Mailing List Archive

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Xen Security Advisory XSA-55

Multiple vulnerabilities in libelf PV kernel handling

NOTE REGARDING LACK OF EMBARGO
==============================

Due to a human error this issue was prematurely publicly disclosed to
the xen-devel mailing list. Therefore this advisory is being published
immediately.

The Xen.org security apologizes for this error and will review its
procedures to avoid it in the future.

STATUS OF THE FIX
=================

Due to the unintended early release of these patches they have not
received as much review or testing as we would have liked.

Due to the method used to fix the issue we have reasonable confidence
that the security vulnerability is addressed by these patches however
there is a risk of regressions when loading kernels which are in fact
OK, i.e. treating valid kernels as malicious.

We have not yet been assigned a CVE number for this issue.

ISSUE DESCRIPTION
=================

The ELF parser used by the Xen tools to read domains' kernels and
construct domains has multiple integer overflows, pointer dereferences
based on calculations from unchecked input values, and other problems.

IMPACT
======

A malicious PV domain administrator who can specify their own kernel
can escalate their privilege to that of the domain construction tools
(i.e., normally, to control of the host).

Additionally a malicious HVM domain administrator who is able to
supply their own firmware ("hvmloader") can do likewise; however we
think this would be very unusual and it is unlikely that such
configurations exist in production systems.

VULNERABLE SYSTEMS
==================

All Xen versions are affected.

Installations which only allow the use of trustworthy kernels for PV
domains are not affected.

MITIGATION
==========

Ensuring that PV guests use only trustworthy kernels will avoid this
problem.

RESOLUTION
==========

Applying the appropriate attached patch series is intended to resolve
this issue.

xsa55-4.1/*.patch Xen 4.1.x
xsa55-4.2/*.patch Xen 4.2.x
xsa55-unstable/*.patch xen-unstable

