WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 

xen-users

Re: [Xen-users] are Xen 3.1.0 kernels CVE-2007-4573 vulnerable

Steven Timm wrote:
> On Thu, 4 Oct 2007, Fajar A. Nugraha wrote:
>
>> I believe kernels compiled for xen 3.0.3 can run on xen 3.1. So if
>> you use :
>> - Xen 3.1
>> - RHEL5 as domU or dom0
>> - same 64-bit or 32-bit for Xen/dom0/domU
>>
>> then you can use RHEL kernels.
>> When you need to run 32 bit domU on the above scenario, I'd prefer to
>> use 64-bit RHEL kernel with 32 bit userland.
>>
>> Regards,
>>
>> Fajar
>>
>
> I guess what I am really trying to get at is the following:
> What, if anything, of the Xen code base is built into
> the kernel rpms that redhat 5 and friends distribute as kernel-xen
> (for instance, kernel-xen-2.6.18-8.1.14.el5, just released
> to patch the vulnerability that started this thread).

Since you're talking about kernel vulnerabilities, you can look at
kernel-2.6.18-8.1.14.el5.src.rpm. In particular, look at the
Changelog and Patch, and you'll see something like

Patch21263: linux-2.6-x86_64-entry-path-zero-extend-all-registers-after-ptrace.patch

%changelog
* Tue Sep 25 2007 Don Howard <dhoward@xxxxxxxxxx> [2.6.18-8.1.14.el5]
- Revert changes back to 2.6.18-8.1.10.
- [x86_64] Zero extend all registers after ptrace in 32bit entry path (Anton Arapov ) [297871] {CVE-2007-4573}

It's not Xen-specific, so in regards to this vulnerability nothing from
the Xen codebase is involved.

> Is there anything that's version specific?  Is there anything
> that ties it to xen 3.0.3?  
Source1: xen-%{xen_hv_cset}.tar.bz2

In theory, since Xen-3.1 kernel is also based on 2.6.18, you PROBABLY
could change this one with sources from Xen-3.1, and rebuild the
.src.rpm. Haven't tried it though.

> How can I look at the kernel config
> files and tell the difference, if necessary?
>
> I went and got the kernels from xensource that were compiled with
> xen 3.1.0
Or you could try it the other way around. Use Xen's source tarball,
apply RH's kernel patches, and compile it.

> because people on this list told me that this was required
> to do what I wanted to do, namely 64bit dom0 plus 32bit PAE domU's.
> I understand that a xen 3.0.3-compiled kernel could be a domU in this
> setup but not a dom0.  Is this understanding wrong?
>
RH kernels can run on xen 3.0.3 or xen 3.1, for dom0 or domU, as long as
they're the same bits (e.g. all 64 bit, or all 32bit). Using a vendor kernel
has the advantage that they will provide ready-to-use security updates.

Note, however, that xen.gz is included in kernel-xen. This has some
implications:
- On dom0, this means that if you want to use RHEL5 kernel-xen on xen
3.1, you have to manually edit grub.conf to use xen.gz from xen 3.1
instead of the one from kernel-xen.
- On domU, generally you don't have to care what dom0 is running.
Whether xen 3.0.3 or xen 3.1, you can continue to use RH's kernel-xen.

If you want to use 32bit PAE domU on 64 bit xen/dom0, then you HAVE to
use xen 3.1 domU kernel. Generally I wouldn't bother, I'd simply use
64-bit kernel with 32-bit userland instead.

Regards,

Fajar

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
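
The changelog check described in the reply above, as an added example that is not part of the original thread: a shell function that reads RPM changelog text and reports which package release mentions a given CVE. The names `cve_fixed_in` and `SAMPLE_CHANGELOG` are hypothetical, and the second changelog entry in the sample is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Reads RPM changelog text on stdin and
# prints the release of every entry that mentions the given CVE id.
# Assumption: entry headers start with "* " and end with the version-release,
# optionally in [brackets] as in the excerpt quoted in the thread.
cve_fixed_in() {
    awk -v cve="$1" '
        /^\* / {                        # entry header: remember its release
            sub(/[ \t]+$/, "")          # drop trailing whitespace
            rel = $NF
            gsub(/^\[|\]$/, "", rel)    # strip surrounding brackets, if any
            next
        }
        # Body line (wrapped continuation lines included) naming the CVE:
        # report the release of the entry it belongs to, once.
        rel != "" && index($0, cve) && !seen[rel]++ { print rel }
    '
}

# Sample input. The first entry is the excerpt quoted in the thread (address
# masked as in the archive); the second entry is constructed for illustration.
SAMPLE_CHANGELOG='* Tue Sep 25 2007 Don Howard <dhoward@xxxxxxxxxx> [2.6.18-8.1.14.el5]
- Revert changes back to 2.6.18-8.1.10.
- [x86_64] Zero extend all registers after ptrace in 32bit entry path
(Anton Arapov ) [297871] {CVE-2007-4573}
* Mon Sep 03 2007 Example Packager <packager@example.com> [2.6.18-8.1.10.el5]
- constructed entry with no CVE reference'

# Demo on the embedded sample.
printf '%s\n' "$SAMPLE_CHANGELOG" | cve_fixed_in CVE-2007-4573

# On a real system the same function takes rpm output, for example:
#   rpm -qp --changelog kernel-2.6.18-8.1.14.el5.src.rpm | cve_fixed_in CVE-2007-4573
#   rpm -q  --changelog kernel-xen | cve_fixed_in CVE-2007-4573
```

Empty output means the changelog of the package you queried does not mention the CVE, which is the cue to compare the installed release against the vendor's fixed release.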