|
|
|
|
|
|
|
|
|
|
xen-devel
[Xen-devel] Xen security advisory CVE-2011-1583 - pv kernel image valida
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Xen security advisory CVE-2011-1583
paravirtualised kernel image validation
SUMMARY
=======
Xen.org paravirtualised guest image loading functionality has multiple
errors in the validation and decompression of guest kernels.
Vendors and users are urged to apply the attached patch. Some
defensive workarounds are available.
ISSUE DESCRIPTION
=================
1. Problems
-----------
The functions which interpret the kernel image supplied for a
paravirtualised guest, and decompress it into memory when booting the
domain, are incautious. Specifically:
(i) Integer overflow in the decompression loop memory allocator might
result in overrunning the buffer used for the decompressed image;
(ii) Integer overflows and lack of checking of certain length fields
can result in the loader reading its own address space beyond the
size of the supplied kernel image file.
(iii) Lack of error checking in the decompression loop can lead to an
infinite loop.
2. Impact
---------
An attacker who can supply a kernel image to be booted as a
paravirtualised guest might be able to:
(i) Escalate privilege, taking control of the management domain and
hence the entire machine.
(ii) Gain knowledge the contents of memory in the management tools.
Depending on the toolstack in use this might contain sensitive
information such as domain management or VNC passwords.
(iii) Cause an infinite loop in the management software, resulting in
denial of service (and excessive resource consumption by the
management domain).
3. Who is affected, and workarounds
-----------------------------------
Systems where the guest kernel is provided by untrusted guest
administrators ARE vulnerable; this is the case whether the guest
kernel is provided by ad-hoc or out-of-band means, or via the "pygrub"
tool which automatically finds the kernel in the guest filesystem.
Systems which permit only blessed or approved paravirtualised kernel
images to be used are NOT vulnerable; preventing attackers from
providing hostile kernel images will completely prevent the attacks.
Systems which only run fully virtualised ("HVM") guests are NOT
vulnerable.
With respect to each of the three specific issues:
(i) Only management domains with 32-bit userland are vulnerable.
The attack can be defeated by running the management tools with a
virtual address space ulimit of less than 2Gby, for example by
putting "ulimit -v 1000000" in an appropriate point in the
system startup files.
(ii) In the xen.org "xend" management toolstack this exposure is
indeed limited to VNC passwords (and general information about the
number of running domains); in such systems this attack will be
complicated to carry out and not likely to be rewarding.
In the systems using the xen.org "xl" management tool this exposure
is limited to information about the specific guest in question and
is therefore very low impact.
(iii) This attack is very easy to carry out but the impact is low.
Running VMs are not adversely affected. There is no known
workaround.
In theory it might be possible to pre-validate kernel images. Images
which are accepted and booted by a fixed version of xen are safe to
pass to unfixed versions.
4. Patch information
--------------------
The proposed patch is attached. There are three separate versions:
cve-2011-1583-4.1.patch for Xen 4.1
cve-2011-1583-4.0.patch for Xen 3.4 and 4.0
cve-2011-1583-unstable.patch for the xen-unstable development tree
$ sha256sum cve-2011-1583-*.patch
f51b774eec945c48a0e91ed17df3cee07027d64c7e7c5783f7446507dbcc201b
cve-2011-1583-4.0.patch
2a54dbb1984a966e8d90da9f4fb10c30ff197d13603943c38488122044bb977d
cve-2011-1583-4.1.patch
0299618a56c9ad86d41a1d9879cb373bdef5105592f9a1f2390af3bf94c404be
cve-2011-1583-unstable.patch
$ sha1sum cve-2011-1583-*.patch
41e2a653313d13a036e30c1c160e402e380bc377 cve-2011-1583-4.0.patch
d2bad52b255d7475709b49420db4ce41b2a108f3 cve-2011-1583-4.1.patch
0b25612d708c71143498d52af276721a4bf1c3fa cve-2011-1583-unstable.patch
$
These have been applied and pushed to xen-unstable.hg (23322:d9982136d8fa),
xen-4.1-testing (23042:e2e575f8b5d9) and xen-4.0-testing (21482:c2adc059e931).
It will appear in xen-3.4-testing shortly.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iJwEAQECAAYFAk3H9S4ACgkQQz2i6ICVfYNB1wP/WtYetJRpVe+pWr9Ys7j51cGS
D8tPY4GUaVMEzJ8G0In4ic9cmo/T7CvLuZgXlngzHnPj+BmXzwlY511qSmLFAguM
PhuC1Hx49sBiIh0ZPymv1O8DIgesrUdWVjEmfAhXkwqP2jo7H7SUSAYRyRgoJOQe
vxHz7uopMFjg+yLx3o4=
=4vr6
-----END PGP SIGNATURE-----
cve-2011-1583-4.1.patch
Description: patch for Xen 4.1
cve-2011-1583-4.0.patch
Description: patch for Xen 3.4 and 4.0
cve-2011-1583-unstable.patch
Description: Patch for xen-unstable
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
|
<Prev in Thread] |
Current Thread |
[Next in Thread>
|
- [Xen-devel] Xen security advisory CVE-2011-1583 - pv kernel image validation,
Ian Jackson <=
|
|
|
|
|