Advisories ยป MGASA-2016-0098

Updated xen packages fix security vulnerabilities

Publication date: 07 Mar 2016
Modification date: 07 Mar 2016
Type: security
Affected Mageia releases : 5
CVE: CVE-2015-0268 , CVE-2015-1563 , CVE-2015-2044 , CVE-2015-2045 , CVE-2015-2150 , CVE-2015-2151 , CVE-2015-2152 , CVE-2015-2751 , CVE-2015-2752 , CVE-2015-2756 , CVE-2015-3209 , CVE-2015-3259 , CVE-2015-3340 , CVE-2015-3456 , CVE-2015-4103 , CVE-2015-4104 , CVE-2015-4105 , CVE-2015-4106 , CVE-2015-4163 , CVE-2015-4164 , CVE-2015-5154 , CVE-2015-5165 , CVE-2015-5166 , CVE-2015-5307 , CVE-2015-6654 , CVE-2015-7311 , CVE-2015-7504 , CVE-2015-7812 , CVE-2015-7813 , CVE-2015-7814 , CVE-2015-7835 , CVE-2015-7969 , CVE-2015-7970 , CVE-2015-7971 , CVE-2015-7972 , CVE-2015-8104 , CVE-2015-8338 , CVE-2015-8339 , CVE-2015-8340 , CVE-2015-8550 , CVE-2015-8555 , CVE-2016-1570 , CVE-2016-1571 , CVE-2016-2270 , CVE-2016-2271

Description

This xen update is based on upstream 4.5.2 maintenance release, and fixes the
following security issues:

The vgic_v2_to_sgi function in arch/arm/vgic-v2.c in Xen 4.5.x, when running
on ARM hardware with general interrupt controller (GIC) version 2, allows
local guest users to cause a denial of service (host crash) by writing an
invalid value to the GICD.SGIR register (CVE-2015-0268).

The ARM GIC distributor virtualization in Xen 4.4.x and 4.5.x allows local
guests to cause a denial of service by causing a large number messages to
be logged (CVE-2015-1563).

The emulation routines for unspecified X86 devices in Xen 3.2.x through
4.5.x does not properly initialize data, which allow local HVM guest users
to obtain sensitive information via vectors involving an unsupported access
size (CVE-2015-2044).

The HYPERVISOR_xen_version hypercall in Xen 3.2.x through 4.5.x does not
properly initialize data structures, which allows local guest users to
obtain sensitive information via unspecified vectors (CVE-2015-2045).

Xen 3.3.x through 4.5.x and the Linux kernel through 3.19.1 do not properly
restrict access to PCI command registers, which might allow local guest
users to cause a denial of service (non-maskable interrupt and host crash)
by disabling the (1) memory or (2) I/O decoding for a PCI Express device
and then accessing the device, which triggers an Unsupported Request (UR)
response (CVE-2015-2150).

The x86 emulator in Xen 3.2.x through 4.5.x does not properly ignore segment
overrides for instructions with register operands, which allows local guest
users to obtain sensitive information, cause a denial of service (memory
corruption), or possibly execute arbitrary code via unspecified vectors
(CVE-2015-2151).

Xen 4.5.x and earlier enables certain default backends when emulating a VGA
device for an x86 HVM guest qemu even when the configuration disables them,
which allows local guest users to obtain access to the VGA console by (1)
setting the DISPLAY environment variable, when compiled with SDL support,
or connecting to the VNC server on (2) ::1 or (3) 127.0.0.1, when not
compiled with SDL support (CVE-2015-2152).

Xen 4.3.x, 4.4.x, and 4.5.x, when using toolstack disaggregation, allows
remote domains with partial management control to cause a denial of service
(host lock) via unspecified domctl operations (CVE-2015-2751). 

The XEN_DOMCTL_memory_mapping hypercall in Xen 3.2.x through 4.5.x, when
using a PCI passthrough device, is not preemptable, which allows local x86
HVM domain users to cause a denial of service (host CPU consumption) via
a crafted request to the device model (qemu-dm) (CVE-2015-2752).

QEMU, as used in Xen 3.3.x through 4.5.x, does not properly restrict access
to PCI command registers, which might allow local HVM guest users to cause
a denial of service (non-maskable interrupt and host crash) by disabling
the (1) memory or (2) I/O decoding for a PCI Express device and then
accessing the device, which triggers an Unsupported Request (UR) response
(CVE-2015-2756).

Heap-based buffer overflow in the PCNET controller in QEMU allows remote
attackers to execute arbitrary code by sending a packet with
TXSTATUS_STARTPACKET set and then a crafted packet with TXSTATUS_DEVICEOWNS
set (CVE-2015-3209).

Stack-based buffer overflow in the xl command line utility in Xen 4.1.x
through 4.5.x allows local guest administrators to gain privileges via a
long configuration argument (CVE-2015-3259).

Xen 4.2.x through 4.5.x does not initialize certain fields, which allows
certain remote service domains to obtain sensitive information from memory
via a (1) XEN_DOMCTL_gettscinfo or (2) XEN_SYSCTL_getdomaininfolist request
(CVE-2015-3340).

