Information

AdvisoryXSA-159
Public release 2015-12-08 11:29
Updated 2015-12-08 11:29
Version 4
CVE(s) CVE-2015-8339 CVE-2015-8340
Title XENMEM_exchange error handling issues

Files

advisory-159.txt (signed advisory file)
xsa159.patch

Advisory


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

     Xen Security Advisory CVE-2015-8339,CVE-2015-8340 / XSA-159
                              version 4

                 XENMEM_exchange error handling issues

UPDATES IN VERSION 4
====================

Public release.

ISSUE DESCRIPTION
=================

Error handling in the operation may involve handing back pages to
the domain. This operation may fail when in parallel the domain gets
torn down. So far this failure unconditionally resulted in the host
being brought down due to an internal error being assumed. This is
CVE-2015-8339.

Furthermore error handling so far wrongly included the release of a
lock. That lock, however, was either not acquired or already released
on all paths leading to the error handling sequence. This is
CVE-2015-8340.

IMPACT
======

A malicious guest administrator may be able to deny service by
crashing the host or causing a deadlock.

VULNERABLE SYSTEMS
==================

All Xen versions from at least 3.2 onwards are vulnerable.  Older
versions have not been inspected.

MITIGATION
==========

The vulnerability can be avoided if the guest kernel is controlled by
the host rather than guest administrator, provided that further steps
are taken to prevent the guest administrator from loading code into
the kernel (e.g. by disabling loadable modules etc) or from using
other mechanisms which allow them to run code at kernel privilege.  In
Xen HVM, controlling the guest's kernel would involve locking down the
bootloader.

CREDITS
=======

This issue was discovered by Julien Grall of Citrix and
Jan Beulich of SUSE.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa159.patch      xen-unstable, Xen 4.6.x, Xen 4.5.x, Xen 4.4.x, Xen 4.3.x

$ sha256sum xsa159*
05c35871c1430e9cfdbee049411b23fca6c64c5bc9f112d7508afe5cbd289cef  xsa159.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJWZr8HAAoJEIP+FMlX6CvZXp8IAMNhe/G7435bJNiwMbWIT6vt
8piJPArKxhd3yohEiAx0wG7BXTQ7ockAKFCjdSL8ZGPQuaxwuYrdm4wH14ucxRY6
wgHyU2766g5VuP1bJ1eU/XxZpNGWCqDQaaMzbwQLKVO7rhsZc14txY2nYFZ5cvLT
nMDR8rfcNSeGMSCzg9vrdnFhmmslT797fgRXrCnZ2+bEDerTiYu5nDlS+aIZPiSt
WwKbiYN/RJLIo4EThvYfPdbm9SPeSdNYNUws2MVkl50x2h4hm33eqKDNxAtUMgDq
CZzHQGCMjAtrhK/64AQePiXRHO4SHYbX4FmeO9Yrkbgf971PqpEYed79UJ2a0SA=
=sIvq
-----END PGP SIGNATURE-----


Xenproject.org Security Team