Advisories ยป MGASA-2017-0012

Updated xen packages fix security vulnerability

Publication date: 09 Jan 2017
Type: security
Affected Mageia releases : 5
CVE: CVE-2014-3672 , CVE-2016-3158 , CVE-2016-3159 , CVE-2016-3710 , CVE-2016-3712 , CVE-2016-3960 , CVE-2016-4962 , CVE-2016-4963 , CVE-2016-4480 , CVE-2016-5242 , CVE-2016-5403 , CVE-2016-6258 , CVE-2016-6259 , CVE-2016-7092 , CVE-2016-7093 , CVE-2016-7094 , CVE-2016-7777 , CVE-2016-9377 , CVE-2016-9378 , CVE-2016-9379 , CVE-2016-9380 , CVE-2016-9381 , CVE-2016-9382 , CVE-2016-9383 , CVE-2016-9384 , CVE-2016-9385 , CVE-2016-9386 , CVE-2016-9637 , CVE-2016-9932 , CVE-2016-10013 , CVE-2016-10024

Description

This xen update is based on upstream 4.5.5 maintenance release, and fixes
the following security issues:

The qemu implementation in libvirt before 1.3.0 and Xen allows local guest
OS users to cause a denial of service (host disk consumption) by writing
to stdout or stderr (CVE-2014-3672)

The xrstor function in arch/x86/xstate.c in Xen 4.x does not properly handle
writes to the hardware FSW.ES bit when running on AMD64 processors, which
allows local guest OS users to obtain sensitive register content information
from another guest by leveraging pending exception and mask bits. NOTE: this
vulnerability exists because of an incorrect fix for CVE-2013-2076
(CVE-2016-3158).

The fpu_fxrstor function in arch/x86/i387.c in Xen 4.x does not properly
handle writes to the hardware FSW.ES bit when running on AMD64 processors,
which allows local guest OS users to obtain sensitive register content
information from another guest by leveraging pending exception and mask
bits. NOTE: this vulnerability exists because of an incorrect fix for
CVE-2013-2076 (CVE-2016-3159).

The VGA module in QEMU improperly performs bounds checking on banked access
to video memory, which allows local guest OS administrators to execute
arbitrary code on the host by changing access modes after setting the bank
register, aka the "Dark Portal" issue (CVE-2016-3710).

Integer overflow in the VGA module in QEMU allows local guest OS users to
cause a denial of service (out-of-bounds read and QEMU process crash) by
editing VGA registers in VBE mode (CVE-2016-3712).

Integer overflow in the x86 shadow pagetable code in Xen allows local guest
OS users to cause a denial of service (host crash) or possibly gain
privileges by shadowing a superpage mapping (CVE-2016-3960).

The libxl device-handling in Xen 4.6.x and earlier allows local OS guest
administrators to cause a denial of service (resource consumption or
management facility confusion) or gain host OS privileges by manipulating
information in guest controlled areas of xenstore (CVE-2016-4962).

The libxl device-handling in Xen through 4.6.x allows local guest OS users
with access to the driver domain to cause a denial of service (management
tool confusion) by manipulating information in the backend directories in
xenstore (CVE-2016-4963).

The guest_walk_tables function in arch/x86/mm/guest_walk.c in Xen 4.6.x and
earlier does not properly handle the Page Size (PS) page table entry bit at
the L4 and L3 page table levels, which might allow local guest OS users to
gain privileges via a crafted mapping of memory (CVE-2016-4480).

The p2m_teardown function in arch/arm/p2m.c in Xen 4.4.x through 4.6.x allows
local guest OS users with access to the driver domain to cause a denial of
service (NULL pointer dereference and host OS crash) by creating concurrent
domains and holding references to them, related to VMID exhaustion
(CVE-2016-5242).

The virtqueue_pop function in hw/virtio/virtio.c in QEMU allows local guest
OS administrators to cause a denial of service (memory consumption and QEMU
process crash) by submitting requests without waiting for completion
(CVE-2016-5403).

The PV pagetable code in arch/x86/mm.c in Xen 4.7.x and earlier allows local
32-bit PV guest OS administrators to gain host OS privileges by leveraging
fast-paths for updating pagetable entries (CVE-2016-6258).

Xen 4.5.x through 4.7.x do not implement Supervisor Mode Access Prevention
(SMAP) whitelisting in 32-bit exception and event delivery, which allows
local 32-bit PV guest OS kernels to cause a denial of service (hypervisor
and VM crash) by triggering a safety check (CVE-2016-6259).

The get_page_from_l3e function in arch/x86/mm.c in Xen allows local 32-bit
PV guest OS administrators to gain host OS privileges via vectors related
to L3 recursive pagetables (CVE-2016-7092).

Xen 4.5.3, 4.6.3, and 4.7.x allow local HVM guest OS administrators to
overwrite hypervisor memory and consequently gain host OS privileges by
leveraging mishandling of instruction pointer truncation during emulation
(CVE-2016-7093).

Buffer overflow in Xen 4.7.x and earlier allows local x86 HVM guest OS
administrators on guests running with shadow paging to cause a denial of
service via a pagetable update (CVE-2016-7094).

