Information
Advisory | XSA-101 |
Public release | 2014-06-25 12:00 |
Updated | 2014-06-30 14:22 |
Version | 3 |
CVE(s) | CVE-2014-4022 |
Title | information leak via gnttab_setup_table on ARM |
Files
advisory-101.txt (signed advisory file)
xsa101.patch
Advisory
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Xen Security Advisory CVE-2014-4022 / XSA-101
version 3
information leak via gnttab_setup_table on ARM
UPDATES IN VERSION 3
====================
Provide the CVE.
ISSUE DESCRIPTION
=================
When initialising an internal data structure on ARM platform Xen was
not correctly initialising the memory containing the list of a
domain's grant table pages. This list is returned by the
GNTTABOP_setup_table subhypercall, leading to an information leak.
IMPACT
======
Malicious guest administrators can obtain some of the memory contents
of other domains:
Up to 8*max_nr_grant_frames bytes of uninitialised memory can be
leaked to the calling domain. This memory may have been previously
used by either the hypervisor or other guests.
The default max_nr_grant_frames is 32, hence by default 256 bytes may
be leaked in this way. However this can be overridden via the
"gnttab_max_nr_frames" hypervisor command line option.
VULNERABLE SYSTEMS
==================
Both 32- and 64-bit ARM systems are vulnerable from Xen 4.4 onward.
MITIGATION
==========
None.
CREDITS
=======
This issue was discovered by Julien Grall.
RESOLUTION
==========
Applying the attached patch resolves this issue.
xsa101.patch xen-unstable, Xen 4.4.x
$ sha256sum xsa101*.patch
12ea475265a0804a3a42f620d7065a7408a5ae4b017c871847424c7247c204e9 xsa101.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQEcBAEBAgAGBQJTsXKlAAoJEIP+FMlX6CvZAXwH/0Km16VstdF5P72chl3u9BsE
aWLe8Xdb9lmPXiIWM+q2NN+Jp8tL08Ia4fyD1OC5zJqtf6TReI9qsBkzo2O6EfjF
QdTluXrfYgkob0THsDW1Nd86wxy8UBLlz1dwu+jfKkYp9gMQgTtV1NNyrXEOwn1f
vepA/V2kOVss7U5+OXqe10HOm+bK4Qs0vYwu1HnG/y6/I39eP2FXw8jMDSB1pKcJ
1/zBll+R+LVXsQbJbKA6vS9RJiOeMXY1b8y6ThduVuW+bq/RydyqoTb25XPqhHcV
6FaDe3JlncXvpJp4OEaAiHPyBqPRvNgr3WWW16lFGTtlLJdc+43/24WkrLfok6o=
=srxg
-----END PGP SIGNATURE-----
Xenproject.org Security Team