[xen] Two security fixes from nested virtualization CVE-2013-0151 CVE-2013-0152, restore status option to

myoung myoung at fedoraproject.org
Tue Jan 22 22:24:10 UTC 2013


commit 66141b2e068fa39f28bdda6be05882e323663687
Author: Michael Young <m.a.young at durham.ac.uk>
Date:   Tue Jan 22 22:22:10 2013 +0000

    Two security fixes for nested virtualization (CVE-2013-0151, CVE-2013-0152);
    restore the status option to xend, which is used by libvirt

 xen-initscript.patch       |    9 +++++----
 xen.spec                   |   12 +++++++++++-
 xsa34-4.2.patch            |   30 ++++++++++++++++++++++++++++++
 xsa35-4.2-with-xsa34.patch |   24 ++++++++++++++++++++++++
 4 files changed, 70 insertions(+), 5 deletions(-)
---
diff --git a/xen-initscript.patch b/xen-initscript.patch
index e01384e..b0112e5 100644
--- a/xen-initscript.patch
+++ b/xen-initscript.patch
@@ -1,6 +1,6 @@
---- xen-4.1.0/tools/misc/xend.orig	2010-02-02 20:43:01.000000000 +0000
-+++ xen-4.1.0/tools/misc/xend	2010-02-02 21:16:13.000000000 +0000
-@@ -8,103 +8,16 @@
+--- xen-4.2.1/tools/misc/xend.orig	2012-12-17 15:01:18.000000000 +0000
++++ xen-4.2.1/tools/misc/xend	2013-01-22 21:26:39.387953003 +0000
+@@ -8,103 +8,18 @@
  """Xen management daemon.
     Provides console server and HTTP management api.
  
@@ -97,7 +97,8 @@
 -        start_blktapctrl()
 -        return daemon.stop() or daemon.start()
 -    elif sys.argv[1] == 'status':
--        return daemon.status()
++    if sys.argv[1:] and sys.argv[1] == 'status':
+         return daemon.status()
 -    else:
 -        print 'not an option:', sys.argv[1]
 -    return 1
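Review bot: The restored `status` branch records nowhere why it alone survives while start/stop/restart are stripped, so the next time this initscript patch is trimmed it can be dropped again; the rationale (libvirt polls it, #893699) lives only in the spec changelog. I would add one comment line to the inner patch directly above the check, `++    # keep 'status': libvirt relies on it (#893699)`, and bump the inner hunk header in the first hunk of this file from `+@@ -8,103 +8,18 @@` to `+@@ -8,103 +8,19 @@` to match. The `sys.argv[1:]` guard is what keeps a bare `xend` invocation from raising IndexError before the comparison, so the condition itself is correct. The enclosing main routine starts and ends outside this hunk.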
diff --git a/xen.spec b/xen.spec
index 1e072a1..901c8f5 100644
--- a/xen.spec
+++ b/xen.spec
@@ -27,7 +27,7 @@
 Summary: Xen is a virtual machine monitor
 Name:    xen
 Version: 4.2.1
-Release: 4%{?dist}
+Release: 5%{?dist}
 Group:   Development/Libraries
 License: GPLv2+ and LGPLv2+ and BSD
 URL:     http://xen.org/
@@ -76,6 +76,8 @@ Patch49: xen.fedora.efi.build.patch
 Patch55: qemu-xen.trad.buildfix.patch
 Patch56: xen.fedora19.buildfix.patch
 Patch57: xsa33-4.2-unstable.patch
+Patch58: xsa34-4.2.patch
+Patch59: xsa35-4.2-with-xsa34.patch
 Patch61: xsa37-4.2.patch
 Patch62: man.formatting.patch
 Patch63: xsa41.patch
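Review bot: Nothing in the spec records that Patch59 must be applied after Patch58: xsa35-4.2-with-xsa34.patch is rebased on top of xsa34 (the context at the end of that file is the `#ifdef __i386__` line xsa34 introduces), so reordering or dropping Patch58 makes Patch59 fail on a context mismatch. The dependency is encoded only in the file name, which is easy to miss when patches are later renumbered; I would state it next to the declarations, `# Patch59 is generated against Patch58 (XSA-34) and must stay after it`. The same ordering constraint applies to the `%patch58 -p1` / `%patch59 -p1` lines in the later hunk of this file.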
@@ -245,6 +247,8 @@ manage Xen virtual machines.
 %patch55 -p1
 %patch56 -p1
 %patch57 -p1
+%patch58 -p1
+%patch59 -p1
 %patch61 -p1
 %patch62 -p1
 %patch63 -p1
@@ -737,6 +741,12 @@ rm -rf %{buildroot}
 %endif
 
 %changelog
+* Tue Jan 22 2013 Michael Young <m.a.young at durham.ac.uk> - 4.2.1-5
+- nested virtualization on 32-bit guest can crash host [XSA-34,
+  CVE-2013-0151] also nested HVM on guest can cause host to run out
+  of memory [XSA-35, CVE-2013-0152] (#902792)
+- restore status option to xend which is used by libvirt (#893699)
+
 * Thu Jan 17 2013 Michael Young <m.a.young at durham.ac.uk> - 4.2.1-4
 - Buffer overflow when processing large packets in qemu e1000 device
   driver [XSA-41, CVE-2012-6075]
diff --git a/xsa34-4.2.patch b/xsa34-4.2.patch
new file mode 100644
index 0000000..f5328ef
--- /dev/null
+++ b/xsa34-4.2.patch
@@ -0,0 +1,30 @@
+x86_32: don't allow use of nested HVM
+
+There are (indirect) uses of map_domain_page() in the nested HVM code
+that are unsafe when not just using the 1:1 mapping.
+
+This is XSA-34 / CVE-2013-0151.
+
+Signed-off-by: Jan Beulich <jbeulich at suse.com>
+
+--- a/xen/arch/x86/hvm/hvm.c
++++ b/xen/arch/x86/hvm/hvm.c
+@@ -3926,6 +3926,10 @@ long do_hvm_op(unsigned long op, XEN_GUE
+                     rc = -EINVAL;
+                 break;
+             case HVM_PARAM_NESTEDHVM:
++#ifdef __i386__
++                if ( a.value )
++                    rc = -EINVAL;
++#else
+                 if ( a.value > 1 )
+                     rc = -EINVAL;
+                 if ( !is_hvm_domain(d) )
+@@ -3940,6 +3944,7 @@ long do_hvm_op(unsigned long op, XEN_GUE
+                     for_each_vcpu(d, v)
+                         if ( rc == 0 )
+                             rc = nestedhvm_vcpu_initialise(v);
++#endif
+                 break;
+             case HVM_PARAM_BUFIOREQ_EVTCHN:
+                 rc = -EINVAL;
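Review bot: The guard is keyed on the hypervisor build (`#ifdef __i386__`, matching the patch title "x86_32: don't allow use of nested HVM"), so a 32-bit Xen rejects any non-zero HVM_PARAM_NESTEDHVM regardless of the guest, whereas the spec changelog in this commit describes the issue as "nested virtualization on 32-bit guest"; if that reading is right, the changelog should say "32-bit hypervisor" so that anyone assessing exposure keys on the right property. On the 64-bit path the existing `a.value > 1` check and the vcpu initialisation loop are untouched, and the `#endif` in the second hunk lands immediately before the shared `break`, so both builds leave the case at the same point. `do_hvm_op` begins and ends outside both hunks, so what rc holds on the i386 path when a.value is 0 is not visible here. Since this is an upstream XSA patch carried verbatim, the wording fix belongs in the spec changelog rather than in this file.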
diff --git a/xsa35-4.2-with-xsa34.patch b/xsa35-4.2-with-xsa34.patch
new file mode 100644
index 0000000..28c6171
--- /dev/null
+++ b/xsa35-4.2-with-xsa34.patch
@@ -0,0 +1,24 @@
+xen: Do not allow guests to enable nested HVM on themselves
+
+There is no reason for this and doing so exposes a memory leak to
+guests. Only toolstacks need write access to this HVM param.
+
+This is XSA-35 / CVE-2013-0152.
+
+Signed-off-by: Ian Campbell <ian.campbell at citrix.com>
+Acked-by: Jan Beulich <JBeulich at suse.com>
+
+--- a/xen/arch/x86/hvm/hvm.c
++++ b/xen/arch/x86/hvm/hvm.c
+@@ -3862,6 +3862,11 @@ long do_hvm_op(unsigned long op, XEN_GUE
+                     rc = -EINVAL;
+                 break;
+             case HVM_PARAM_NESTEDHVM:
++                if ( !IS_PRIV(current->domain) )
++                {
++                    rc = -EPERM;
++                    break;
++                }
+ #ifdef __i386__
+                 if ( a.value )
+                     rc = -EINVAL;