$ sha256sum xsa55-*/**.patch
0806c7fd33e659d1b7f5a8fa6ee0a295b45c77bcc2feeb9ffcb94b02d847ac02 xsa55-4.1/0001-libelf-abolish-libelf-relocate.c.patch
965a511d6d8c37616d10381ae6df70c3dd5872898b121f67f0963cec1025d875 xsa55-4.1/0002-libxc-introduce-xc_dom_seg_to_ptr_pages.patch
6e745ca2e2c209bc65926a48ed868d061af842036dbe8e1a9193c9d8a045e77d xsa55-4.1/0003-libelf-abolish-elf_sval-and-elf_access_signed.patch
d5da28d86626e0de39d21fce374fb72ad1cec4223429041a43b75921c9702961 xsa55-4.1/0004-libelf-xc_dom_load_elf_symtab-Do-not-use-syms-uninit.patch
2423669ed389c532c05d8813b3f678cff314251af18f7fc56960eca3708b9c22 xsa55-4.1/0005-libelf-introduce-macros-for-memory-access-and-pointe.patch
0a021f4e6aa646aee47786cd63d2514a27d543115e8c1820baacc27b4afe3c28 xsa55-4.1/0006-tools-xcutils-readnotes-adjust-print_l1_mfn_valid_no.patch
87cd22f2479c125b6997bf6efc449179790f39e5951d4853d93b8836c3b47287 xsa55-4.1/0007-libelf-check-nul-terminated-strings-properly.patch
17c16ec73fcf4166777c692ba0e1733d046f5fe6f747e81689f7b4915ee3e1e7 xsa55-4.1/0008-libelf-check-all-pointer-accesses.patch
6501bb4f208a0ca0fbd7f1e2c38d55f01a992d0f3ad2cf190a104749818e7ae0 xsa55-4.1/0009-libelf-Check-pointer-references-in-elf_is_elfbinary.patch
012467b3bea8553a8556daae6bceab15f934306f7067bc20033d5313a3804048 xsa55-4.1/0010-libelf-Make-all-callers-call-elf_check_broken.patch
5e7d223b5386b9a8e15999700008e1db9cab011e672eed08a973447d806fb57c xsa55-4.1/0011-libelf-use-C99-bool-for-booleans.patch
35bff8abd08343257ee623b5e280e96065e2a6618bb448e2ab8254242d485cb3 xsa55-4.1/0012-libelf-use-only-unsigned-integers.patch
3db711c397541c5841a8a2da3446144474ff1040cd3813ce2c31ebebf603537d xsa55-4.1/0013-libelf-check-loops-for-running-away.patch
9d27078f976d9e21c862feaef4603b319774ccaec78ef1dc4c92eab6cb2fa847 xsa55-4.1/0014-libelf-abolish-obsolete-macros.patch
7f9d868985dd851e7f00ab76b443698d911216579d7e18bfa46e0fa04b416404 xsa55-4.2/0001-libelf-abolish-libelf-relocate.c.patch
f10c538555c79d6093af1a36ac1239078c64b4045f0b74c965cdbc0473e60d42 xsa55-4.2/0002-libxc-introduce-xc_dom_seg_to_ptr_pages.patch
23f3f9d5c52f6a2a76050ad8db2e0e21001e6b520b36d5d5d4df174e4e6fc9a5 xsa55-4.2/0003-libelf-add-struct-elf_binary-parameter-to-elf_load_i.patch
b246052c87f2eb4b094ea8b20bfb87b1d6a5a89496d4d23e087cb9bc03b0e01a xsa55-4.2/0004-libelf-abolish-elf_sval-and-elf_access_signed.patch
ae07b29d2fdb47c54841d16fd7f5e057b8858c14a7404b3c1ffffc8f43f8fe06 xsa55-4.2/0005-libelf-move-include-of-asm-guest_access.h-to-top-of-.patch
bb437d324f641face7fd6f48ddba381c5dcb043c8231b3115432ba53d297f372 xsa55-4.2/0006-libelf-xc_dom_load_elf_symtab-Do-not-use-syms-uninit.patch
f7ca43339d1f0c6354478cfaa3393cd8509878a062b6d3c9a69b746239c23019 xsa55-4.2/0007-libelf-introduce-macros-for-memory-access-and-pointe.patch
736b968fe21596b1ede2817f9255f88002cc0e4489a39a382675cae8f2b3f161 xsa55-4.2/0008-tools-xcutils-readnotes-adjust-print_l1_mfn_valid_no.patch
98bde2b49b040e6e085a3c1e99ba18926a5ba0682f32b7aed711eb07fa199143 xsa55-4.2/0009-libelf-check-nul-terminated-strings-properly.patch
f69614e3c2cbb5a6e80dc4f4a7b374f5d543456f378679917fff083442b1d76d xsa55-4.2/0010-libelf-check-all-pointer-accesses.patch
8bc58423705fbf546aa1ec56d44b7d41b2f777531bd5fab3ae8feef96b1b5aba xsa55-4.2/0011-libelf-Check-pointer-references-in-elf_is_elfbinary.patch
d78d3bcafaee8dae558a1e4bd86ead9903a22e6becb888b485eac6ddaabd4447 xsa55-4.2/0012-libelf-Make-all-callers-call-elf_check_broken.patch
23b98f94176bd4205c3a337855f15c74499799419e4368a81470d62e24983f4e xsa55-4.2/0013-libelf-use-C99-bool-for-booleans.patch
08184c337fc9aea46e7bd1e476e0c40bf8d24cc319132bdc59e29e1e185f10fd xsa55-4.2/0014-libelf-use-only-unsigned-integers.patch
d88033e2d63a0f12d9acc1ade5cb420f6fd8f56a46237d86b40706750e1181e9 xsa55-4.2/0015-libelf-check-loops-for-running-away.patch
62a3811bdea007d9083199d7a101932a4eaaffba07999a8b841bf35718e33b08 xsa55-4.2/0016-libelf-abolish-obsolete-macros.patch
e68c4d3a5f81f4511b605b0a31af1a6316e75eef0f876a8e4fbacffbd33a3bc3 xsa55-unstable/0001-libelf-abolish-libelf-relocate.c.patch
b735bed4a919001c8f0e94285e84435bacc6ce51107b1d78d5d2f54827f7dd0e xsa55-unstable/0002-libxc-introduce-xc_dom_seg_to_ptr_pages.patch
7102467603f1d7bc577421e5087cb90186bb2f7e7b412f849b5fa28be2d9db8a xsa55-unstable/0003-libelf-add-struct-elf_binary-parameter-to-elf_load_i.patch
bcb2b79864cdb6827376f521275c0e1327c9347f898b28b76346ff6309f89a0f xsa55-unstable/0004-libelf-abolish-elf_sval-and-elf_access_signed.patch
3bca1907fec2a3a233511980070a712d6052c3f17d5d1c1b21f808a09edf839b xsa55-unstable/0005-libelf-move-include-of-asm-guest_access.h-to-top-of-.patch
0bc3be2ace08cbf5bc9e80273486eae7ca78cb0b0967bdf6bb6a979aee6950bc xsa55-unstable/0006-libelf-xc_dom_load_elf_symtab-Do-not-use-syms-uninit.patch
e93fef15ec83f098fe52d5c093bf3d6d1d520e588e71a47b94596a2031a6b4b4 xsa55-unstable/0007-libelf-introduce-macros-for-memory-access-and-pointe.patch
620c5606749f4f0b4fa0f24bdace3d8ad2dcc5c5ae86144e1b70fdfee9abdea1 xsa55-unstable/0008-tools-xcutils-readnotes-adjust-print_l1_mfn_valid_no.patch
789679f20e4836fe0de903ed6f49de0329a2438e5533a88011327e051eece671 xsa55-unstable/0009-libelf-check-nul-terminated-strings-properly.patch
b0c3305b67c63c9cc05d28cf2a367af41aa01911be04d9dd37dfa62a504a99fc xsa55-unstable/0010-libelf-check-all-pointer-accesses.patch
abe0993e06d907d46883425025126be114d9464a0c10ae4cb50efffb8e74f30a xsa55-unstable/0011-libelf-Check-pointer-references-in-elf_is_elfbinary.patch
d93a31551d8052bf488217b1c9836b9e2a47f115673469e33f950465ca516631 xsa55-unstable/0012-libelf-Make-all-callers-call-elf_check_broken.patch
686c4f29ec5f2fc567d7490d5391008bd399eb260274d9a4c49eae66670ed835 xsa55-unstable/0013-libelf-use-C99-bool-for-booleans.patch
2652866b241e69be4dcea49c4798fdcf1e78cf31da93b49381f2b256a6d921b8 xsa55-unstable/0014-libelf-use-only-unsigned-integers.patch
b487e09440cd36ebc1c58ec229eb89ead3b93368c2f1716781bab953bab3baca xsa55-unstable/0015-libelf-check-loops-for-running-away.patch
217820c0ab0aef6eba23ee4b8a83d0bbffe7675f4cd7d907e1cc3b14840f609f xsa55-unstable/0016-libelf-abolish-obsolete-macros.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJRrMEnAAoJEIP+FMlX6CvZx08IAJb6mCuPzfb6OGwVT5QFEgre
en0IkexF4qvum9rYPxVfK9IrDizNAmqWoUZOdnhlts+PEKnx1F3G2/ahLY6bImqV
KgaEjNTZeUQwdoY7SrX9c8abC1GNXunJDVHYRBD/t6cxKbCzyAjbfvM6VxyW1GDg
EEBcNgHB8kisED3QurvY3q1yOPHqiC3pOfLD+JdRAbdU027dy4oKzzT6d17ajAIz
PuWfhGwHKgok2Gn7xPs1Q194OnqnFqA4VTMW/TYdXv7vs+Sr+0O5//5wRdYo1MrV
BViQbzI5FZQ3MYfde3qng9R460KAC1i2dNLxrwpWMfGFTefUiHaJfAKT4SCNCKs=
=1vKb
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Xen Security Advisory XSA-55
version 4

