WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 
 
Home Products Support Community News
 
   
 

xen-devel

[Xen-devel] Xen security advisory CVE-2011-1583 - pv kernel image valida

To: xen-devel@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-devel] Xen security advisory CVE-2011-1583 - pv kernel image validation
From: Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>
Date: Mon, 9 May 2011 15:08:50 +0100
Delivery-date: Mon, 09 May 2011 07:10:02 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

             Xen security advisory CVE-2011-1583
            paravirtualised kernel image validation

SUMMARY
=======

Xen.org paravirtualised guest image loading functionality has multiple
errors in the validation and decompression of guest kernels.

Vendors and users are urged to apply the attached patch.  Some
defensive workarounds are available.

ISSUE DESCRIPTION
=================

 1. Problems
 -----------

The functions which interpret the kernel image supplied for a
paravirtualised guest, and decompress it into memory when booting the
domain, are incautious.  Specifically:

 (i) Integer overflow in the decompression loop memory allocator might
     result in overrunning the buffer used for the decompressed image;
 (ii) Integer overflows and lack of checking of certain length fields
     can result in the loader reading its own address space beyond the
     size of the supplied kernel image file.
 (iii) Lack of error checking in the decompression loop can lead to an
     infinite loop.

 2. Impact
 ---------

An attacker who can supply a kernel image to be booted as a
paravirtualised guest might be able to:

 (i) Escalate privilege, taking control of the management domain and
    hence the entire machine.

 (ii) Gain knowledge the contents of memory in the management tools.
   Depending on the toolstack in use this might contain sensitive
   information such as domain management or VNC passwords.

 (iii) Cause an infinite loop in the management software, resulting in
   denial of service (and excessive resource consumption by the
   management domain).

 3. Who is affected, and workarounds
 -----------------------------------

Systems where the guest kernel is provided by untrusted guest
administrators ARE vulnerable; this is the case whether the guest
kernel is provided by ad-hoc or out-of-band means, or via the "pygrub"
tool which automatically finds the kernel in the guest filesystem.

Systems which permit only blessed or approved paravirtualised kernel
images to be used are NOT vulnerable; preventing attackers from
providing hostile kernel images will completely prevent the attacks.

Systems which only run fully virtualised ("HVM") guests are NOT
vulnerable.

With respect to each of the three specific issues:

 (i) Only management domains with 32-bit userland are vulnerable.
    The attack can be defeated by running the management tools with a
    virtual address space ulimit of less than 2Gby, for example by
    putting  "ulimit -v 1000000"  in an appropriate point in the
    system startup files.

 (ii) In the xen.org "xend" management toolstack this exposure is
   indeed limited to VNC passwords (and general information about the
   number of running domains); in such systems this attack will be
   complicated to carry out and not likely to be rewarding.

   In the systems using the xen.org "xl" management tool this exposure
   is limited to information about the specific guest in question and
   is therefore very low impact.

 (iii) This attack is very easy to carry out but the impact is low.
   Running VMs are not adversely affected.  There is no known
   workaround.

In theory it might be possible to pre-validate kernel images.  Images
which are accepted and booted by a fixed version of xen are safe to
pass to unfixed versions.


 4. Patch information
 --------------------

The proposed patch is attached.  There are three separate versions:

   cve-2011-1583-4.1.patch        for Xen 4.1
   cve-2011-1583-4.0.patch        for Xen 3.4 and 4.0
   cve-2011-1583-unstable.patch   for the xen-unstable development tree

$ sha256sum cve-2011-1583-*.patch 
f51b774eec945c48a0e91ed17df3cee07027d64c7e7c5783f7446507dbcc201b  
cve-2011-1583-4.0.patch
2a54dbb1984a966e8d90da9f4fb10c30ff197d13603943c38488122044bb977d  
cve-2011-1583-4.1.patch
0299618a56c9ad86d41a1d9879cb373bdef5105592f9a1f2390af3bf94c404be  
cve-2011-1583-unstable.patch
$ sha1sum cve-2011-1583-*.patch 
41e2a653313d13a036e30c1c160e402e380bc377  cve-2011-1583-4.0.patch
d2bad52b255d7475709b49420db4ce41b2a108f3  cve-2011-1583-4.1.patch
0b25612d708c71143498d52af276721a4bf1c3fa  cve-2011-1583-unstable.patch
$

These have been applied and pushed to xen-unstable.hg (23322:d9982136d8fa),
xen-4.1-testing (23042:e2e575f8b5d9) and xen-4.0-testing (21482:c2adc059e931).
It will appear in xen-3.4-testing shortly.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iJwEAQECAAYFAk3H9S4ACgkQQz2i6ICVfYNB1wP/WtYetJRpVe+pWr9Ys7j51cGS
D8tPY4GUaVMEzJ8G0In4ic9cmo/T7CvLuZgXlngzHnPj+BmXzwlY511qSmLFAguM
PhuC1Hx49sBiIh0ZPymv1O8DIgesrUdWVjEmfAhXkwqP2jo7H7SUSAYRyRgoJOQe
vxHz7uopMFjg+yLx3o4=
=4vr6
-----END PGP SIGNATURE-----

Attachment: cve-2011-1583-4.1.patch
Description: patch for Xen 4.1

Attachment: cve-2011-1583-4.0.patch
Description: patch for Xen 3.4 and 4.0

Attachment: cve-2011-1583-unstable.patch
Description: Patch for xen-unstable

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
<Prev in Thread] Current Thread [Next in Thread>