The Floppy Disk Controller (FDC) in QEMU, as used in Xen 4.5.x and earlier
and KVM, allows local guest users to cause a denial of service (out-of-bounds
write and guest crash) or possibly execute arbitrary code via the (1)
FD_CMD_READ_ID, (2) FD_CMD_DRIVE_SPECIFICATION_COMMAND, or other unspecified
commands, aka VENOM (CVE-2015-3456).

Xen 3.3.x through 4.5.x does not properly restrict write access to the host
MSI message data field, which allows local x86 HVM guest administrators
cause a denial of service (host interrupt handling confusion) via vectors
related to qemu and accessing spanning multiple fields (CVE-2015-4103).

Xen 3.3.x through 4.5.x does not properly restrict access to PCI MSI mask
bits, which allows local x86 HVM guest users to cause a denial of service
(unexpected interrupt and host crash) via unspecified vectors 
(CVE-2015-4104).

Xen 3.3.x through 4.5.x enables logging for PCI MSI-X pass-through error
messages, which allows local x86 HVM guests to cause a denial of service
(host disk consumption) via certain invalid operations (CVE-2015-4105).

QEMU does not properly restrict write access to the PCI config space for
certain PCI pass-through devices, which mighy allow local x86 HVM guests
to gain privileges, cause a denial of service (host crash), obtain
sensitive information, or possibly have other unspecified impact via
unknown vectors (CVE-2015-4106).

GNTTABOP_swap_grant_ref in Xen 4.2 through 4.5 does not check the grant
table operation version, which allows local guest domains to cause a
denial of service (NULL pointer dereference) via a hypercall without a
GNTTABOP_setup_table or GNTTABOP_set_version (CVE-2015-4163).

The compat_iret function in Xen 3.1 through 4.5 iterates the wrong way
through a loop, which allows local 32-bit PV guest administrators to cause
a denial of service (large loop and system hang) via a hypercall_iret call
with EFLAGS.VM set (CVE-2015-4164).

Heap-based buffer overflow in the IDE subsystem in QEMU, as used in Xen
4.5.x and earlier, when the container has a CDROM drive enabled, allows
local guest users to execute arbitrary code on the host via unspecified
ATAPI commands (CVE-2015-5154).

The C+ mode offload emulation in the RTL8139 network card device model in
QEMU, as used in Xen 4.5.x and earlier, allows remote attackers to read
process heap memory via unspecified vectors (CVE-2015-5165).

Use-after-free vulnerability in QEMU in Xen 4.5.x and earlier does not
completely unplug emulated block devices, which allows local HVM guest
users to gain privileges by unplugging a block device twice (CVE-2015-5166).

A guest to host DoS issue was found affecting various hypervisors. In that,
a guest can DoS the host by triggering an infinite stream of "alignment
check" (#AC) exceptions. This causes the microcode to enter an infinite loop
where the core never receives another interrupt. The host kernel panics due
to this effect (CVE-2015-5307).

The xenmem_add_to_physmap_one function in arch/arm/mm.c in Xen 4.5.x,
4.4.x, and earlier does not limit the number of printk console messages
when reporting a failure to retrieve a reference on a foreign page, which
allows remote domains to cause a denial of service by leveraging
permissions to map the memory of a foreign guest (CVE-2015-6654).

libxl in Xen 4.1.x through 4.6.x does not properly handle the readonly flag
on disks when using the qemu-xen device model, which allows local guest
users to write to a read-only disk image (CVE-2015-7311).

A heap-based buffer overflow flaw was discovered in the way QEMU's AMD
PC-Net II Ethernet Controller emulation received certain packets in
loopback mode. A privileged user (with the CAP_SYS_RAWIO capability)
inside a guest could use this flaw to crash the host QEMU process
(resulting in denial of service) or, potentially, execute arbitrary
code with privileges of the host QEMU process (CVE-2015-7504).

Multicall support for arm in xen 4.4.x and later was not correctly set
up with correct functionality and therefore exposed to guests a code path
which crashes the host. Any guest can issue a preemptable hypercall via the
multicall interface to exploit this vulnerability (CVE-2015-7812).

Xen 4.4.x, 4.5.x, and 4.6.x does not limit the number of printk console
messages when reporting unimplemented hypercalls, which allows local guests
to cause a denial of service via a sequence of (1) HYPERVISOR_physdev_op
hypercalls, which are not properly handled in the do_physdev_op function
in arch/arm/physdev.c, or (2) HYPERVISOR_hvm_op hypercalls, which are not
properly handled in the do_hvm_op function in arch/arm/hvm.c (CVE-2015-7813).

Race condition in the relinquish_memory function in arch/arm/domain.c in
Xen 4.6.x and earlier allows local domains with partial management control
to cause a denial of service (host crash) via vectors involving the
destruction of a domain and using XENMEM_decrease_reservation to reduce
the memory of the domain (CVE-2015-7814).