Multiple vulnerabilities in libelf PV kernel handling

UPDATES IN VERSION 4
====================

We are sending out a version 4 of this advisory with no files
attached. This is because the size of the version 3 advisory email
caused delivery problems for some recipients.

This version instead quotes the patchset git changeset ids in xen.git.

UPDATES IN VERSION 3
====================

Fixed patch series provided. These patches have been as thoroughly
reviewed as possible and subjected to various regression testing.

NOTE REGARDING CVE
==================

We have not yet been assigned a CVE number for this issue.

ISSUE DESCRIPTION
=================

The ELF parser used by the Xen tools to read domains' kernels and
construct domains has multiple integer overflows, pointer dereferences
based on calculations from unchecked input values, and other problems.

IMPACT
======

A malicious PV domain administrator who can specify their own kernel
can escalate their privilege to that of the domain construction tools
(i.e., normally, to control of the host).

Additionally a malicious HVM domain administrator who is able to
supply their own firmware ("hvmloader") can do likewise; however we
think this would be very unusual and it is unlikely that such
configurations exist in production systems.

VULNERABLE SYSTEMS
==================

All Xen versions are affected.

Installations which only allow the use of trustworthy kernels for PV
domains are not affected.

MITIGATION
==========

Ensuring that PV guests use only trustworthy kernels will avoid this
problem.

RESOLUTION
==========

Applying the appropriate patch series will resolve this issue.

