xen-devel.lists.xenproject.org archive mirror
From: Mauro Matteo Cascella <mcascell@redhat.com>
To: oss-security@lists.openwall.com
Cc: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	 xen-users@lists.xen.org,
	 "Xen.org security team" <security-team-members@xen.org>
Subject: Re: [oss-security] Xen Security Advisory 355 v2 - stack corruption from XSA-346 change
Date: Mon, 30 Nov 2020 17:07:43 +0100	[thread overview]
Message-ID: <CAA8xKjWY2+xo57n8hsvG6yMyhs6nAH+S4NbCsEJLWEVff_aWzg@mail.gmail.com> (raw)
In-Reply-To: <E1khX2v-0002f4-3b@xenbits.xenproject.org>

Hello,

Has a CVE been assigned for this issue?

Regards,

On Tue, Nov 24, 2020 at 1:06 PM Xen.org security team <security@xen.org> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
>                     Xen Security Advisory XSA-355
>                               version 2
>
>                  stack corruption from XSA-346 change
>
> UPDATES IN VERSION 2
> ====================
>
> Added metadata file.
>
> Public release.
>
> ISSUE DESCRIPTION
> =================
>
> One of the two changes for XSA-346 introduced an on-stack array.  The
> check for guarding against overrunning this array was off by one,
> allowing for corruption of the first stack slot immediately following
> this array.
>
> IMPACT
> ======
>
> A malicious or buggy HVM or PVH guest can cause Xen to crash, resulting
> in a Denial of Service (DoS) to the entire host.  Privilege escalation
> as well as information leaks cannot be excluded.
>
> VULNERABLE SYSTEMS
> ==================
>
> All Xen versions which have the patches for XSA-346 applied are
> vulnerable.
>
> Only x86 HVM and PVH guests can leverage the vulnerability.  Arm guests
> and x86 PV guests cannot leverage the vulnerability.
>
> Only x86 HVM and PVH guests which have physical devices passed through
> to them can leverage the vulnerability.
>
> MITIGATION
> ==========
>
> Not passing through physical devices to untrusted guests will avoid
> the vulnerability.
>
> CREDITS
> =======
>
> This issue was discovered by Jan Beulich of SUSE.
>
> RESOLUTION
> ==========
>
> Applying the attached patch resolves this issue.
>
> Note that patches for released versions are generally prepared to
> apply to the stable branches, and may not apply cleanly to the most
> recent release tarball.  Downstreams are encouraged to update to the
> tip of the stable branch before applying these patches.
>
> xsa355.patch           xen-unstable - Xen 4.10.x
>
> $ sha256sum xsa355*
> a93bfc376897e7cffd095d395f1a66476adb9503d7d80a59b7861e64c2675323  xsa355.meta
> dae633c11cf2eff3e304737265e18ab09213e8e4640458080a944ae7a40819a4  xsa355.patch
> $
>
> NOTE CONCERNING SHORT EMBARGO
> =============================
>
> This issue is likely to be re-discovered as the changes for XSA-346
> are deployed more widely, since the issue is also triggerable without
> any malice or bugginess.
>
> DEPLOYMENT DURING EMBARGO
> =========================
>
> Deployment of the patches and/or mitigations described above (or
> others which are substantially similar) is permitted during the
> embargo, even on public-facing systems with untrusted guest users and
> administrators.
>
> But: Distribution of updated software is prohibited (except to other
> members of the predisclosure list).
>
> Predisclosure list members who wish to deploy significantly different
> patches and/or mitigations, please contact the Xen Project Security
> Team.
>
> (Note: this during-embargo deployment notice is retained in
> post-embargo publicly released Xen Project advisories, even though it
> is then no longer applicable.  This is to enable the community to have
> oversight of the Xen Project Security Team's decisionmaking.)
>
> For more information about permissible uses of embargoed information,
> consult the Xen Project community's agreed Security Policy:
>   http://www.xenproject.org/security-policy.html
> -----BEGIN PGP SIGNATURE-----
>
> iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAl+89pEMHHBncEB4ZW4u
> b3JnAAoJEIP+FMlX6CvZRHQH/1D8CfjZWYgLcdYOg6sDO6BIK8IsnAiOoe2C8b9i
> M8QPFzHlUx09FI5CHVb0Va/pFliR1OS2tmmIU30DL9nmiDLcaP2uvpgJAYo5GwL5
> Rzccjo4qbXwfSRQvHmLzbr+XN8sHDxbekpFd8T5WvuarUgxOaPCLTfSG0nag/t52
> OVNIdDcP5lSt/Z88lYW75j4gBAsXUZDEXgn81JpeHj9js8YLFC3WFcwh58Jjd+hw
> 5DH955jNAKD8TRSy6uffDpvN1m9wm2vDGeXSUcJyswlV8Nqi6YRW4XO4Q6Cfj+CG
> LVBS/T977JZGJjRvTw4j0H+xAXiLFwQ1I/6v6fSZzxDMt9k=
> =+4M1
> -----END PGP SIGNATURE-----



-- 
Mauro Matteo Cascella
Red Hat Product Security
PGP-Key ID: BB3410B0
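The quoted advisory describes the bug in one sentence: an on-stack array whose guard check was off by one, so an index equal to the array length passes the check and the write lands in the first stack slot after the array. The following C is an added illustration of that pattern and of the check a reviewer would apply to catch it; it is hypothetical code written for this page, not Xen's code and not the XSA-346 or XSA-355 patches. The array size `SLOTS`, the frame model, the sentinel value and the function names are all constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed size for the on-stack array (not a Xen value). */
#define SLOTS 8

/* Model of a stack frame: slot[0..SLOTS-1] is the on-stack array and
 * slot[SLOTS] stands in for the stack slot immediately following it.
 * Keeping the neighbour inside the struct keeps the demonstration
 * well-defined instead of relying on real out-of-bounds writes. */
typedef struct {
    uint32_t slot[SLOTS + 1];
} frame_t;

/* Constructed marker placed in the neighbouring slot. */
#define SENTINEL 0xDEADBEEFu

typedef bool (*guard_fn)(size_t idx);

/* Off-by-one guard, the defect the advisory describes: idx == SLOTS is
 * accepted although the array only has indices 0..SLOTS-1. */
bool guard_off_by_one(size_t idx)
{
    return idx <= SLOTS;
}

/* Corrected guard: only in-bounds indices pass. */
bool guard_correct(size_t idx)
{
    return idx < SLOTS;
}

/* Performs the guarded store; returns true if the guard accepted it. */
bool guarded_store(frame_t *f, guard_fn guard, size_t idx, uint32_t value)
{
    if (!guard(idx))
        return false;
    f->slot[idx] = value;
    return true;
}

/* Reproduces the scenario: seed the frame, attempt a store at the index
 * just past the array, and report whether the neighbouring slot changed. */
bool neighbour_slot_corrupted(guard_fn guard)
{
    frame_t f;
    for (size_t i = 0; i <= SLOTS; i++)
        f.slot[i] = 0;
    f.slot[SLOTS] = SENTINEL;
    guarded_store(&f, guard, SLOTS, 0x41414141u);
    return f.slot[SLOTS] != SENTINEL;
}

/* Review check: every index the guard accepts must lie inside the array.
 * Exhaustive over the indices around the boundary, which is where
 * off-by-one defects live. */
bool guard_is_sound(guard_fn guard)
{
    for (size_t idx = 0; idx <= SLOTS + 1; idx++)
        if (guard(idx) && idx >= SLOTS)
            return false;
    return true;
}

int main(void)
{
    printf("off-by-one guard: neighbour corrupted=%d sound=%d\n",
           neighbour_slot_corrupted(guard_off_by_one),
           guard_is_sound(guard_off_by_one));
    printf("corrected guard:  neighbour corrupted=%d sound=%d\n",
           neighbour_slot_corrupted(guard_correct),
           guard_is_sound(guard_correct));
    return 0;
}
```

The `guard_is_sound` walk over the boundary indices is the kind of check worth adding as a unit test whenever a bounds guard is introduced alongside a fixed-size array: it catches the `<=` versus `<` slip without needing to reason about what happens to be adjacent on the stack.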



Thread overview: 3+ messages
2020-11-24 12:03 Xen Security Advisory 355 v2 - stack corruption from XSA-346 change Xen.org security team
2020-11-30 16:07 ` Mauro Matteo Cascella [this message]
2020-11-30 16:10   ` [oss-security] " Andrew Cooper