


To: xen-devel@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-devel] Xen security advisory CVE-2011-1583 - pv kernel image validation
From: Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>
Date: Mon, 9 May 2011 15:08:50 +0100
Delivery-date: Mon, 09 May 2011 07:10:02 -0700

             Xen security advisory CVE-2011-1583
            paravirtualised kernel image validation


Xen.org paravirtualised guest image loading functionality has multiple
errors in the validation and decompression of guest kernels.

Vendors and users are urged to apply the attached patch.  Some
defensive workarounds are available.


 1. Problems

The functions which interpret the kernel image supplied for a
paravirtualised guest, and decompress it into memory when booting the
domain, are incautious.  Specifically:

 (i) Integer overflow in the decompression loop memory allocator might
     result in overrunning the buffer used for the decompressed image;
 (ii) Integer overflows and lack of checking of certain length fields
     can result in the loader reading its own address space beyond the
     size of the supplied kernel image file.
 (iii) Lack of error checking in the decompression loop can lead to an
     infinite loop.
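The three defects listed above, illustrated by a small C example added here. It is not Xen's loader code: the run-length input format, the 1 GiB cap and all function names are assumptions chosen to show the checks a loader needs, not the real image format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/* Illustrative cap (an assumption, not a Xen value): refuse to decompress
 * beyond 1 GiB so a hostile header cannot drive the buffer past the
 * loader's address space. */
#define MAX_DECOMPRESSED_SIZE ((size_t)1 << 30)

/* Overflow-checked growth of the decompressed-image size (issue i):
 * returns false instead of letting cur + extra wrap around. */
bool safe_grow_size(size_t cur, size_t extra, size_t *out)
{
    if (extra > SIZE_MAX - cur || cur + extra > MAX_DECOMPRESSED_SIZE)
        return false;
    *out = cur + extra;
    return true;
}

/* A length field from the image header must describe a region that lies
 * entirely inside the supplied file (issue ii). The comparison is written
 * so that offset + len is never computed, since that sum could wrap. */
bool field_in_image(size_t offset, size_t len, size_t image_size)
{
    return offset <= image_size && len <= image_size - offset;
}

/* Toy run-length decoder standing in for the real decompressor: input is
 * a sequence of (count, byte) pairs. Every iteration consumes two input
 * bytes, so the loop cannot spin forever (issue iii), and any malformed
 * record aborts instead of continuing. Returns bytes written, 0 on error. */
size_t decompress_bounded(const uint8_t *in, size_t in_len,
                          uint8_t *out, size_t out_cap)
{
    size_t ip = 0, op = 0;
    while (ip < in_len) {
        if (!field_in_image(ip, 2, in_len))    /* truncated record */
            return 0;
        size_t count = in[ip], value = in[ip + 1], new_op;
        /* a zero-length record is rejected as malformed; growth is
         * overflow-checked and bounded by the caller's buffer */
        if (count == 0 || !safe_grow_size(op, count, &new_op) || new_op > out_cap)
            return 0;
        memset(out + op, (int)value, count);
        op = new_op;
        ip += 2;                               /* guaranteed progress */
    }
    return op;
}
```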

 2. Impact

An attacker who can supply a kernel image to be booted as a
paravirtualised guest might be able to:

 (i) Escalate privilege, taking control of the management domain and
    hence the entire machine.

 (ii) Gain knowledge of the contents of memory in the management tools.
   Depending on the toolstack in use this might contain sensitive
   information such as domain management or VNC passwords.

 (iii) Cause an infinite loop in the management software, resulting in
   denial of service (and excessive resource consumption by the
   management domain).

 3. Who is affected, and workarounds

Systems where the guest kernel is provided by untrusted guest
administrators ARE vulnerable; this is the case whether the guest
kernel is provided by ad-hoc or out-of-band means, or via the "pygrub"
tool which automatically finds the kernel in the guest filesystem.

Systems which permit only blessed or approved paravirtualised kernel
images to be used are NOT vulnerable; preventing attackers from
providing hostile kernel images will completely prevent the attacks.

Systems which only run fully virtualised ("HVM") guests are NOT

With respect to each of the three specific issues:

 (i) Only management domains with 32-bit userland are vulnerable.
    The attack can be defeated by running the management tools with a
    virtual address space ulimit of less than 2Gby, for example by
    putting  "ulimit -v 1000000"  at an appropriate point in the
    system startup files.

 (ii) In the xen.org "xend" management toolstack this exposure is
   indeed limited to VNC passwords (and general information about the
   number of running domains); in such systems this attack will be
   complicated to carry out and not likely to be rewarding.

   In the systems using the xen.org "xl" management tool this exposure
   is limited to information about the specific guest in question and
   is therefore very low impact.

 (iii) This attack is very easy to carry out but the impact is low.
   Running VMs are not adversely affected.  There is no known

In theory it might be possible to pre-validate kernel images.  Images
which are accepted and booted by a fixed version of xen are safe to
pass to unfixed versions.

 4. Patch information

The proposed patch is attached.  There are three separate versions:

   cve-2011-1583-4.1.patch        for Xen 4.1
   cve-2011-1583-4.0.patch        for Xen 3.4 and 4.0
   cve-2011-1583-unstable.patch   for the xen-unstable development tree

$ sha256sum cve-2011-1583-*.patch 
$ sha1sum cve-2011-1583-*.patch 
41e2a653313d13a036e30c1c160e402e380bc377  cve-2011-1583-4.0.patch
d2bad52b255d7475709b49420db4ce41b2a108f3  cve-2011-1583-4.1.patch
0b25612d708c71143498d52af276721a4bf1c3fa  cve-2011-1583-unstable.patch

These have been applied and pushed to xen-unstable.hg (23322:d9982136d8fa),
xen-4.1-testing (23042:e2e575f8b5d9) and xen-4.0-testing (21482:c2adc059e931).
It will appear in xen-3.4-testing shortly.



Attachment: cve-2011-1583-4.1.patch
Description: patch for Xen 4.1

Attachment: cve-2011-1583-4.0.patch
Description: patch for Xen 3.4 and 4.0

Attachment: cve-2011-1583-unstable.patch
Description: Patch for xen-unstable