The mod_l2_entry function in arch/x86/mm.c in Xen 3.4 through 4.6.x does
not properly validate level 2 page table entries, which allows local PV
guest administrators to gain privileges via a crafted superpage mapping
(CVE-2015-7835).

Multiple memory leaks in Xen 4.0 through 4.6.x allow local guest
administrators or domains with certain permission to cause a denial of
service (memory consumption) via a large number of "teardowns" of domains
with the vcpu pointer array allocated using the (1) XEN_DOMCTL_max_vcpus
hypercall or the xenoprofile state vcpu pointer array allocated using the
(2) XENOPROF_get_buffer or (3) XENOPROF_set_passive hypercall
(CVE-2015-7969).

The p2m_pod_emergency_sweep function in arch/x86/mm/p2m-pod.c in Xen 3.4.x,
3.5.x, and 3.6.x is not preemptible, which allows local x86 HVM guest
administrators to cause a denial of service (CPU consumption and possibly
reboot) via crafted memory contents that triggers a "time-consuming linear
scan," related to Populate-on-Demand (CVE-2015-7970).

Xen 3.2.x through 4.6.x does not limit the number of printk console messages
when logging certain pmu and profiling hypercalls, which allows local guests
to cause a denial of service via a sequence of crafted (1) 
HYPERCALL_xenoprof_op hypercalls, which are not properly handled in the 
do_xenoprof_op function in common/xenoprof.c, or (2) HYPERVISOR_xenpmu_op
hypercalls, which are not properly handled in the do_xenpmu_op function in
arch/x86/cpu/vpmu.c (CVE-2015-7971).

The (1) libxl_set_memory_target function in tools/libxl/libxl.c and (2) 
libxl__build_post function in tools/libxl/libxl_dom.c in Xen 3.4.x through
4.6.x do not properly calculate the balloon size when using the
populate-on-demand (PoD) system, which allows local HVM guest users to
cause a denial of service (guest crash) via unspecified vectors related
to "heavy memory pressure." (CVE-2015-7972)

A guest to host DoS issue was found affecting various hypervisors. In that,
a guest can DoS the host by triggering an infinite stream of "debug check"
(#DB) exceptions. This causes the microcode to enter an infinite loop where
the core never receives another interrupt. The host kernel panics due to
this effect (CVE-2015-8104).

Xen 4.6.x and earlier does not properly enforce limits on page order inputs
for the (1) XENMEM_increase_reservation, (2) XENMEM_populate_physmap,
(3) XENMEM_exchange, and possibly other HYPERVISOR_memory_op suboperations,
which allows ARM guest OS administrators to cause a denial of service (CPU
consumption, guest reboot, or watchdog timeout and host reboot) and possibly
have unspecified other impact via unknown vectors (CVE-2015-8338).

The memory_exchange function in common/memory.c in Xen 3.2.x through 4.6.x
does not properly hand back pages to a domain, which might allow guest OS
administrators to cause a denial of service (host crash) via unspecified
vectors related to domain teardown (CVE-2015-8339).

The memory_exchange function in common/memory.c in Xen 3.2.x through 4.6.x
does not properly release locks, which might allow guest OS administrators
to cause a denial of service (deadlock or host crash) via unspecified
vectors, related to XENMEM_exchange error handling (CVE-2015-8340).

Felix Wilhelm discovered a race condition in the Xen paravirtualized
drivers which can cause double fetch vulnerabilities. An attacker in the
paravirtualized guest could exploit this flaw to cause a denial of service
(crash the host) or potentially execute arbitrary code on the host
(CVE-2015-8550).

Information leak in legacy x86 FPU/XMM initialization (CVE-2015-8555).

The PV superpage functionality lacks certain validity checks on data
being passed to the hypervisor by guests.  This is the case for the
page identifier (MFN) passed to MMUEXT_MARK_SUPER and
MMUEXT_UNMARK_SUPER sub-ops of the HYPERVISOR_mmuext_op hypercall as
well as for various forms of page table updates. Use of the feature,
which is disabled by default, may have unknown effects, ranging from
information leaks through Denial of Service to privilege escalation.
(CVE-2016-1570)

While INVLPG does not cause a General Protection Fault when used on a
non-canonical address, INVVPID in its "individual address" variant,
which is used to back the intercepted INVLPG in certain cases, fails in
such cases. Failure of INVVPID results in a hypervisor bug check.
A malicious guest can crash the host, leading to a Denial of Service.
(CVE-2016-1571)

Xen 4.6.x and earlier allows local guest administrators to cause a denial
of service (host reboot) via vectors related to multiple mappings of MMIO
pages with different cachability settings (CVE-2016-2270).

VMX in Xen 4.6.x and earlier, when using an Intel or Cyrix CPU, allows
local HVM guest users to cause a denial of service (guest crash) via
vectors related to a non-canonical RIP (CVE-2016-2271).

For other fixes in this update, see the referenced changelogs.
                

References

SRPMS

5/core