-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Xen Security Advisory CVE-2023-34323 / XSA-440
version 3
xenstored: A transaction conflict can crash C Xenstored
UPDATES IN VERSION 3
====================
Public release.
ISSUE DESCRIPTION
=================
When a transaction is committed, C Xenstored will first check
the quota is correct before attempting to commit any nodes. It would
be possible that accounting is temporarily negative if a node has
been removed outside of the transaction.
Unfortunately, some versions of C Xenstored are assuming that the
quota cannot be negative and are using assert() to confirm it. This
will lead to C Xenstored crash when tools are built without -DNDEBUG
(this is the default).
IMPACT
======
A malicious guest could craft a transaction that will hit the C
Xenstored bug and crash it. This will result to the inability to
perform any further domain administration like starting new guests,
or adding/removing resources to or from any existing guest.
VULNERABLE SYSTEMS
==================
All versions of Xen up to and including 4.17 are vulnerable if XSA-326
was ingested.
All Xen systems using C Xenstored are vulnerable. C Xenstored built
using -DNDEBUG (can be specified via EXTRA_CFLAGS_XEN_TOOLS=-DNDEBUG)
are not vulnerable. Systems using the OCaml variant of Xenstored are
not vulnerable.
MITIGATION
==========
The problem can be avoided by using OCaml Xenstored variant.
CREDITS
=======
This issue was discovered by Stanislav Uschakow and Julien Grall, all
from Amazon.
RESOLUTION
==========
Applying the appropriate attached patch resolves this issue.
Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball. Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.
xsa440-4.17.patch Xen 4.17.x - Xen 4.15.x.
$ sha256sum xsa440*
187b7edef4f509f3d7ec1662901fa638a900ab4213447438171fb2935f387014 xsa440.meta
431dab53baf2b57a299d1a151b330b62d9a007715d700e8515db71ff813d0037 xsa440-4.17.patch
$
DEPLOYMENT DURING EMBARGO
=========================
Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.
But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).
Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.
(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)
For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmUlNOMMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZy64IAIZBqlKJAGVeGMzSpuJfkP2YXLe9JNeR46HRG90e
mV94MWmsf+4kMu2ZhnXQaR2+lafjNfAQVdh9nXV0tdJu//yzLRfXnLfFWrroqBTS
g69/9zvgGRYvobHe6X/WmLwXCV8N27q04zLK7R9nYwntw2mJBBCvUfRPVHk/6lpH
4Ke6o0XbjmOjForl2PA3ISRqXKD5nB0pWp1cEfPt3PzCUV02kI/N3veWDRN2wyPN
jclvwlVVASJdCrcs0+NlOalN5XhD9+K5RN+VVGu3dchXpaa3qEOiTc/V5T1U5cX8
pqNqUBlo4ECFLygE2aUTITIX+dpLaGYD8rmFq0CPnsB6E5U=
=6W84
-----END PGP SIGNATURE-----
Hash: SHA256
Xen Security Advisory CVE-2023-34323 / XSA-440
version 3
xenstored: A transaction conflict can crash C Xenstored
UPDATES IN VERSION 3
====================
Public release.
ISSUE DESCRIPTION
=================
When a transaction is committed, C Xenstored will first check
the quota is correct before attempting to commit any nodes. It would
be possible that accounting is temporarily negative if a node has
been removed outside of the transaction.
Unfortunately, some versions of C Xenstored are assuming that the
quota cannot be negative and are using assert() to confirm it. This
will lead to C Xenstored crash when tools are built without -DNDEBUG
(this is the default).
IMPACT
======
A malicious guest could craft a transaction that will hit the C
Xenstored bug and crash it. This will result to the inability to
perform any further domain administration like starting new guests,
or adding/removing resources to or from any existing guest.
VULNERABLE SYSTEMS
==================
All versions of Xen up to and including 4.17 are vulnerable if XSA-326
was ingested.
All Xen systems using C Xenstored are vulnerable. C Xenstored built
using -DNDEBUG (can be specified via EXTRA_CFLAGS_XEN_TOOLS=-DNDEBUG)
are not vulnerable. Systems using the OCaml variant of Xenstored are
not vulnerable.
MITIGATION
==========
The problem can be avoided by using OCaml Xenstored variant.
CREDITS
=======
This issue was discovered by Stanislav Uschakow and Julien Grall, all
from Amazon.
RESOLUTION
==========
Applying the appropriate attached patch resolves this issue.
Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball. Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.
xsa440-4.17.patch Xen 4.17.x - Xen 4.15.x.
$ sha256sum xsa440*
187b7edef4f509f3d7ec1662901fa638a900ab4213447438171fb2935f387014 xsa440.meta
431dab53baf2b57a299d1a151b330b62d9a007715d700e8515db71ff813d0037 xsa440-4.17.patch
$
DEPLOYMENT DURING EMBARGO
=========================
Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.
But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).
Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.
(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)
For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmUlNOMMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZy64IAIZBqlKJAGVeGMzSpuJfkP2YXLe9JNeR46HRG90e
mV94MWmsf+4kMu2ZhnXQaR2+lafjNfAQVdh9nXV0tdJu//yzLRfXnLfFWrroqBTS
g69/9zvgGRYvobHe6X/WmLwXCV8N27q04zLK7R9nYwntw2mJBBCvUfRPVHk/6lpH
4Ke6o0XbjmOjForl2PA3ISRqXKD5nB0pWp1cEfPt3PzCUV02kI/N3veWDRN2wyPN
jclvwlVVASJdCrcs0+NlOalN5XhD9+K5RN+VVGu3dchXpaa3qEOiTc/V5T1U5cX8
pqNqUBlo4ECFLygE2aUTITIX+dpLaGYD8rmFq0CPnsB6E5U=
=6W84
-----END PGP SIGNATURE-----
Attached Files:
-
xsa440.meta (1.01 KB)
-
xsa440-4.17.patch (2.13 KB)