Xen 4.7.x and earlier does not properly honor CR0.TS and CR0.EM, which
allows local x86 HVM guest OS users to read or modify FPU, MMX, or XMM
register state information belonging to arbitrary tasks on the guest by
modifying an instruction while the hypervisor is preparing to emulate it
(CVE-2016-7777).

When Xen emulates instructions which generate software interrupts it needs
to perform a privilege check involving an IDT lookup. This check is sometimes
erroneously conducted as if the IDT had the format for a 32-bit guest, when
in fact it is in the 64-bit format. Xen will then read the wrong part of the
IDT and interpret it in an unintended manner. An unprivileged guest user
program may be able to crash the guest (CVE-2016-9377).

When Xen emulates instructions which generate software interrupts, and
chooses to deliver the software interrupt, it may try to use the method
intended for injecting exceptions. This is incorrect, and results in a
guest crash (CVE-2016-9378).

pygrub supports a number of output formats. When the S-expression output
format is requested, putting string quotes and S-expressions in the 
bootloader configuration file can produce incorrect output. A malicious
guest administrator can obtain the contents of sensitive host files (an
information leak), or can cause files on the host to be removed, causing
a denial of service or in unusual cases privilegie escalation (CVE-2016-9379).

When the nul-delimited output format is requested, nul bytes in the
bootloader configuration file can produce an ambiguous or confusing output
file, which is interpreted by libxl in a vulnerable way. A malicious guest
administrator can obtain the contents of sensitive host files (an information
leak), or can cause files on the host to be removed, causing a denial of
service or in unusual cases privilegie escalation (CVE-2016-9380).

The compiler can emit optimizations in qemu which can lead to double fetch
vulnerabilities. Specifically data on the rings shared between qemu and the
hypervisor (which the guest under control can obtain mappings of) can be
fetched twice (during which time the guest can alter the contents) possibly
leading to arbitrary code execution in qemu. Malicious administrators can
exploit this vulnerability to take over the qemu process, elevating its
privilege to that of the qemu process. In a system not using a device model
stub domain (or other techniques for deprivileging qemu), malicious guest
administrators can thus elevate their privilege to that of the host
(CVE-2016-9381).

LDTR, just like TR, is purely a protected mode facility. Hence even when
switching to a VM86 mode task, LDTR loading needs to follow protected mode
semantics. This was violated by the code. On SVM (AMD hardware): a malicious
unprivileged guest process can escalate its privilege to that of the guest
operating system. On both SVM and VMX (Intel hardware): a malicious
unprivileged guest process can crash the guest (CVE-2016-9382).

The x86 instructions BT, BTC, BTR, and BTS, when used with a destination
memory operand and a source register rather than an immediate operand,
access a memory location offset from that specified by the memory operand
as specified by the high bits of the register source. When Xen needs to
emulate such an instruction, to efficiently handle the emulation, the memory
address and register operand are recalculated internally to Xen. In this
process, the high bits of an intermediate expression were discarded, leading
to both the memory location and the register operand being wrong. A malicious
guest can modify arbitrary memory, allowing for arbitrary code execution
(and therefore privilege escalation affecting the whole host), a crash of
the host (leading to a DoS), or information leaks (CVE-2016-9383).

Along with their main kernel binary, unprivileged guests may arrange to 
have their Xen environment load (kernel) symbol tables for their use.
The ELF image metadata created for this purpose has a few unused bytes
when the symbol table binary is in 32-bit ELF format. These unused bytes
were not properly cleared during symbol table loading. A malicious
unprivileged guest may be able to obtain sensitive information from the
host (CVE-2016-9384).

Both writes to the FS and GS register base MSRs as well as the WRFSBASE and
WRGSBASE instructions require their input values to be canonical, or a #GP
fault will be raised. When the use of those instructions by the hypervisor
was enabled, the previous guard against #GP faults (having recovery code
attached) was accidentally removed. A malicious guest administrator can
crash the host, leading to a DoS (CVE-2016-9385).

The Xen x86 emulator erroneously failed to consider the unusability of
segments when performing memory accesses. An unprivileged guest user
program may be able to elevate its privilege to that of the guest operating
system (CVE-2016-9386).

The code in qemu which implements ioport read/write looks up the specified
ioport address in a 32-bit dispatch table without proper range checks.
Xen will write only 16-bit address ioport accesses. However, depending on
the Xen and qemu version, the ring may be writeable by the guest. If so,
the guest can generate out-of-range ioport accesses, resulting in wild
pointer accesses within qemu. A malicious guest administrator can escalate
their privilege to that of the host (CVE-2016-9637).

x86 CMPXCHG8B emulation fails to ignore operand size override. A malicious
unprivileged guest may be able to obtain sensitive information from the
host (CVE-2016-9932).

x86 PV guests may be able to mask interrupts. A malicious guest kernel
administrator can cause a host hang or crash, resulting in a Denial of
Service (CVE-2016-10024).

x86: Mishandling of SYSCALL singlestep during emulation. Guest userspace
which can invoke the instruction emulator can use this flaw to escalate
its privilege to that of the guest kernel (CVE-2016-10013).

For other fixes in this update, see the referenced changelogs.
                

References

SRPMS

5/core