These were attached to v3 of the advisory which can be found here:
http://lists.xen.org/archives/html/xen-devel/2013-06/msg01626.html

These are available in xen.git
http://xenbits.xen.org/gitweb/?p=xen.git
git://xenbits.xen.org/xen.git
http://xenbits.xen.org/git-http/xen.git
in the git changesets listed below.

xen-unstable:

82cb4113b6ace16de192021de20f6cbd991e478f libxc: Better range check in xc_dom_alloc_segment
966070058d02cce9684e30073b61d6465e4b351c libxc: check blob size before proceeding in xc_dom_check_gzip
de7911eaef98b6643d80e4612fe4dcd4528d15b9 libxc: range checks in xc_dom_p2m_host and _guest
3d5a1d4733e55e33521cd5004cab1313e5c5d5ff libxc: check return values from malloc
aaebaba5ae225f591e0602e071037a935bb281b6 libxc: check failure of xc_dom_*_to_ptr, xc_map_foreign_range
2bcee4b3c316379f4b52cb308947eb6db3faf1a0 libxc: Add range checking to xc_dom_binloader
66fe2726fe8492676f9970b9c2c511bce6186ece libelf: abolish obsolete macros
39bf7b9d0ae534491745e54df5232127c0bddaf1 libelf: check loops for running away
a004800f8fc607b96527815c8e3beabcb455d8e0 libelf: use only unsigned integers
7a549a6aa04dba807f8dd4c1577ab6a7592c4c76 libelf: use C99 bool for booleans
c84481fbc7de7d15ff7476b3b9cd2713f81feaa3 libelf: Make all callers call elf_check_broken
943de71cf07d9d04ccb215bd46153b04930e9f25 libelf: Check pointer references in elf_is_elfbinary
65808a8ed41cc7c044f588bd6cab5af0fdc0e029 libelf: check all pointer accesses
04877847ade4ac9216e9f408fd544ade8f90cf9a libelf: check nul-terminated strings properly
50421bd56bf164f490d7d0bf5741e58936de41e8 tools/xcutils/readnotes: adjust print_l1_mfn_valid_note
85256359995587df00001dca22e9a76ba6ea8258 libelf: introduce macros for memory access and pointer handling
95dd49bed681af93f71a401b0a35bf2f917c6e68 libelf/xc_dom_load_elf_symtab: Do not use "syms" uninitialised
f7aa72ec00aec71eed055dac5e8a151966d75c9c libelf: move include of <asm/guest_access.h> to top of file
13e2c808f7ea721c8f200062e2b9b977ee924471 libelf: abolish elf_sval and elf_access_signed
009ddca51504ce80889937e485d44ac0f9290d63 libelf: add `struct elf_binary*' parameter to elf_load_image
b5a869209998fedadfe205d37addbd50a802998b libxc: Fix range checking in xc_dom_pfn_to_ptr etc.
53bfcf585b09eb4ac2240f89d1ade77421cd2451 libxc: introduce xc_dom_seg_to_ptr_pages
14573b974850d82de7aebad17e6471d27d847f2c libelf: abolish libelf-relocate.c

Xen 4.2.x:

d21d36e84354c04638b60a739a5f7c3d9f8adaf8 libxc: Better range check in xc_dom_alloc_segment
2a548e22915535ac13694eb38222903bca7245e3 libxc: check blob size before proceeding in xc_dom_check_gzip
052a689aa526ca51fd70528d4b0f83dfb2de99c1 libxc: range checks in xc_dom_p2m_host and _guest
8dc90d163650ce8aa36ae0b46debab83cc61edb6 libxc: check return values from malloc
77c0829fa751f052f7b8ec08287aef6e7ba97bc5 libxc: check failure of xc_dom_*_to_ptr, xc_map_foreign_range
b06e277b1fc08c7da3befeb3ac3950e1d941585d libxc: Add range checking to xc_dom_binloader
3baaa4ffcd3e7dd6227f9bdf817f90e5b75aeda2 libelf: abolish obsolete macros
52d8cc2dd3bb3e0f6d51e00280da934e8d91653a libelf: check loops for running away
e673ca50127b6c1263727aa31de0b8bb966ca7a2 libelf: use only unsigned integers
3fb6ccf2faccaf5e22e33a3155ccc72d732896d8 libelf: use C99 bool for booleans
a965b8f80388603d439ae2b8ee7b9b018a079f90 libelf: Make all callers call elf_check_broken
d0790bdad7496e720416b2d4a04563c4c27e7b95 libelf: Check pointer references in elf_is_elfbinary
cc8761371aac432318530c2ddfe2c8234bc0621f libelf: check all pointer accesses
db14d5bd9b6508adfcd2b910f454fae12fa4ba00 libelf: check nul-terminated strings properly
59f66d58180832af6b99a9e4489031b5c2f627ab tools/xcutils/readnotes: adjust print_l1_mfn_valid_note
40020ab55a1e9a1674ddecdb70299fab4fe8579d libelf: introduce macros for memory access and pointer handling
de9089b449d2508b1ba05590905c7ebaee00c8c4 libelf/xc_dom_load_elf_symtab: Do not use "syms" uninitialised
682a04488e7b3bd6c3448ab60599566eb7c6177a libelf: move include of <asm/guest_access.h> to top of file
83ec905922b496e1a5756e3a88405eb6c2c6ba88 libelf: abolish elf_sval and elf_access_signed
035634047d10c678cbb8801c4263747bdaf4e5b1 libelf: add `struct elf_binary*' parameter to elf_load_image
8c738fa5c1f3cfcd935b6191b3526f7ac8b2a5bd libxc: Fix range checking in xc_dom_pfn_to_ptr etc.
a672da4b2d58ef12be9d7407160e9fb43cac75d9 libxc: introduce xc_dom_seg_to_ptr_pages
9737484becab4a25159f1e985700eaee89690d34 libelf: abolish libelf-relocate.c

