960861 – (CVE-2016-1570) VUL-0: CVE-2016-1570: xen: PV superpage functionality missing sanity checks (XSA-167)

Bug 960861 (CVE-2016-1570) - VUL-0: CVE-2016-1570: xen: PV superpage functionality missing sanity checks (XSA-167)

Summary: VUL-0: CVE-2016-1570: xen: PV superpage functionality missing sanity checks (...

Status:	RESOLVED FIXED

Alias:	CVE-2016-1570

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assignee:	Security Team bot
QA Contact:	Security Team bot

URL:
Whiteboard:	CVSSv2:RedHat:CVE-2016-1570:6.0:(AV:N...
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2016-01-06 14:58 UTC by Alexander Bergmann
Modified:	2017-05-11 00:45 UTC (History)
CC List:	4 users (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Comment 4 Swamp Workflow Management 2016-01-06 23:00:58 UTC

bugbot adjusting priority

Comment 9 Johannes Segitz 2016-01-20 13:41:27 UTC

            Xen Security Advisory CVE-2016-1570 / XSA-167
                              version 4

            PV superpage functionality missing sanity checks

UPDATES IN VERSION 4
====================

Public release.

ISSUE DESCRIPTION
=================

The PV superpage functionality lacks certain validity checks on data
being passed to the hypervisor by guests.  This is the case for the
page identifier (MFN) passed to MMUEXT_MARK_SUPER and
MMUEXT_UNMARK_SUPER sub-ops of the HYPERVISOR_mmuext_op hypercall as
well as for various forms of page table updates.

IMPACT
======

Use of the feature, which is disabled by default, may have unknown
effects, ranging from information leaks through Denial of Service to
privilege escalation.

VULNERABLE SYSTEMS
==================

Only systems which enable the PV superpage feature are affected.  That
is, only systems with an `allowsuperpage' setting on the hypervisor
command line.  Note that in Xen 4.0.x and 3.4.x the option is named
`allowhugepage'.

Xen versions 3.4.0, 3.4.1, and from 4.1 onwards are affected.

Only x86 systems are affected.

Only PV guests can exploit the vulnerability.

MITIGATION
==========

Running only HVM guests will avoid this issue.
Not enabling PV superpage support (by omitting the `allowsuperpage' or
`allowhugepage' hypervisor command line options) will avoid exposing
the issue.

CREDITS
=======

This issue was discovered by Qinghao Tang of 360 Marvel Team.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa167.patch           xen-unstable
xsa167-4.6.patch       Xen 4.6.x, 4.5.x
xsa167-4.4.patch       Xen 4.4.x, 4.3.x

$ sha256sum xsa167*
a71f709eef59425cb2113fa48d3b44048c6bf41063200fee1c847f6e0ed45a09  xsa167.patch
194c1ce89292f4cbb9980baa703095bcbeb5849abf46d193e07a98a0d8301f78  xsa167-4.4.patch
2bd786cccfd13c6732d6db8afc9e18058465efcb1bc93f894c359e3a820d5403  xsa167-4.6.patch

Comment 10 Charles Arnold 2016-02-27 00:37:46 UTC

This bug may be included in one or more of the
submissions listed below.

SUSE:SLE-12-SP1:Update: 98638
SUSE:SLE-12:Update: 98642
SUSE:SLE-11-SP4:Update: 98646
SUSE:SLE-11-SP3:Update: 98650
SUSE:SLE-11-SP2:Update: 98654
SUSE:SLE-11-SP1:Update:Teradata: 98658
SUSE:SLE-11-SP1:Update: 98662
SUSE:SLE-10-SP4:Update:Test: 98666
SUSE:SLE-10-SP3:Update:Test: 98670

openSUSE:Factory: 362063
openSUSE:Leap:42.1:Update: 362057
openSUSE:13.2:Update: 362060

Comment 11 Swamp Workflow Management 2016-03-24 12:14:20 UTC

SUSE-SU-2016:0873-1: An update that solves 43 vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 864391,864655,864769,864805,864811,877642,897654,901508,902737,924018,928393,945404,945989,954872,956829,957162,957698,957988,958007,958009,958491,958523,958917,959005,959332,959387,959695,960334,960707,960725,960835,960861,960862,961332,961358,961691,962320,963782,963923,964413,965315,965317,967012,967013,967969,969121,969122,969350
CVE References: CVE-2013-4533,CVE-2013-4534,CVE-2013-4537,CVE-2013-4538,CVE-2013-4539,CVE-2014-0222,CVE-2014-3640,CVE-2014-3689,CVE-2014-7815,CVE-2014-9718,CVE-2015-1779,CVE-2015-5278,CVE-2015-6855,CVE-2015-7512,CVE-2015-7549,CVE-2015-8345,CVE-2015-8504,CVE-2015-8550,CVE-2015-8554,CVE-2015-8555,CVE-2015-8558,CVE-2015-8567,CVE-2015-8568,CVE-2015-8613,CVE-2015-8619,CVE-2015-8743,CVE-2015-8744,CVE-2015-8745,CVE-2015-8817,CVE-2015-8818,CVE-2016-1568,CVE-2016-1570,CVE-2016-1571,CVE-2016-1714,CVE-2016-1922,CVE-2016-1981,CVE-2016-2198,CVE-2016-2270,CVE-2016-2271,CVE-2016-2391,CVE-2016-2392,CVE-2016-2538,CVE-2016-2841
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    xen-4.5.2_06-7.1
SUSE Linux Enterprise Server 12-SP1 (src):    xen-4.5.2_06-7.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    xen-4.5.2_06-7.1

