From 5e8735d15b096bb2f7b6127547e3c5191c721567 Mon Sep 17 00:00:00 2001 From: Michael Young Date: Dec 21 2016 23:03:16 +0000 Subject: qemu ioport array overflow [XSA-199, CVE-2016-9637] two security flaws (#1406840) x86 PV guests may be able to mask interrupts [XSA-202, CVE-2016-10024] x86: missing NULL pointer check in VMFUNC emulation [XSA-203, CVE-2016-10025] x86: Mishandling of SYSCALL singlestep during emulation [XSA-204, CVE-2016-10013] (#1406260) --- diff --git a/xen.spec b/xen.spec index 4db1996..e125a95 100644 --- a/xen.spec +++ b/xen.spec @@ -41,7 +41,7 @@ Summary: Xen is a virtual machine monitor Name: xen Version: 4.8.0 -Release: 1%{?dist} +Release: 2%{?dist} Group: Development/Libraries License: GPLv2+ and LGPLv2+ and BSD URL: http://xen.org/ @@ -104,6 +104,10 @@ Patch44: qemu.git-4774718e5c194026ba5ee7a28d9be49be3080e42.patch Patch45: qemu.git-702dbcc274e2ca43be20ba64c758c0ca57dab91d.patch Patch46: qemu.git-971f406b77a6eb84e0ad27dcc416b663765aee30.patch Patch47: qemu.git-898ae90a44551d25b8e956fd87372d303c82fe68.patch +Patch48: xsa199-trad.patch +Patch49: xsa202.patch +Patch50: xsa203-4.8.patch +Patch51: xsa204-4.8.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root BuildRequires: transfig libidn-devel zlib-devel texi2html SDL-devel curl-devel @@ -303,6 +307,9 @@ manage Xen virtual machines. %patch25 -p1 %patch26 -p1 %patch28 -p1 +%patch49 -p1 +%patch50 -p1 +%patch51 -p1 # qemu-xen-traditional patches pushd tools/qemu-xen-traditional @@ -310,6 +317,7 @@ pushd tools/qemu-xen-traditional %patch33 -p1 %patch35 -p1 %patch43 -p1 +%patch48 -p1 popd # qemu-xen patches @@ -831,6 +839,14 @@ rm -rf %{buildroot} %endif %changelog +* Wed Dec 21 2016 Michael Young - 4.8.0-2 +- qemu ioport array overflow [XSA-199, CVE-2016-9637] +- two security flaws (#1406840) + x86 PV guests may be able to mask interrupts [XSA-202, CVE-2016-10024] + x86: missing NULL pointer check in VMFUNC emulation [XSA-203, CVE-2016-10025] +- x86: Mishandling of SYSCALL singlestep during emulation [XSA-204, + CVE-2016-10013] (#1406260) + * Wed Dec 07 2016 Michael Young - 4.8.0-1 - update to xen-4.8.0 (#1401490) includes fix for [XSA-201, CVE-2016-9815, CVE-2016-9816, CVE-2016-9817, diff --git a/xsa199-trad.patch b/xsa199-trad.patch new file mode 100644 index 0000000..19ecbdc --- /dev/null +++ b/xsa199-trad.patch @@ -0,0 +1,88 @@ +From b73bd1edc05d1bad5c018228146930d79315a5da Mon Sep 17 00:00:00 2001 +From: Ian Jackson +Date: Mon, 14 Nov 2016 17:19:46 +0000 +Subject: [PATCH] qemu: ioport_read, ioport_write: be defensive about 32-bit + addresses + +On x86, ioport addresses are 16-bit. That these functions take 32-bit +arguments is a mistake. Changing the argument type to 16-bit will +discard the top bits of any erroneous values from elsewhere in qemu. + +Also, check just before use that the value is in range. (This turns +an ill-advised change to MAX_IOPORTS into a possible guest crash +rather than a privilege escalation vulnerability.) + +And, in the Xen ioreq processor, clamp incoming ioport addresses to +16-bit values. Xen will never write >16-bit values but the guest may +have access to the ioreq ring. We want to defend the rest of the qemu +code from wrong values. + +This is XSA-199. + +Reported-by: yanghongke +Signed-off-by: Ian Jackson +--- + i386-dm/helper2.c | 2 ++ + vl.c | 9 +++++++-- + 2 files changed, 9 insertions(+), 2 deletions(-) + +diff --git a/i386-dm/helper2.c b/i386-dm/helper2.c +index 2706f2e..5d276bb 100644 +--- a/i386-dm/helper2.c ++++ b/i386-dm/helper2.c +@ -379,6 +379,7 @@ static void cpu_ioreq_pio(CPUState *env, ioreq_t *req) + fprintf(stderr, "PIO: