Information

AdvisoryXSA-55
Public release 2013-06-03 16:18
Updated 2013-06-20 10:26
Version 5
CVE(s) CVE-2013-2194 CVE-2013-2195 CVE-2013-2196
Title Multiple vulnerabilities in libelf PV kernel handling

Files

advisory-55.txt (signed advisory file)

Advisory


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

  Xen Security Advisory CVE-2013-2194,CVE-2013-2195,CVE-2013-2196 / XSA-55
                             version 5

           Multiple vulnerabilities in libelf PV kernel handling

UPDATES IN VERSION 5
====================

CVE numbers have been assigned.

ISSUE DESCRIPTION
=================

The ELF parser used by the Xen tools to read domains' kernels and
construct domains has multiple integer overflows, pointer dereferences
based on calculations from unchecked input values, and other problems.

This corresponds to the following CVEs:
  CVE-2013-2194 XEN XSA-55 integer overflows
  CVE-2013-2195 XEN XSA-55 pointer dereferences
  CVE-2013-2196 XEN XSA-55 other problems

IMPACT
======

A malicious PV domain administrator who can specify their own kernel
can escalate their privilege to that of the domain construction tools
(i.e., normally, to control of the host).

Additionally a malicious HVM domain administrator who is able to
supply their own firmware ("hvmloader") can do likewise; however we
think this would be very unusual and it is unlikely that such
configurations exist in production systems.

VULNERABLE SYSTEMS
==================

All Xen versions are affected.

Installations which only allow the use of trustworthy kernels for PV
domains are not affected.

MITIGATION
==========

Ensuring that PV guests use only trustworthy kernels will avoid this
problem.

RESOLUTION
==========

Applying the appropriate patch series will resolve this issue.

These were attached to v3 of the advisory which can be found here:
  http://lists.xen.org/archives/html/xen-devel/2013-06/msg01626.html

These are available in xen.git
   http://xenbits.xen.org/gitweb/?p=xen.git
   git://xenbits.xen.org/xen.git
   http://xenbits.xen.org/git-http/xen.git
in the git changesets listed below.

xen-unstable:

82cb4113b6ace16de192021de20f6cbd991e478f libxc: Better range check in xc_dom_alloc_segment
966070058d02cce9684e30073b61d6465e4b351c libxc: check blob size before proceeding in xc_dom_check_gzip
de7911eaef98b6643d80e4612fe4dcd4528d15b9 libxc: range checks in xc_dom_p2m_host and _guest
3d5a1d4733e55e33521cd5004cab1313e5c5d5ff libxc: check return values from malloc
aaebaba5ae225f591e0602e071037a935bb281b6 libxc: check failure of xc_dom_*_to_ptr, xc_map_foreign_range
2bcee4b3c316379f4b52cb308947eb6db3faf1a0 libxc: Add range checking to xc_dom_binloader
66fe2726fe8492676f9970b9c2c511bce6186ece libelf: abolish obsolete macros
39bf7b9d0ae534491745e54df5232127c0bddaf1 libelf: check loops for running away
a004800f8fc607b96527815c8e3beabcb455d8e0 libelf: use only unsigned integers
7a549a6aa04dba807f8dd4c1577ab6a7592c4c76 libelf: use C99 bool for booleans
c84481fbc7de7d15ff7476b3b9cd2713f81feaa3 libelf: Make all callers call elf_check_broken
943de71cf07d9d04ccb215bd46153b04930e9f25 libelf: Check pointer references in elf_is_elfbinary
65808a8ed41cc7c044f588bd6cab5af0fdc0e029 libelf: check all pointer accesses
04877847ade4ac9216e9f408fd544ade8f90cf9a libelf: check nul-terminated strings properly
50421bd56bf164f490d7d0bf5741e58936de41e8 tools/xcutils/readnotes: adjust print_l1_mfn_valid_note
85256359995587df00001dca22e9a76ba6ea8258 libelf: introduce macros for memory access and pointer handling
95dd49bed681af93f71a401b0a35bf2f917c6e68 libelf/xc_dom_load_elf_symtab: Do not use "syms" uninitialised
f7aa72ec00aec71eed055dac5e8a151966d75c9c libelf: move include of <asm/guest_access.h> to top of file
13e2c808f7ea721c8f200062e2b9b977ee924471 libelf: abolish elf_sval and elf_access_signed
009ddca51504ce80889937e485d44ac0f9290d63 libelf: add `struct elf_binary*' parameter to elf_load_image
b5a869209998fedadfe205d37addbd50a802998b libxc: Fix range checking in xc_dom_pfn_to_ptr etc.
53bfcf585b09eb4ac2240f89d1ade77421cd2451 libxc: introduce xc_dom_seg_to_ptr_pages
14573b974850d82de7aebad17e6471d27d847f2c libelf: abolish libelf-relocate.c