Comment 12 Swamp Workflow Management 2016-04-01 11:16:59 UTC

openSUSE-SU-2016:0914-1: An update that solves 26 vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 864391,864655,864769,864805,877642,901508,902737,924018,928393,945404,945989,954872,956829,957162,957698,959332,959695,960334,960707,960725,960835,960861,961332,961358,961691,963782,963923,964413,967012,967013,967969
CVE References: CVE-2013-4533,CVE-2013-4537,CVE-2013-4538,CVE-2013-4539,CVE-2014-0222,CVE-2014-3689,CVE-2014-7815,CVE-2014-9718,CVE-2015-1779,CVE-2015-5278,CVE-2015-6855,CVE-2015-7512,CVE-2015-8345,CVE-2015-8613,CVE-2015-8619,CVE-2015-8743,CVE-2015-8744,CVE-2015-8745,CVE-2016-1568,CVE-2016-1570,CVE-2016-1714,CVE-2016-1981,CVE-2016-2198,CVE-2016-2391,CVE-2016-2392,CVE-2016-2538
Sources used:
openSUSE Leap 42.1 (src):    xen-4.5.2_06-12.1

Product List: openSUSE Leap 42.1

Comment 13 Swamp Workflow Management 2016-04-05 15:13:28 UTC

SUSE-SU-2016:0955-1: An update that solves 46 vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 864391,864655,864673,864678,864682,864769,864805,864811,877642,897654,901508,902737,924018,928393,945404,945989,954872,956829,957162,957988,958007,958009,958491,958523,958917,959005,959387,959695,959928,960334,960707,960725,960835,960861,960862,961332,961358,961691,962320,963782,963923,964413,965315,965317,967012,967013,967630,967969,969121,969122,969350
CVE References: CVE-2013-4527,CVE-2013-4529,CVE-2013-4530,CVE-2013-4533,CVE-2013-4534,CVE-2013-4537,CVE-2013-4538,CVE-2013-4539,CVE-2014-0222,CVE-2014-3640,CVE-2014-3689,CVE-2014-7815,CVE-2014-9718,CVE-2015-1779,CVE-2015-5278,CVE-2015-6855,CVE-2015-7512,CVE-2015-7549,CVE-2015-8345,CVE-2015-8504,CVE-2015-8550,CVE-2015-8554,CVE-2015-8555,CVE-2015-8558,CVE-2015-8567,CVE-2015-8568,CVE-2015-8613,CVE-2015-8619,CVE-2015-8743,CVE-2015-8744,CVE-2015-8745,CVE-2015-8817,CVE-2015-8818,CVE-2016-1568,CVE-2016-1570,CVE-2016-1571,CVE-2016-1714,CVE-2016-1922,CVE-2016-1981,CVE-2016-2198,CVE-2016-2270,CVE-2016-2271,CVE-2016-2391,CVE-2016-2392,CVE-2016-2538,CVE-2016-2841
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    xen-4.4.4_02-32.1
SUSE Linux Enterprise Server 11-SP4 (src):    xen-4.4.4_02-32.1
SUSE Linux Enterprise Desktop 11-SP4 (src):    xen-4.4.4_02-32.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    xen-4.4.4_02-32.1

Comment 14 Swamp Workflow Management 2016-04-08 17:11:54 UTC

openSUSE-SU-2016:0995-1: An update that fixes 33 vulnerabilities is now available.

Category: security (important)
Bug References: 944463,944697,945989,956829,960334,960707,960725,960835,960861,960862,961332,961358,961691,962335,962360,962611,962627,962632,962642,962758,963782,964413,964431,964452,964644,964925,964929,964950,965156,965315,965317,967012,967969
CVE References: CVE-2013-4529,CVE-2013-4530,CVE-2013-4533,CVE-2013-4534,CVE-2013-4537,CVE-2013-4538,CVE-2013-4539,CVE-2014-0222,CVE-2014-3689,CVE-2014-7815,CVE-2014-9718,CVE-2015-1779,CVE-2015-5239,CVE-2015-5278,CVE-2015-6815,CVE-2015-6855,CVE-2015-7512,CVE-2015-8345,CVE-2015-8613,CVE-2015-8619,CVE-2015-8743,CVE-2015-8744,CVE-2015-8745,CVE-2016-1568,CVE-2016-1570,CVE-2016-1571,CVE-2016-1714,CVE-2016-1981,CVE-2016-2198,CVE-2016-2270,CVE-2016-2271,CVE-2016-2392,CVE-2016-2538
Sources used:
openSUSE 13.2 (src):    xen-4.4.4_02-43.1

