| Public release | 2015-12-17 12:00 |
| Updated | 2015-12-17 12:38 |
| CVE(s) | none (yet) assigned |
| Title | ioreq handling possibly susceptible to multiple read issue |
Files: advisory-166.txt (signed advisory file)
Xen Security Advisory XSA-166
ioreq handling possibly susceptible to multiple read issue
UPDATES IN VERSION 2
Single memory accesses in source code can be translated to multiple
ones in machine code by the compiler, requiring special caution when
accessing shared memory. Such a precaution was missing from the
hypervisor code that inspects the state of I/O requests sent to the
device model for assistance.
Due to the offending field being a bitfield, it is however believed
that there is no issue in practice, since compilers, at least when
optimizing (which is always the case for non-debug builds), should find
it more expensive to extract the bit field value twice than to keep the
calculated value in a register.
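The hazard described above, as an added C example that is neither Xen's code nor the attached patch: a dispatcher whose comparisons each reload the shared `state` field (the shape a compiler may emit for one source-level `switch`) beside one that takes a single volatile snapshot into a local. The `struct ioreq` layout, the state and outcome values, and the `dm_interleave` hook that stands in for a concurrent device-model write are all assumptions made for this illustration.

```c
/* Added illustration of the advisory's double-read hazard; not Xen's code. The
 * layout, state values, outcomes and the device-model interleave hook are assumed. */
#include <stddef.h>
#include <stdint.h>
enum { STATE_IOREQ_NONE, STATE_IOREQ_READY, STATE_IOREQ_INPROCESS, STATE_IORESP_READY };
enum outcome { OUT_IDLE, OUT_WAIT, OUT_RESP_DONE, OUT_CRASH };
struct ioreq { uint8_t state; }; /* shared page: device model writes, hypervisor reads */

/* Where a device-model write may land between two loads of p->state. */
static void (*dm_interleave)(struct ioreq *) = NULL;
static void interleave_point(struct ioreq *p) { if (dm_interleave) dm_interleave(p); }

/* Vulnerable shape: what a compiler may emit for a single `switch (p->state)`
 * if it reloads the shared field for every comparison. */
enum outcome dispatch_reloading(struct ioreq *p)
{
    if (p->state == STATE_IORESP_READY)    return OUT_RESP_DONE;
    interleave_point(p);                   /* device model writes here */
    if (p->state == STATE_IOREQ_READY)     return OUT_WAIT;
    if (p->state == STATE_IOREQ_INPROCESS) return OUT_WAIT;
    if (p->state == STATE_IOREQ_NONE)      return OUT_IDLE;
    return OUT_CRASH;                      /* "weird" state: guest gets crashed */
}

/* Hardened shape: one volatile load into a local, then decide on the snapshot. */
#define ACCESS_ONCE(x) (*(volatile __typeof__(x) *)&(x))
enum outcome dispatch_snapshot(struct ioreq *p)
{
    uint8_t state = ACCESS_ONCE(p->state); /* exactly one load of the shared byte */
    interleave_point(p);                   /* a later write cannot split the decision */
    switch (state) {
    case STATE_IORESP_READY:    return OUT_RESP_DONE;
    case STATE_IOREQ_READY:
    case STATE_IOREQ_INPROCESS: return OUT_WAIT;
    case STATE_IOREQ_NONE:      return OUT_IDLE;
    default:                    return OUT_CRASH;
    }
}

/* Scenario: a request is in flight and the device model completes it (a legitimate
 * IOREQ_READY -> IORESP_READY transition) while the hypervisor inspects the state. */
static void dm_completes_request(struct ioreq *p) { p->state = STATE_IORESP_READY; }
enum outcome run_with_racing_dm(enum outcome (*dispatch)(struct ioreq *))
{
    struct ioreq r = { .state = STATE_IOREQ_READY };
    dm_interleave = dm_completes_request;
    enum outcome o = dispatch(&r);
    dm_interleave = NULL;
    return o; /* dispatch_reloading -> OUT_CRASH, dispatch_snapshot -> OUT_WAIT */
}
```

In the advisory's case the field is a bitfield, whose address cannot be taken, so there the snapshot is a plain read into a local rather than the `ACCESS_ONCE` cast used for an addressable byte.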
This vulnerability is exposed to malicious device models. In
conventional Xen systems this means the qemu which services an HVM
domain. On such systems this vulnerability can only be exploited if
the attacker has gained control of the device model qemu via another
Privilege escalation, host crash (Denial of Service), and leaked
information all cannot be excluded.
All Xen versions are affected.
Only x86 variants of Xen are susceptible. ARM variants are not
Only HVM guests expose this vulnerability.
Running only PV guests will avoid this issue.
This issue was discovered by Konrad Rzeszutek Wilk of Oracle and Jan
Beulich of SUSE while investigating the issues arising from XSA-155.
XSA-155 was discovered by Felix Wilhelm of ERNW.
Applying the appropriate attached patch resolves this issue.
xsa166.patch xen-unstable, Xen 4.6.x
xsa166-4.5.patch Xen 4.5.x
xsa166-4.4.patch Xen 4.4.x
xsa166-4.3.patch Xen 4.3.x
$ sha256sum xsa166*
DEPLOYMENT DURING EMBARGO
Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).
Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decision-making.)
For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
NOTE REGARDING SHORT EMBARGO
This issue was encountered by the Security Team during investigations
of the scope and impact of XSA-155. Accordingly XSA-166 is embargoed
and the embargo will end at the same time as that of XSA-155.
Xenproject.org Security Team