[xen] Information leak via internal x86 system device emulation [XSA-121, CVE-2015-2044] Information leak

myoung myoung at fedoraproject.org
Thu Mar 5 20:19:12 UTC 2015


commit 7901978a11b997fcffe496ff60407c9b478507db
Author: Michael Young <m.a.young at durham.ac.uk>
Date:   Thu Mar 5 20:18:27 2015 +0000

    Information leak via internal x86 system device emulation [XSA-121, CVE-2015-2044]
    Information leak through version information hypercall [XSA-122, CVE-2015-2045]
    fix a typo in xen.fedora.systemd.patch

 xen.fedora.systemd.patch |  2 +-
 xen.spec                 | 13 +++++++++++-
 xsa121.patch             | 51 ++++++++++++++++++++++++++++++++++++++++++++++++
 xsa122.patch             | 40 +++++++++++++++++++++++++++++++++++++
 4 files changed, 104 insertions(+), 2 deletions(-)
---
diff --git a/xen.fedora.systemd.patch b/xen.fedora.systemd.patch
index 26c8a8f..0f26a1c 100644
--- a/xen.fedora.systemd.patch
+++ b/xen.fedora.systemd.patch
@@ -114,7 +114,7 @@ diff -uN xen-4.5.0/tools/hotplug/Linux/systemd.orig/xenstored.service.in xen-4.5
  hotplug/Linux/init.d/xen-watchdog
  hotplug/Linux/init.d/xencommons
  hotplug/Linux/init.d/xendomains
-+otplug/Linux/systemd/oxenstored.service
++hotplug/Linux/systemd/oxenstored.service
  hotplug/Linux/systemd/proc-xen.mount
  hotplug/Linux/systemd/var-lib-xenstored.mount
 -hotplug/Linux/systemd/xen-init-dom0.service
diff --git a/xen.spec b/xen.spec
index eddde91..26addaf 100644
--- a/xen.spec
+++ b/xen.spec
@@ -51,7 +51,7 @@
 Summary: Xen is a virtual machine monitor
 Name:    xen
 Version: 4.5.0
-Release: 2%{?dist}
+Release: 3%{?dist}
 Group:   Development/Libraries
 License: GPLv2+ and LGPLv2+ and BSD
 URL:     http://xen.org/
@@ -88,6 +88,8 @@ Patch19: xsa118-4.5-unstable-1.patch
 Patch20: xsa118-4.5-unstable-2.patch
 Patch21: xsa117.patch
 Patch22: xen.gcc5.fix.patch
+Patch23: xsa121.patch
+Patch24: xsa122.patch
 
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
 BuildRequires: transfig libidn-devel zlib-devel texi2html SDL-devel curl-devel
@@ -275,6 +277,8 @@ manage Xen virtual machines.
 %patch20 -p1
 %patch21 -p1
 %patch22 -p1
+%patch23 -p1
+%patch24 -p1
 
 # stubdom sources
 cp -v %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15} stubdom
@@ -779,6 +783,13 @@ rm -rf %{buildroot}
 %endif
 
 %changelog
+* Thu Mar 05 2015 Michael Young <m.a.young at durham.ac.uk> - 4.5.0-3
+- Information leak via internal x86 system device emulation [XSA-121,
+	CVE-2015-2044]
+- Information leak through version information hypercall [XSA-122,
+	CVE-2015-2045]
+- fix a typo in xen.fedora.systemd.patch
+
 * Sat Feb 14 2015 Michael Young <m.a.young at durham.ac.uk> - 4.5.0-2
 - arm: vgic-v2: GICD_SGIR is not properly emulated [XSA-117, CVE-2015-0268]
 - allow certain warnings with gcc5 that would otherwise be treated as errors
diff --git a/xsa121.patch b/xsa121.patch
new file mode 100644
index 0000000..f3d1397
--- /dev/null
+++ b/xsa121.patch
@@ -0,0 +1,51 @@
+x86/HVM: return all ones on wrong-sized reads of system device I/O ports
+
+So far the value presented to the guest remained uninitialized.
+
+This is CVE-2015-2044 / XSA-121.
+
+Signed-off-by: Jan Beulich <jbeulich at suse.com>
+Acked-by: Ian Campbell <ian.campbell at citrix.com>
+
+--- a/xen/arch/x86/hvm/i8254.c
++++ b/xen/arch/x86/hvm/i8254.c
+@@ -486,6 +486,7 @@ static int handle_pit_io(
+     if ( bytes != 1 )
+     {
+         gdprintk(XENLOG_WARNING, "PIT bad access\n");
++        *val = ~0;
+         return X86EMUL_OKAY;
+     }
+ 
+--- a/xen/arch/x86/hvm/pmtimer.c
++++ b/xen/arch/x86/hvm/pmtimer.c
+@@ -213,6 +213,7 @@ static int handle_pmt_io(
+     if ( bytes != 4 )
+     {
+         gdprintk(XENLOG_WARNING, "HVM_PMT bad access\n");
++        *val = ~0;
+         return X86EMUL_OKAY;
+     }
+     
+--- a/xen/arch/x86/hvm/rtc.c
++++ b/xen/arch/x86/hvm/rtc.c
+@@ -703,7 +703,8 @@ static int handle_rtc_io(
+ 
+     if ( bytes != 1 )
+     {
+-        gdprintk(XENLOG_WARNING, "HVM_RTC bas access\n");
++        gdprintk(XENLOG_WARNING, "HVM_RTC bad access\n");
++        *val = ~0;
+         return X86EMUL_OKAY;
+     }
+     
+--- a/xen/arch/x86/hvm/vpic.c
++++ b/xen/arch/x86/hvm/vpic.c
+@@ -331,6 +331,7 @@ static int vpic_intercept_pic_io(
+     if ( bytes != 1 )
+     {
+         gdprintk(XENLOG_WARNING, "PIC_IO bad access size %d\n", bytes);
++        *val = ~0;
+         return X86EMUL_OKAY;
+     }
+ 
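Review bot: The ones-fill is applied only on the wrong-size early return, so any other path in handle_pit_io, handle_pmt_io, handle_rtc_io or vpic_intercept_pic_io that returns X86EMUL_OKAY without storing to `*val` would still hand the caller whatever was on the stack; those function bodies lie outside the hunk, so this needs confirming against the full handlers. `*val = ~0;` produces the all-ones pattern only if the pointee type of `val` is unsigned and at least as wide as the access the guest asked for; the prototypes are cut off by the `@@` headers, so check no handler takes a narrower or signed pointer. The rtc.c hunk also corrects the "bas access" spelling in the log message, which is fine but means the message text changes for anyone matching on it. These gdprintk calls look like debug-build-only diagnostics, so a production hypervisor presumably emits nothing for a malformed access; if an operational signal is wanted, a rate-limited message would have to be added separately.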
diff --git a/xsa122.patch b/xsa122.patch
new file mode 100644
index 0000000..1e58965
--- /dev/null
+++ b/xsa122.patch
@@ -0,0 +1,40 @@
+pre-fill structures for certain HYPERVISOR_xen_version sub-ops
+
+... avoiding to pass hypervisor stack contents back to the caller
+through space unused by the respective strings.
+
+This is CVE-2015-2045 / XSA-122.
+
+Signed-off-by: Aaron Adams <Aaron.Adams at nccgroup.com>
+Acked-by: Jan Beulich <jbeulich at suse.com>
+Acked-by: Ian Campbell <ian.campbell at citrix.com>
+
+--- a/xen/common/kernel.c
++++ b/xen/common/kernel.c
+@@ -240,6 +240,8 @@ DO(xen_version)(int cmd, XEN_GUEST_HANDL
+     case XENVER_extraversion:
+     {
+         xen_extraversion_t extraversion;
++
++        memset(extraversion, 0, sizeof(extraversion));
+         safe_strcpy(extraversion, xen_extra_version());
+         if ( copy_to_guest(arg, extraversion, ARRAY_SIZE(extraversion)) )
+             return -EFAULT;
+@@ -249,6 +251,8 @@ DO(xen_version)(int cmd, XEN_GUEST_HANDL
+     case XENVER_compile_info:
+     {
+         struct xen_compile_info info;
++
++        memset(&info, 0, sizeof(info));
+         safe_strcpy(info.compiler,       xen_compiler());
+         safe_strcpy(info.compile_by,     xen_compile_by());
+         safe_strcpy(info.compile_domain, xen_compile_domain());
+@@ -284,6 +288,8 @@ DO(xen_version)(int cmd, XEN_GUEST_HANDL
+     case XENVER_changeset:
+     {
+         xen_changeset_info_t chgset;
++
++        memset(chgset, 0, sizeof(chgset));
+         safe_strcpy(chgset, xen_changeset());
+         if ( copy_to_guest(arg, chgset, ARRAY_SIZE(chgset)) )
+             return -EFAULT;
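Review bot: The zeroing is added to the three sub-ops shown, but `DO(xen_version)` continues outside the hunk; any other case in the same switch that fills a fixed-size stack buffer or struct and then calls copy_to_guest should be audited for the same trailing-bytes leak, since only the buffers visible here are covered. A short comment above each `memset` would save the next reader from "simplifying" it into an initializer, e.g. `/* copy_to_guest() copies the whole object, so every byte past the string terminator must be zeroed first */`. Using `memset` rather than `= { 0 }` is the right choice for `struct xen_compile_info` in particular, because an initializer is not required to clear padding bytes between members, whereas `memset` over `sizeof(info)` clears them.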

