-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory CVE-2017-10911 / XSA-216 version 5 blkif responses leak backend stack data UPDATES IN VERSION 5 ==================== CVE assigned. ISSUE DESCRIPTION ================= The block interface response structure has some discontiguous fields. Certain backends populate the structure fields of an otherwise uninitialized instance of this structure on their stacks, leaking data through the (internal or trailing) padding field. IMPACT ====== A malicious unprivileged guest may be able to obtain sensitive information from the host or other guests. VULNERABLE SYSTEMS ================== All Linux versions supporting the xen-blkback, blkback, or blktap drivers are vulnerable. FreeBSD, NetBSD and Windows (with or without PV drivers) are not vulnerable (either because they do not have backends at all, or because they use a different implementation technique which does not suffer from this problem). All qemu versions supporting the Xen block backend are vulnerable. The qemu-xen-traditional code base does not include such code, so is not vulnerable. Note that an instance of qemu will be spawned to provide the backend for most non-raw-format disks; so you may need to apply the patch to qemu even if you use only PV guests. MITIGATION ========== There's no mitigation available for x86 PV and ARM guests. For x86 HVM guests it may be possible to change the guest configuaration such that a fully virtualized disk is being made available instead. However, this would normally entail changes inside the guest itself. CREDITS ======= This issue was discovered by Anthony Perard of Citrix. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. xsa216-linux-4.11.patch Linux 4.5 ... 4.11 xsa216-linux-4.4.patch Linux 3.3 ... 4.4 xsa216-qemuu.patch qemu-upstream master, 4.8 xsa216-qemuu-4.7.patch qemu-upstream 4.7, 4.6 xsa216-qemuu-4.5.patch qemu-upstream 4.5 xsa216-linux-2.6.18-xen.patch linux-2.6.18-xen.hg $ sha256sum xsa216* d316e16f8da2078966e9d7d516dd0a9ed5a29c3bc479974374c8fa778859913d xsa216-linux-2.6.18-xen.patch 4440fe324b61baf0f3f5a73352c4d9ac6f94917e216d8421263a5e67445852db xsa216-linux-4.4.patch eb24bfc0303e13e08fd3710463aea139a92a3f83db7f35119c4d3831154a6453 xsa216-linux-4.11.patch b4b8f68fa05d718c5be7023c84d942e43725bcc563ea15556ee9646f6f9bf7e7 xsa216-qemuu.patch 4fc3665ff07ec79fb31ac66a3fd360a45b7ec546c549c04284f0128ad0c5beba xsa216-qemuu-4.5.patch a0e0dfd5ea2643ae14c220124194388017a3656db3e6ce430913cda800c43aad xsa216-qemuu-4.7.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. However, deployment of the mitigation is NOT permitted (except where all the affected systems and VMs are administered and used only by organisations which are members of the Xen Project Security Issues Predisclosure List). Specifically, deployment on public cloud systems is NOT permitted. This is because this produces a guest-visible change which will indicate which component contains the vulnerability. Additionally, distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBCAAGBQJZX5IiAAoJEIP+FMlX6CvZdK8IALydeCfUgLpTzeVaRidXkO9M dlChA1fXn5ZRlQxvGGIzatkl2Em99+JfIyW21AoVqFAyIYbYkbV7zmp82HpHAZfB Ib5tFUS4ki1paXXcBtQSvgsz7Sxh5obZnCzyguOcSthZ0/Ude5mh9ImsnKepNxQi GbMBY9xsBv+tclRLiaGUIBgKwtNc0AXpQhWAkbAEWjdYSN2CGsS37Z9Hi0GOoID/ Z49g7/shKDyrHxR1ph0uFqZOkCW8Um3qpORzwHIwpsqleY7Y5E9Ib/QXDOV7wJ1m IDhkSmYf6kXjJ1yhwjRw4UgsGWj/TDyi9d6HxYU9DVHY1b5lWuNjbbyeMuVpR8A= =18b8 -----END PGP SIGNATURE-----