Xen 4.1.x:

ac63ddd70a5ccf5ebf790f06ea4cd4ed794c3978 libxc: check blob size before proceeding in xc_dom_check_gzip
6eca85d5c144ee8c899ee3cf8791f9087b15f2e8 libxc: range checks in xc_dom_p2m_host and _guest
a2986a7959919bc748784bb75970bfbd42697d3b libxc: check return values from malloc
117a538dbef62f8d39159dea652e633e01b50a9a libxc: check failure of xc_dom_*_to_ptr, xc_map_foreign_range
40b76f1fb04af421c1415f7bcb168dfaa6960d0d libxc: Add range checking to xc_dom_binloader
4a3a60d8caee49af6951a672c55b08436a8d1f86 libelf: abolish obsolete macros
968c0399159c65e24bb8b9969259e18791e1f4d8 libelf: check loops for running away
282188ea84b9e0f9c4865f0609e7740f2f28e7b0 libxc: Introduce xc_bitops.h
86e39ce58e91fe55d4fdbc914cb1955c45acc20e libelf: use only unsigned integers
bd3dba9f435fa59f305407f7d9b34e1e164ddd98 libelf: use C99 bool for booleans
44c74b1ed31c75ed9026abf62ab7427a46d8027a libelf: Make all callers call elf_check_broken
9962d7ffcce97ec2d69a15ef861996b1ead33694 libelf: Check pointer references in elf_is_elfbinary
39923542bb43e67776c4e8292d4a5a1adef2bd3b libelf: check all pointer accesses
8ce60b35beaac91a97b79c004ca6bf5d58e7390b libelf: check nul-terminated strings properly
4e46085972d2367dff2345a73361c1c17b47ce73 tools/xcutils/readnotes: adjust print_l1_mfn_valid_note
de49d6e83c3a8c753646b007972140ddbb746ba8 libelf: introduce macros for memory access and pointer handling
4d3339de1fe3cbf7b05487fdb6cadd7267950948 libelf/xc_dom_load_elf_symtab: Do not use "syms" uninitialised
e719b136b750e5eee87c4647d1846e4e1e70eac0 libelf: abolish elf_sval and elf_access_signed
f7fb94409c562beec06094141ef262dc85f28dac libxc: Fix range checking in xc_dom_pfn_to_ptr etc.
bbf40e6b6d47809f4289a866d7d167c25104ecc0 libxc: introduce xc_dom_seg_to_ptr_pages
64a0206c451920b72a9c5721a6f2427baf99e3dd libelf: abolish libelf-relocate.c
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJRu0jbAAoJEIP+FMlX6CvZfeYH/0sfcaTV8eItCkee6YHVUvyd
cFgo19SBiLRQB/K+qK9vWoaVEqUXrailkS4Lx8syaVUTzwjBxWMbuv8gXxwrP4DZ
xay65+WzcBpJmnYwKqcx37d8or2L+fQpn9wLQQu1yd4Ta/QecUldh+K7eZCHJps2
v5oPw6wjJtG7C+W6skp7Y6mC0+FGNr3LBXgPuiHfH/NXqUMkom8JEd+1izSCxaxP
oZeTVtGeYfCH4ERakUViz7XtjvtFscJQETK9xI6HM6aXgEONiP8q1SJGJWVdpQSC
FlRqxAiusorY0RZln0UVVb55yJ7zhvuWUKVTvPa5tFz+pHtpknBG2tD9L4CVpUw=
=0trA
-----END PGP SIGNATURE-----