-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2014-3969 / XSA-98 version 5 insufficient permissions checks accessing guest memory on ARM UPDATES IN VERSION 5 ==================== The issue described in update 4 also affects Xen 4.5 which was not released at the time of the original advisory. The extra patch supplied with version 4 of this advisory is for Xen 4.5.x (as well as 4.4.x and xen-unstable). Added credits for updated issue. UPDATES IN VERSION 4 ==================== Supply an additional patch for arm64. The original patches had the permissions check backwards, meaning that a guest could read a write-only mapping and vice versa, rendering the original fix ineffective an inparticular not closing down the ability for a guest to write to a readonly page via the hypervisor. This issue was discussed on a public IRC channel and therefore it has been agreed with the discoverer that it should not subject to a new embargo. 32-bit ARM systems are not affected by this mistake; the original fix remains correct for 32-bit. ISSUE DESCRIPTION ================= When accessing guest memory Xen does not correctly perform permissions checks on the (possibly guest provided) virtual address: it only checks that the mapping is readable by the guest, even when writing on behalf of the guest. This allows a guest to write to memory which it should only be able to read. A guest running on a vulnerable system is able to write to memory which should be read-only. This includes supposedly read only foreign mappings established using the grant table mechanism. Such read-only mappings are commonly used as part of the paravirtualised I/O drivers (such as guest disk write and network transmit). In order to exploit this vulnerability the guest must have a mapping of the memory; it does not allow access to arbitrary addresses. In the event that a guest executes code from a page which has been shared read-only with another guest it would be possible to mount a take over attack on that guest. IMPACT ====== A domain which is deliberately exchanging data with another, malicious, domain, may be vulnerable to privilege escalation. The vulnerability depends on the precise behaviour of the victim domain. In a typical configuration this means that, depending on the behaviour of the toolstack or device driver domain, a malicious guest administrator might be able to escalate their privilege to that of the whole host. VULNERABLE SYSTEMS ================== Both 32- and 64-bit ARM systems are vulnerable from Xen 4.4 onward. MITIGATION ========== None. CREDITS ======= This issue was discovered by Julien Grall. The additional issue reported in update 4 was discovered by Tamas K Lengyel. RESOLUTION ========== Applying the appropriate pair of attached patches along with the additional update resolves this issue. xsa98-unstable-{01,02}.patch xen-unstable xsa98-4.4-{01,02}.patch Xen 4.4.x xsa98-update.patch Additional update for unstable, 4.5.x and 4.4.x $ sha256sum xsa98*.patch b8535aad5ae969675d59781a81ce0b24491f1abc01aaf36c3620fd7fb6cc84eb xsa98-unstable-01.patch f5e8a93525a8905653da6377097f77681ff8121b973063ff6081e27547ceaa67 xsa98-unstable-02.patch 6f63bc2e0a0a39bbd9137513a5d130ae2c78d1fd2ebf9172bf49456f73f0a67b xsa98-4.4-01.patch b338472ecce3c31a55d1a936eebbd4e46cb3ad989b91a64d4b8c5d3ca80d875d xsa98-4.4-02.patch 8bb4a23174c0c9b1a23a41d4669900877483fd526d331d0c377c32845feb2eb8 xsa98-update.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJVAwlFAAoJEIP+FMlX6CvZBGMH/1qZuF20x5mfSn9TPDXJZrU4 dc6Jab7VDISnfy2CkLPsyLeaOolWm34HgP0a+vggInuxtKmo7TIvoJBUVi6ndsJI mqSWsoUvOl6PthAB1/4WNH2e/wySxBLFEwQWnUZRXxW32LrQzb+rVcJvvHjZiYKR p7NYKYklCZDKhmX5DdANjO1RDg561UnenEMsgUbOdyjsk2s8o+/ni927ZUzhnxQe NY9LqpgOyjBLb+5tStq2v03A+ax7mgzRMQLYlWsuY+Vt08HQsPuEPxN9JNkpmEwb A46OICRNMEwzKmt6ZKpYJSibiffHAMm5aeRd2SalpUjlIAg67H/LHf0vV/4bJ9o= =igf6 -----END PGP SIGNATURE-----