Information

Advisory XSA-216
Public release 2017-06-20 11:58
Updated 2017-07-07 13:52
Version 5
CVE(s) CVE-2017-10911
Title blkif responses leak backend stack data

Files

advisory-216.txt (signed advisory file)
xsa216-linux-2.6.18-xen.patch
xsa216-linux-4.4.patch
xsa216-linux-4.11.patch
xsa216-qemuu.patch
xsa216-qemuu-4.5.patch
xsa216-qemuu-4.7.patch

Advisory


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2017-10911 / XSA-216
                              version 5

                blkif responses leak backend stack data

UPDATES IN VERSION 5
====================

CVE assigned.

ISSUE DESCRIPTION
=================

The block interface response structure has some discontiguous fields.
Certain backends populate the structure fields of an otherwise
uninitialized instance of this structure on their stacks, leaking
data through the (internal or trailing) padding field.

IMPACT
======

A malicious unprivileged guest may be able to obtain sensitive
information from the host or other guests.

VULNERABLE SYSTEMS
==================

All Linux versions supporting the xen-blkback, blkback, or blktap
drivers are vulnerable.

FreeBSD, NetBSD and Windows (with or without PV drivers) are not
vulnerable (either because they do not have backends at all, or
because they use a different implementation technique which does not
suffer from this problem).

All qemu versions supporting the Xen block backend are vulnerable.  The
qemu-xen-traditional code base does not include such code, so is not
vulnerable.  Note that an instance of qemu will be spawned to provide
the backend for most non-raw-format disks; so you may need to apply the
patch to qemu even if you use only PV guests.

MITIGATION
==========

There's no mitigation available for x86 PV and ARM guests.

For x86 HVM guests it may be possible to change the guest
configuaration such that a fully virtualized disk is being made
available instead.  However, this would normally entail changes inside
the guest itself.

CREDITS
=======

This issue was discovered by Anthony Perard of Citrix.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa216-linux-4.11.patch           Linux 4.5 ... 4.11
xsa216-linux-4.4.patch            Linux 3.3 ... 4.4
xsa216-qemuu.patch                qemu-upstream master, 4.8
xsa216-qemuu-4.7.patch            qemu-upstream 4.7, 4.6
xsa216-qemuu-4.5.patch            qemu-upstream 4.5
xsa216-linux-2.6.18-xen.patch     linux-2.6.18-xen.hg

$ sha256sum xsa216*
d316e16f8da2078966e9d7d516dd0a9ed5a29c3bc479974374c8fa778859913d  xsa216-linux-2.6.18-xen.patch
4440fe324b61baf0f3f5a73352c4d9ac6f94917e216d8421263a5e67445852db  xsa216-linux-4.4.patch
eb24bfc0303e13e08fd3710463aea139a92a3f83db7f35119c4d3831154a6453  xsa216-linux-4.11.patch
b4b8f68fa05d718c5be7023c84d942e43725bcc563ea15556ee9646f6f9bf7e7  xsa216-qemuu.patch
4fc3665ff07ec79fb31ac66a3fd360a45b7ec546c549c04284f0128ad0c5beba  xsa216-qemuu-4.5.patch
a0e0dfd5ea2643ae14c220124194388017a3656db3e6ce430913cda800c43aad  xsa216-qemuu-4.7.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches described above (or others which are
substantially similar) is permitted during the embargo, even on
public-facing systems with untrusted guest users and administrators.

However, deployment of the mitigation is NOT permitted (except where
all the affected systems and VMs are administered and used only by
organisations which are members of the Xen Project Security Issues
Predisclosure List).  Specifically, deployment on public cloud systems
is NOT permitted.  This is because this produces a guest-visible
change which will indicate which component contains the vulnerability.

Additionally, distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJZX5IiAAoJEIP+FMlX6CvZdK8IALydeCfUgLpTzeVaRidXkO9M
dlChA1fXn5ZRlQxvGGIzatkl2Em99+JfIyW21AoVqFAyIYbYkbV7zmp82HpHAZfB
Ib5tFUS4ki1paXXcBtQSvgsz7Sxh5obZnCzyguOcSthZ0/Ude5mh9ImsnKepNxQi
GbMBY9xsBv+tclRLiaGUIBgKwtNc0AXpQhWAkbAEWjdYSN2CGsS37Z9Hi0GOoID/
Z49g7/shKDyrHxR1ph0uFqZOkCW8Um3qpORzwHIwpsqleY7Y5E9Ib/QXDOV7wJ1m
IDhkSmYf6kXjJ1yhwjRw4UgsGWj/TDyi9d6HxYU9DVHY1b5lWuNjbbyeMuVpR8A=
=18b8
-----END PGP SIGNATURE-----

Xenproject.org Security Team