[xen/f20] Information leak via internal x86 system device emulation [XSA-121, CVE-2015-2044] Information leak

myoung myoung at fedoraproject.org
Fri Mar 6 00:20:15 UTC 2015


commit d6234ae89b2449c96311d41d315b74a8b29725eb
Author: Michael Young <m.a.young at durham.ac.uk>
Date:   Fri Mar 6 00:19:25 2015 +0000

    Information leak via internal x86 system device emulation [XSA-121, CVE-2015-2044]
    Information leak through version information hypercall [XSA-122, CVE-2015-2045]

 xen.spec     | 12 +++++++++++-
 xsa121.patch | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++
 xsa122.patch | 40 ++++++++++++++++++++++++++++++++++++++++
 3 files changed, 102 insertions(+), 1 deletion(-)
---
diff --git a/xen.spec b/xen.spec
index 23df955..96c43a5 100644
--- a/xen.spec
+++ b/xen.spec
@@ -51,7 +51,7 @@
 Summary: Xen is a virtual machine monitor
 Name:    xen
 Version: 4.3.3
-Release: 9%{?dist}
+Release: 10%{?dist}
 Group:   Development/Libraries
 License: GPLv2+ and LGPLv2+ and BSD
 URL:     http://xen.org/
@@ -118,6 +118,8 @@ Patch34: xl.migrate.debug.fail.patch
 Patch35: xsa114-4.3.patch
 Patch36: xl.migrate.debug.fail.fix.patch
 Patch37: xsa116-4.3-4.2.patch
+Patch38: xsa121.patch
+Patch39: xsa122.patch
 
 
 Patch100: xen-configure-xend.patch
@@ -320,6 +322,8 @@ manage Xen virtual machines.
 %patch35 -p1
 %patch36 -p1
 %patch37 -p1
+%patch38 -p1
+%patch39 -p1
 
 %patch100 -p1
 
@@ -893,6 +897,12 @@ rm -rf %{buildroot}
 %endif
 
 %changelog
+* Thu Mar 05 2015 Michael Young <m.a.young at durham.ac.uk> - 4.3.3-10
+- Information leak via internal x86 system device emulation [XSA-121,
+	CVE-2015-2044]
+- Information leak through version information hypercall [XSA-122,
+	CVE-2015-2045]
+
 * Tue Jan 06 2015 Michael Young <m.a.young at durham.ac.uk> - 4.3.3-9
 - xen crash due to use after free on hvm guest teardown [XSA-116,
 	CVE-2015-0361] (#1179221)
diff --git a/xsa121.patch b/xsa121.patch
new file mode 100644
index 0000000..f3d1397
--- /dev/null
+++ b/xsa121.patch
@@ -0,0 +1,51 @@
+x86/HVM: return all ones on wrong-sized reads of system device I/O ports
+
+So far the value presented to the guest remained uninitialized.
+
+This is CVE-2015-2044 / XSA-121.
+
+Signed-off-by: Jan Beulich <jbeulich at suse.com>
+Acked-by: Ian Campbell <ian.campbell at citrix.com>
+
+--- a/xen/arch/x86/hvm/i8254.c
++++ b/xen/arch/x86/hvm/i8254.c
+@@ -486,6 +486,7 @@ static int handle_pit_io(
+     if ( bytes != 1 )
+     {
+         gdprintk(XENLOG_WARNING, "PIT bad access\n");
++        *val = ~0;
+         return X86EMUL_OKAY;
+     }
+ 
+--- a/xen/arch/x86/hvm/pmtimer.c
++++ b/xen/arch/x86/hvm/pmtimer.c
+@@ -213,6 +213,7 @@ static int handle_pmt_io(
+     if ( bytes != 4 )
+     {
+         gdprintk(XENLOG_WARNING, "HVM_PMT bad access\n");
++        *val = ~0;
+         return X86EMUL_OKAY;
+     }
+     
+--- a/xen/arch/x86/hvm/rtc.c
++++ b/xen/arch/x86/hvm/rtc.c
+@@ -703,7 +703,8 @@ static int handle_rtc_io(
+ 
+     if ( bytes != 1 )
+     {
+-        gdprintk(XENLOG_WARNING, "HVM_RTC bas access\n");
++        gdprintk(XENLOG_WARNING, "HVM_RTC bad access\n");
++        *val = ~0;
+         return X86EMUL_OKAY;
+     }
+     
+--- a/xen/arch/x86/hvm/vpic.c
++++ b/xen/arch/x86/hvm/vpic.c
+@@ -331,6 +331,7 @@ static int vpic_intercept_pic_io(
+     if ( bytes != 1 )
+     {
+         gdprintk(XENLOG_WARNING, "PIC_IO bad access size %d\n", bytes);
++        *val = ~0;
+         return X86EMUL_OKAY;
+     }
+ 
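Review bot: The four new `*val = ~0;` stores in xsa121.patch are uncommented, and each sits in a function (handle_pit_io, handle_pmt_io, handle_rtc_io, vpic_intercept_pic_io) whose body begins and continues outside the nested hunk, so a reader sees only a bare store before an early `return X86EMUL_OKAY;`. A one-line comment at each site would preserve the intent the patch header states, e.g. `*val = ~0; /* wrong-sized access: never hand back an uninitialized *val to the guest; present all ones instead */`. It is also worth confirming against the callers (not visible here) whether these handlers are entered for writes as well as reads; if so the store is presumably harmless on the write path, since the function returns immediately, but that deserves a note rather than being left implicit.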
diff --git a/xsa122.patch b/xsa122.patch
new file mode 100644
index 0000000..1e58965
--- /dev/null
+++ b/xsa122.patch
@@ -0,0 +1,40 @@
+pre-fill structures for certain HYPERVISOR_xen_version sub-ops
+
+... avoiding to pass hypervisor stack contents back to the caller
+through space unused by the respective strings.
+
+This is CVE-2015-2045 / XSA-122.
+
+Signed-off-by: Aaron Adams <Aaron.Adams at nccgroup.com>
+Acked-by: Jan Beulich <jbeulich at suse.com>
+Acked-by: Ian Campbell <ian.campbell at citrix.com>
+
+--- a/xen/common/kernel.c
++++ b/xen/common/kernel.c
+@@ -240,6 +240,8 @@ DO(xen_version)(int cmd, XEN_GUEST_HANDL
+     case XENVER_extraversion:
+     {
+         xen_extraversion_t extraversion;
++
++        memset(extraversion, 0, sizeof(extraversion));
+         safe_strcpy(extraversion, xen_extra_version());
+         if ( copy_to_guest(arg, extraversion, ARRAY_SIZE(extraversion)) )
+             return -EFAULT;
+@@ -249,6 +251,8 @@ DO(xen_version)(int cmd, XEN_GUEST_HANDL
+     case XENVER_compile_info:
+     {
+         struct xen_compile_info info;
++
++        memset(&info, 0, sizeof(info));
+         safe_strcpy(info.compiler,       xen_compiler());
+         safe_strcpy(info.compile_by,     xen_compile_by());
+         safe_strcpy(info.compile_domain, xen_compile_domain());
+@@ -284,6 +288,8 @@ DO(xen_version)(int cmd, XEN_GUEST_HANDL
+     case XENVER_changeset:
+     {
+         xen_changeset_info_t chgset;
++
++        memset(chgset, 0, sizeof(chgset));
+         safe_strcpy(chgset, xen_changeset());
+         if ( copy_to_guest(arg, chgset, ARRAY_SIZE(chgset)) )
+             return -EFAULT;
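Review bot: The three added `memset()` calls in the nested hunks of xsa122.patch carry no comment explaining why the buffer must be cleared in full before `safe_strcpy`, and DO(xen_version) itself starts before and runs past each of them. A comment at the first site would record the rationale the patch header gives, e.g. `/* zero the whole buffer: the copy to the guest covers the full object, so bytes past the string's NUL must not hold stack contents */`. For the `struct xen_compile_info` case it is worth stating that `memset` is chosen over a `= { 0 }` initializer deliberately, since zero-initialization is not guaranteed to clear any padding bytes, which the guest copy would otherwise expose. The copy of `info` to the guest lies outside the hunk, so that it copies the whole structure is inferred from the XSA description rather than visible here.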

