Information
Advisory: XSA-98
Public release: 2014-06-04 12:00
Updated: 2015-03-13 15:59
Version: 5
CVE(s): CVE-2014-3969
Title: insufficient permissions checks accessing guest memory on ARM
Files
advisory-98.txt (signed advisory file)
xsa98-unstable-01.patch
xsa98-unstable-02.patch
xsa98-4.4-01.patch
xsa98-4.4-02.patch
xsa98-update.patch
Advisory
Xen Security Advisory CVE-2014-3969 / XSA-98
version 5
insufficient permissions checks accessing guest memory on ARM
UPDATES IN VERSION 5
====================
The issue described in update 4 also affects Xen 4.5 which was not
released at the time of the original advisory. The extra patch
supplied with version 4 of this advisory is for Xen 4.5.x (as well as
4.4.x and xen-unstable).
Added credits for updated issue.
UPDATES IN VERSION 4
====================
Supply an additional patch for arm64. The original patches had the
permissions check backwards, meaning that a guest could read a
write-only mapping and vice versa, rendering the original fix
ineffective and, in particular, not closing down the ability for a
guest to write to a read-only page via the hypervisor.
This issue was discussed on a public IRC channel and therefore it has
been agreed with the discoverer that it should not be subject to a new
embargo.
32-bit ARM systems are not affected by this mistake; the original fix
remains correct for 32-bit.
ISSUE DESCRIPTION
=================
When accessing guest memory Xen does not correctly perform permissions
checks on the (possibly guest provided) virtual address: it only
checks that the mapping is readable by the guest, even when writing on
behalf of the guest. This allows a guest to write to memory which
it should only be able to read.
A guest running on a vulnerable system is able to write to memory
which should be read-only. This includes supposedly read-only foreign
mappings established using the grant table mechanism. Such read-only
mappings are commonly used as part of the paravirtualised I/O drivers
(such as guest disk write and network transmit).
In order to exploit this vulnerability the guest must have a mapping
of the memory; it does not allow access to arbitrary addresses.
In the event that a guest executes code from a page which has been
shared read-only with another guest, it would be possible to mount a
takeover attack on that guest.
IMPACT
======
A domain which is deliberately exchanging data with another,
malicious, domain, may be vulnerable to privilege escalation. The
vulnerability depends on the precise behaviour of the victim domain.
In a typical configuration this means that, depending on the behaviour
of the toolstack or device driver domain, a malicious guest
administrator might be able to escalate their privilege to that of the
whole host.
VULNERABLE SYSTEMS
==================
Both 32- and 64-bit ARM systems are vulnerable from Xen 4.4 onward.
MITIGATION
==========
None.
CREDITS
=======
This issue was discovered by Julien Grall.
The additional issue reported in update 4 was discovered by Tamas K
Lengyel.
RESOLUTION
==========
Applying the appropriate pair of attached patches along with the
additional update resolves this issue.
xsa98-unstable-{01,02}.patch    xen-unstable
xsa98-4.4-{01,02}.patch         Xen 4.4.x
xsa98-update.patch              Additional update for unstable, 4.5.x and 4.4.x
$ sha256sum xsa98*.patch
b8535aad5ae969675d59781a81ce0b24491f1abc01aaf36c3620fd7fb6cc84eb xsa98-unstable-01.patch
f5e8a93525a8905653da6377097f77681ff8121b973063ff6081e27547ceaa67 xsa98-unstable-02.patch
6f63bc2e0a0a39bbd9137513a5d130ae2c78d1fd2ebf9172bf49456f73f0a67b xsa98-4.4-01.patch
b338472ecce3c31a55d1a936eebbd4e46cb3ad989b91a64d4b8c5d3ca80d875d xsa98-4.4-02.patch
8bb4a23174c0c9b1a23a41d4669900877483fd526d331d0c377c32845feb2eb8 xsa98-update.patch
$
Xenproject.org Security Team