Comment 15 Swamp Workflow Management 2016-04-26 14:11:51 UTC

SUSE-SU-2016:1154-1: An update that solves 26 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 864391,864655,864769,864805,864811,877642,897654,901508,902737,945989,957162,957988,958007,958009,958491,958523,959005,960707,960725,960861,960862,961691,963782,965315,965317,967013,967630,969350
CVE References: CVE-2013-4533,CVE-2013-4534,CVE-2013-4537,CVE-2013-4538,CVE-2013-4539,CVE-2014-0222,CVE-2014-3640,CVE-2014-3689,CVE-2014-7815,CVE-2015-5278,CVE-2015-7512,CVE-2015-8504,CVE-2015-8550,CVE-2015-8554,CVE-2015-8555,CVE-2015-8558,CVE-2015-8743,CVE-2015-8745,CVE-2016-1570,CVE-2016-1571,CVE-2016-1714,CVE-2016-1981,CVE-2016-2270,CVE-2016-2271,CVE-2016-2391,CVE-2016-2841
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    xen-4.1.6_08-26.1

Comment 16 Swamp Workflow Management 2016-05-17 16:10:09 UTC

SUSE-SU-2016:1318-1: An update that solves 45 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 954872,956832,957988,958007,958009,958493,958523,958918,959006,959387,959695,960707,960726,960836,960861,960862,961332,961358,961692,962321,962335,962360,962611,962627,962632,962642,962758,963783,963923,964415,964431,964452,964644,964746,964925,964929,964947,964950,965112,965156,965269,965315,965317,967090,967101,968004,969125,969126
CVE References: CVE-2013-4527,CVE-2013-4529,CVE-2013-4530,CVE-2013-4533,CVE-2013-4534,CVE-2013-4537,CVE-2013-4538,CVE-2013-4539,CVE-2014-0222,CVE-2014-3640,CVE-2014-3689,CVE-2014-7815,CVE-2014-9718,CVE-2015-1779,CVE-2015-5278,CVE-2015-6855,CVE-2015-7512,CVE-2015-7549,CVE-2015-8345,CVE-2015-8504,CVE-2015-8550,CVE-2015-8554,CVE-2015-8555,CVE-2015-8558,CVE-2015-8567,CVE-2015-8568,CVE-2015-8613,CVE-2015-8619,CVE-2015-8743,CVE-2015-8744,CVE-2015-8745,CVE-2015-8817,CVE-2015-8818,CVE-2016-1568,CVE-2016-1570,CVE-2016-1571,CVE-2016-1714,CVE-2016-1922,CVE-2016-1981,CVE-2016-2198,CVE-2016-2270,CVE-2016-2271,CVE-2016-2391,CVE-2016-2392,CVE-2016-2538
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    xen-4.4.4_02-22.19.1
SUSE Linux Enterprise Server 12 (src):    xen-4.4.4_02-22.19.1
SUSE Linux Enterprise Desktop 12 (src):    xen-4.4.4_02-22.19.1

Comment 17 Swamp Workflow Management 2016-07-06 09:16:46 UTC

SUSE-SU-2016:1745-1: An update that solves 35 vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 864391,864655,864673,864678,864682,864769,864805,864811,877642,897654,901508,902737,928393,945404,945989,954872,956829,957162,957988,958007,958009,958491,958523,959005,959695,959928,960707,960725,960861,960862,961332,961691,963782,965315,965317,967012,967013,967630,967969,969350
CVE References: CVE-2013-4527,CVE-2013-4529,CVE-2013-4530,CVE-2013-4533,CVE-2013-4534,CVE-2013-4537,CVE-2013-4538,CVE-2013-4539,CVE-2014-0222,CVE-2014-3640,CVE-2014-3689,CVE-2014-7815,CVE-2014-9718,CVE-2015-5278,CVE-2015-6855,CVE-2015-7512,CVE-2015-8345,CVE-2015-8504,CVE-2015-8550,CVE-2015-8554,CVE-2015-8555,CVE-2015-8558,CVE-2015-8743,CVE-2015-8745,CVE-2016-1568,CVE-2016-1570,CVE-2016-1571,CVE-2016-1714,CVE-2016-1981,CVE-2016-2270,CVE-2016-2271,CVE-2016-2391,CVE-2016-2392,CVE-2016-2538,CVE-2016-2841
Sources used:
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    xen-4.2.5_20-24.9
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    xen-4.2.5_20-24.9

Comment 18 Johannes Segitz 2016-07-19 13:16:01 UTC

fixed everywhere