Xen 4.2.x:

d21d36e84354c04638b60a739a5f7c3d9f8adaf8 libxc: Better range check in xc_dom_alloc_segment
2a548e22915535ac13694eb38222903bca7245e3 libxc: check blob size before proceeding in xc_dom_check_gzip
052a689aa526ca51fd70528d4b0f83dfb2de99c1 libxc: range checks in xc_dom_p2m_host and _guest
8dc90d163650ce8aa36ae0b46debab83cc61edb6 libxc: check return values from malloc
77c0829fa751f052f7b8ec08287aef6e7ba97bc5 libxc: check failure of xc_dom_*_to_ptr, xc_map_foreign_range
b06e277b1fc08c7da3befeb3ac3950e1d941585d libxc: Add range checking to xc_dom_binloader
3baaa4ffcd3e7dd6227f9bdf817f90e5b75aeda2 libelf: abolish obsolete macros
52d8cc2dd3bb3e0f6d51e00280da934e8d91653a libelf: check loops for running away
e673ca50127b6c1263727aa31de0b8bb966ca7a2 libelf: use only unsigned integers
3fb6ccf2faccaf5e22e33a3155ccc72d732896d8 libelf: use C99 bool for booleans
a965b8f80388603d439ae2b8ee7b9b018a079f90 libelf: Make all callers call elf_check_broken
d0790bdad7496e720416b2d4a04563c4c27e7b95 libelf: Check pointer references in elf_is_elfbinary
cc8761371aac432318530c2ddfe2c8234bc0621f libelf: check all pointer accesses
db14d5bd9b6508adfcd2b910f454fae12fa4ba00 libelf: check nul-terminated strings properly
59f66d58180832af6b99a9e4489031b5c2f627ab tools/xcutils/readnotes: adjust print_l1_mfn_valid_note
40020ab55a1e9a1674ddecdb70299fab4fe8579d libelf: introduce macros for memory access and pointer handling
de9089b449d2508b1ba05590905c7ebaee00c8c4 libelf/xc_dom_load_elf_symtab: Do not use "syms" uninitialised
682a04488e7b3bd6c3448ab60599566eb7c6177a libelf: move include of <asm/guest_access.h> to top of file
83ec905922b496e1a5756e3a88405eb6c2c6ba88 libelf: abolish elf_sval and elf_access_signed
035634047d10c678cbb8801c4263747bdaf4e5b1 libelf: add `struct elf_binary*' parameter to elf_load_image
8c738fa5c1f3cfcd935b6191b3526f7ac8b2a5bd libxc: Fix range checking in xc_dom_pfn_to_ptr etc.
a672da4b2d58ef12be9d7407160e9fb43cac75d9 libxc: introduce xc_dom_seg_to_ptr_pages
9737484becab4a25159f1e985700eaee89690d34 libelf: abolish libelf-relocate.c

Xen 4.1.x:

ac63ddd70a5ccf5ebf790f06ea4cd4ed794c3978 libxc: check blob size before proceeding in xc_dom_check_gzip
6eca85d5c144ee8c899ee3cf8791f9087b15f2e8 libxc: range checks in xc_dom_p2m_host and _guest
a2986a7959919bc748784bb75970bfbd42697d3b libxc: check return values from malloc
117a538dbef62f8d39159dea652e633e01b50a9a libxc: check failure of xc_dom_*_to_ptr, xc_map_foreign_range
40b76f1fb04af421c1415f7bcb168dfaa6960d0d libxc: Add range checking to xc_dom_binloader
4a3a60d8caee49af6951a672c55b08436a8d1f86 libelf: abolish obsolete macros
968c0399159c65e24bb8b9969259e18791e1f4d8 libelf: check loops for running away
282188ea84b9e0f9c4865f0609e7740f2f28e7b0 libxc: Introduce xc_bitops.h
86e39ce58e91fe55d4fdbc914cb1955c45acc20e libelf: use only unsigned integers
bd3dba9f435fa59f305407f7d9b34e1e164ddd98 libelf: use C99 bool for booleans
44c74b1ed31c75ed9026abf62ab7427a46d8027a libelf: Make all callers call elf_check_broken
9962d7ffcce97ec2d69a15ef861996b1ead33694 libelf: Check pointer references in elf_is_elfbinary
39923542bb43e67776c4e8292d4a5a1adef2bd3b libelf: check all pointer accesses
8ce60b35beaac91a97b79c004ca6bf5d58e7390b libelf: check nul-terminated strings properly
4e46085972d2367dff2345a73361c1c17b47ce73 tools/xcutils/readnotes: adjust print_l1_mfn_valid_note
de49d6e83c3a8c753646b007972140ddbb746ba8 libelf: introduce macros for memory access and pointer handling
4d3339de1fe3cbf7b05487fdb6cadd7267950948 libelf/xc_dom_load_elf_symtab: Do not use "syms" uninitialised
e719b136b750e5eee87c4647d1846e4e1e70eac0 libelf: abolish elf_sval and elf_access_signed
f7fb94409c562beec06094141ef262dc85f28dac libxc: Fix range checking in xc_dom_pfn_to_ptr etc.
bbf40e6b6d47809f4289a866d7d167c25104ecc0 libxc: introduce xc_dom_seg_to_ptr_pages
64a0206c451920b72a9c5721a6f2427baf99e3dd libelf: abolish libelf-relocate.c
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJRwticAAoJEIP+FMlX6CvZFbEIAMjbI64TpgYSm3cRSFmdHol/
FC2d4mo/aeb8e24RCTnJvxP3oE+o1Oar5FGJi+AATDynzbqcuv7yK7iDQ9ZfwGm5
xZR+knkFKymWLsutb8uhDRT8eYCgmK8aQEXorvcjr69sxrxJascPGv4aHesNihxO
t4tRqRbqGhAzkm9Gm32LaVz3UYCW2ZRs4lxDBjtW5HmsugaOarCYNTqSpftAiAkn
XE8UChNUVO95PAJKRtmihLQ+TGJ9cyujBACrl6RsxdD8JZU6EP4rq7fccdzyqD6D
+c5pw859mtukyy56fwfP5Ji6G9O2VrrZyf4kq13V74SPZ/LV3VKDalfaVVItLGQ=
=RVh5
-----END PGP SIGNATURE-----


Xenproject.org Security Team