From owner-svn-ports-head@freebsd.org Sun Dec 4 19:35:15 2016
Delivered-To: svn-ports-head@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 8CDB2C676FD; Sun, 4 Dec 2016 19:35:15 +0000 (UTC) (envelope-from junovitch@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 5561FBBE; Sun, 4 Dec 2016 19:35:15 +0000 (UTC) (envelope-from junovitch@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uB4JZEt7065094; Sun, 4 Dec 2016 19:35:14 GMT (envelope-from junovitch@FreeBSD.org)
Received: (from junovitch@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uB4JZEbD065092; Sun, 4 Dec 2016 19:35:14 GMT (envelope-from junovitch@FreeBSD.org)
Message-Id: <201612041935.uB4JZEbD065092@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: junovitch set sender to junovitch@FreeBSD.org using -f
From: Jason Unovitch
Date: Sun, 4 Dec 2016 19:35:14 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r427795 - head/security/vuxml
X-SVN-Group: ports-head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-ports-head@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: SVN commit messages for the ports tree for head
X-List-Received-Date: Sun, 04 Dec 2016 19:35:15 -0000

Author: junovitch
Date: Sun Dec 4 19:35:14 2016
New Revision: 427795

URL: https://svnweb.freebsd.org/changeset/ports/427795

Log:
  Document Xen Security Advisories (XSAs 185-188, 190-195, 197-198)

  PR:		214936
  Security:	CVE-2016-7092
  Security:	CVE-2016-7093
  Security:	CVE-2016-7094
  Security:	CVE-2016-7154
  Security:	CVE-2016-7777
  Security:	CVE-2016-9379
  Security:	CVE-2016-9380
  Security:	CVE-2016-9381
  Security:	CVE-2016-9382
  Security:	CVE-2016-9383
  Security:	CVE-2016-9384
  Security:	CVE-2016-9385
  Security:	CVE-2016-9386
  Security:	https://vuxml.FreeBSD.org/freebsd/45ca25b5-ba4d-11e6-ae1b-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/49211361-ba4d-11e6-ae1b-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/4aae54be-ba4d-11e6-ae1b-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/4d7cf654-ba4d-11e6-ae1b-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/50ac2e96-ba4d-11e6-ae1b-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/523bb0b7-ba4d-11e6-ae1b-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/53dbd096-ba4d-11e6-ae1b-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/5555120d-ba4d-11e6-ae1b-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/56f0f11e-ba4d-11e6-ae1b-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/58685e23-ba4d-11e6-ae1b-002590263bf5.html
  Security:
https://vuxml.FreeBSD.org/freebsd/59f79c99-ba4d-11e6-ae1b-002590263bf5.html Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Sun Dec 4 18:41:05 2016 (r427794) +++ head/security/vuxml/vuln.xml Sun Dec 4 19:35:14 2016 (r427795) @@ -58,6 +58,444 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> + + xen-tools -- delimiter injection vulnerabilities in pygrub + + + xen-tools + 4.7.1 + + + + +

The Xen Project reports:

+
+

pygrub, the boot loader emulator, fails to quote (or sanity check) + its results when reporting them to its caller.

+

A malicious guest administrator can obtain the contents of + sensitive host files (an information leak). Additionally, a + malicious guest administrator can cause files on the host to be + removed, causing a denial of service. In some unusual host + configurations, ability to remove certain files may be useable for + privilege escalation.

+
+ +
+ + CVE-2016-9379 + CVE-2016-9380 + ports/214936 + https://xenbits.xen.org/xsa/advisory-198.html + + + 2016-11-22 + 2016-12-04 + +
+ + + xen-tools -- qemu incautious about shared ring processing + + + xen-tools + 4.7.1 + + + + +

The Xen Project reports:

+
+

The compiler can emit optimizations in qemu which can lead to + double fetch vulnerabilities. Specifically data on the rings shared + between qemu and the hypervisor (which the guest under control can + obtain mappings of) can be fetched twice (during which time the + guest can alter the contents) possibly leading to arbitrary code + execution in qemu.

+

Malicious administrators can exploit this vulnerability to take + over the qemu process, elevating its privilege to that of the qemu + process.

+

In a system not using a device model stub domain (or other + techniques for deprivileging qemu), malicious guest administrators + can thus elevate their privilege to that of the host.

+
+ +
+ + CVE-2016-9381 + ports/214936 + https://xenbits.xen.org/xsa/advisory-197.html + + + 2016-11-22 + 2016-12-04 + +
+ + + xen-kernel -- x86 64-bit bit test instruction emulation broken + + + xen-kernel + 4.7.1 + + + + +

The Xen Project reports:

+
+

The x86 instructions BT, BTC, BTR, and BTS, when used with a + destination memory operand and a source register rather than an + immediate operand, access a memory location offset from that + specified by the memory operand as specified by the high bits of + the register source.

+

A malicious guest can modify arbitrary memory, allowing for + arbitrary code execution (and therefore privilege escalation + affecting the whole host), a crash of the host (leading to a DoS), + or information leaks. The vulnerability is sometimes exploitable + by unprivileged guest user processes.

+
+ +
+ + CVE-2016-9383 + ports/214936 + https://xenbits.xen.org/xsa/advisory-195.html + + + 2016-11-22 + 2016-12-04 + +
+ + + xen-kernel -- guest 32-bit ELF symbol table load leaking host data + + + xen-kernel + 4.74.7.1 + + + + +

The Xen Project reports:

+
+

Along with their main kernel binary, unprivileged guests may + arrange to have their Xen environment load (kernel) symbol tables + for their use. The ELF image metadata created for this purpose has a + few unused bytes when the symbol table binary is in 32-bit ELF + format. These unused bytes were not properly cleared during symbol + table loading.

+

A malicious unprivileged guest may be able to obtain sensitive + information from the host.

+

The information leak is small and not under the control of the + guest, so effectively exploiting this vulnerability is probably + difficult.

+
+ +
+ + CVE-2016-9384 + ports/214936 + https://xenbits.xen.org/xsa/advisory-194.html + + + 2016-11-22 + 2016-12-04 + +
+ + + xen-kernel -- x86 segment base write emulation lacking canonical address checks + + + xen-kernel + 4.44.7.1 + + + + +

The Xen Project reports:

+
+

Both writes to the FS and GS register base MSRs as well as the + WRFSBASE and WRGSBASE instructions require their input values to be + canonical, or a #GP fault will be raised. When the use of those + instructions by the hypervisor was enabled, the previous guard + against #GP faults (having recovery code attached) was accidentally + removed.

+

A malicious guest administrator can crash the host, leading to a + DoS.

+
+ +
+ + CVE-2016-9385 + ports/214936 + https://xenbits.xen.org/xsa/advisory-193.html + + + 2016-11-22 + 2016-12-04 + +
+ + + xen-kernel -- x86 task switch to VM86 mode mis-handled + + + xen-kernel + 4.7.1 + + + + +

The Xen Project reports:

+
+

LDTR, just like TR, is purely a protected mode facility. Hence even + when switching to a VM86 mode task, LDTR loading needs to follow + protected mode semantics. This was violated by the code.

+

On SVM (AMD hardware): a malicious unprivileged guest process can + escalate its privilege to that of the guest operating system.

+

On both SVM and VMX (Intel hardware): a malicious unprivileged + guest process can crash the guest.

+
+ +
+ + CVE-2016-9382 + ports/214936 + https://xenbits.xen.org/xsa/advisory-192.html + + + 2016-11-22 + 2016-12-04 + +
+ + + xen-kernel -- x86 null segments not always treated as unusable + + + xen-kernel + 4.7.1 + + + + +

The Xen Project reports:

+
+

The Xen x86 emulator erroneously failed to consider the unusability + of segments when performing memory accesses.

+

The intended behaviour is as follows: The user data segment (%ds, + %es, %fs and %gs) selectors may be NULL in 32-bit to prevent access. + In 64-bit, NULL has a special meaning for user segments, and there + is no way of preventing access. However, in both 32-bit and 64-bit, + a NULL LDT system segment is intended to prevent access.

+

On Intel hardware, loading a NULL selector zeros the base as well + as most attributes, but sets the limit field to its largest possible + value. On AMD hardware, loading a NULL selector zeros the attributes, + leaving the stale base and limit intact.

+

Xen may erroneously permit the access using unexpected base/limit + values.

+

Ability to exploit this vulnerability on Intel is easy, but on AMD + depends in a complicated way on how the guest kernel manages LDTs. +

+

An unprivileged guest user program may be able to elevate its + privilege to that of the guest operating system.

+
+ +
+ + CVE-2016-9386 + ports/214936 + https://xenbits.xen.org/xsa/advisory-191.html + + + 2016-11-22 + 2016-12-04 + +
+ + + xen-kernel -- CR0.TS and CR0.EM not always honored for x86 HVM guests + + + xen-kernel + 4.7.1 + + + + +

The Xen Project reports:

+
+

Instructions touching FPU, MMX, or XMM registers are required to + raise a Device Not Available Exception (#NM) when either CR0.EM or + CR0.TS are set. (Their AVX or AVX-512 extensions would consider only + CR0.TS.) While during normal operation this is ensured by the + hardware, if a guest modifies instructions while the hypervisor is + preparing to emulate them, the #NM delivery could be missed.

+

Guest code in one task may thus (unintentionally or maliciously) + read or modify register state belonging to another task in the same + VM.

+

A malicious unprivileged guest user may be able to obtain or + corrupt sensitive information (including cryptographic material) in + other programs in the same guest.

+
+ +
+ + CVE-2016-7777 + ports/214936 + https://xenbits.xen.org/xsa/advisory-190.html + + + 2016-10-04 + 2016-12-04 + +
+ + + xen-kernel -- use after free in FIFO event channel code + + + xen-kernel + 4.44.5 + + + + +

The Xen Project reports:

+
+

When the EVTCHNOP_init_control operation is called with a bad guest + frame number, it takes an error path which frees a control structure + without also clearing the corresponding pointer. Certain subsequent + operations (EVTCHNOP_expand_array or another EVTCHNOP_init_control), + upon finding the non-NULL pointer, continue operation assuming it + points to allocated memory.

+

A malicious guest administrator can crash the host, leading to a + DoS. Arbitrary code execution (and therefore privilege escalation), + and information leaks, cannot be excluded.

+
+ +
+ + CVE-2016-7154 + ports/214936 + https://xenbits.xen.org/xsa/advisory-188.html + + + 2016-09-08 + 2016-12-04 + +
+ + + xen-kernel -- x86 HVM: Overflow of sh_ctxt->seg_reg[] + + + xen-kernel + 4.7.1 + + + + +

The Xen Project reports:

+
+

x86 HVM guests running with shadow paging use a subset of the x86 + emulator to handle the guest writing to its own pagetables. There + are situations a guest can provoke which result in exceeding the + space allocated for internal state.

+

A malicious HVM guest administrator can cause Xen to fail a bug + check, causing a denial of service to the host.

+
+ +
+ + CVE-2016-7094 + ports/214936 + https://xenbits.xen.org/xsa/advisory-187.html + + + 2016-09-08 + 2016-12-04 + +
+ + + xen-kernel -- x86: Mishandling of instruction pointer truncation during emulation + + + xen-kernel + 4.5.3 + 4.6.3 + 4.7.04.7.1 + + + + +

The Xen Project reports:

+
+

When emulating HVM instructions, Xen uses a small i-cache for + fetches from guest memory. The code that handles cache misses does + not check if the address from which it fetched lies within the cache + before blindly writing to it. As such it is possible for the guest + to overwrite hypervisor memory.

+

It is currently believed that the only way to trigger this bug is + to use the way that Xen currently incorrectly wraps CS:IP in 16 bit + modes. The included patch prevents such wrapping.

+

A malicious HVM guest administrator can escalate their privilege to + that of the host.

+
+ +
+ + CVE-2016-7093 + ports/214936 + https://xenbits.xen.org/xsa/advisory-186.html + + + 2016-09-08 + 2016-12-04 + +
+ + + xen-kernel -- x86: Disallow L3 recursive pagetable for 32-bit PV guests + + + xen-kernel + 4.7.1 + + + + +

The Xen Project reports:

+
+

On real hardware, a 32-bit PAE guest must leave the USER and RW bit + clear in L3 pagetable entries, but the pagetable walk behaves as if + they were set. (The L3 entries are cached in processor registers, + and don't actually form part of the pagewalk.)

+

When running a 32-bit PV guest on a 64-bit Xen, Xen must always OR + in the USER and RW bits for L3 updates for the guest to observe + architectural behaviour. This is unsafe in combination with + recursive pagetables.

+

As there is no way to construct an L3 recursive pagetable in native + 32-bit PAE mode, disallow this option in 32-bit PV guests.

+

A malicious 32-bit PV guest administrator can escalate their + privilege to that of the host.

+
+ +
+ + CVE-2016-7092 + ports/214936 + https://xenbits.xen.org/xsa/advisory-185.html + + + 2016-09-08 + 2016-12-04 + +
+ wireshark -- multiple vulnerabilities
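Review bot: the commit log lists only eleven vuxml.FreeBSD.org entry URLs under Security:, but this hunk adds twelve entries to vuln.xml (XSA-198, 197, 195, 194, 193, 192, 191, 190, 188, 187, 186 and 185, each ending in a ports/214936 reference), so one entry's VuXML URL is missing from the log; the thirteen CVE identifiers, by contrast, match the CVEs cited in the entries one for one. Please add the missing entry URL so the commit message can be cross-referenced against every vuln id it introduces. A minor content point in the XSA-186 entry: the quoted sentence "The included patch prevents such wrapping" refers to the patch shipped with the advisory, not to anything in this VuXML change, so readers of the vulnerability database may find it clearer if that sentence is dropped or reworded when quoting the advisory.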