bad size (%u)\n", req->size); + exit(-1); + } ++ req->addr &= 0x0ffffU; + + if (req->dir == IOREQ_READ) { + if (!req->data_is_ptr) { +diff --git a/vl.c b/vl.c +index f9c4d7e..c3c5d63 100644 +--- a/vl.c ++++ b/vl.c +@@ -52,6 +52,7 @@ + + #include + ++#include + #include + #include + #include +@@ -290,26 +291,30 @@ PicState2 *isa_pic; + static IOPortReadFunc default_ioport_readb, default_ioport_readw, default_ioport_readl; + static IOPortWriteFunc default_ioport_writeb, default_ioport_writew, default_ioport_writel; + +-static uint32_t ioport_read(int index, uint32_t address) ++static uint32_t ioport_read(int index, uint16_t address) + { + static IOPortReadFunc *default_func[3] = { + default_ioport_readb, + default_ioport_readw, + default_ioport_readl + }; ++ if (address >= MAX_IOPORTS) ++ abort(); + IOPortReadFunc *func = ioport_read_table[index][address]; + if (!func) + func = default_func[index]; + return func(ioport_opaque[address], address); + } + +-static void ioport_write(int index, uint32_t address, uint32_t data) ++static void ioport_write(int index, uint16_t address, uint32_t data) + { + static IOPortWriteFunc *default_func[3] = { + default_ioport_writeb, + default_ioport_writew, + default_ioport_writel + }; ++ if (address >= MAX_IOPORTS) ++ abort(); + IOPortWriteFunc *func = ioport_write_table[index][address]; + if (!func) + func = default_func[index]; +-- +2.1.4 + diff --git a/xsa202.patch b/xsa202.patch new file mode 100644 index 0000000..51d38dc --- /dev/null +++ b/xsa202.patch @@ -0,0 +1,75 @@ +From: Jan Beulich +Subject: x86: force EFLAGS.IF on when exiting to PV guests + +Guest kernels modifying instructions in the process of being emulated +for another of their vCPU-s may effect EFLAGS.IF to be cleared upon +next exiting to guest context, by converting the being emulated +instruction to CLI (at the right point in time). Prevent any such bad +effects by always forcing EFLAGS.IF on. And to cover hypothetical other +similar issues, also force EFLAGS.{IOPL,NT,VM} to zero. + +This is XSA-202. + +Signed-off-by: Jan Beulich +Reviewed-by: Andrew Cooper +--- + +--- a/xen/arch/x86/x86_64/compat/entry.S ++++ b/xen/arch/x86/x86_64/compat/entry.S +@@ -109,6 +109,8 @@ compat_process_trap: + /* %rbx: struct vcpu, interrupts disabled */ + ENTRY(compat_restore_all_guest) + ASSERT_INTERRUPTS_DISABLED ++ mov $~(X86_EFLAGS_IOPL|X86_EFLAGS_NT|X86_EFLAGS_VM),%r11d ++ and UREGS_eflags(%rsp),%r11d + .Lcr4_orig: + .skip .Lcr4_alt_end - .Lcr4_alt, 0x90 + .Lcr4_orig_end: +@@ -144,6 +146,8 @@ ENTRY(compat_restore_all_guest) + (.Lcr4_orig_end - .Lcr4_orig), \ + (.Lcr4_alt_end - .Lcr4_alt) + .popsection ++ or $X86_EFLAGS_IF,%r11 ++ mov %r11d,UREGS_eflags(%rsp) + RESTORE_ALL adj=8 compat=1 + .Lft0: iretq + _ASM_PRE_EXTABLE(.Lft0, handle_exception) +--- a/xen/arch/x86/x86_64/entry.S ++++ b/xen/arch/x86/x86_64/entry.S +@@ -40,28 +40,29 @@ restore_all_guest: + testw $TRAP_syscall,4(%rsp) + jz iret_exit_to_guest + ++ movq 24(%rsp),%r11 # RFLAGS ++ andq $~(X86_EFLAGS_IOPL|X86_EFLAGS_NT|X86_EFLAGS_VM),%r11 ++ orq $X86_EFLAGS_IF,%r11 ++ + /* Don't use SYSRET path if the return address is not canonical. */ + movq 8(%rsp),%rcx + sarq $47,%rcx + incl %ecx + cmpl $1,%ecx +- ja .Lforce_iret ++ movq 8(%rsp),%rcx # RIP ++ ja iret_exit_to_guest + + cmpw $FLAT_USER_CS32,16(%rsp)# CS +- movq 8(%rsp),%rcx # RIP +- movq 24(%rsp),%r11 # RFLAGS + movq 32(%rsp),%rsp # RSP + je 1f + sysretq + 1: sysretl + +-.Lforce_iret: +- /* Mimic SYSRET behavior. */ +- movq 8(%rsp),%rcx # RIP +- movq 24(%rsp),%r11 # RFLAGS + ALIGN + /* No special register assumptions. */ + iret_exit_to_guest: ++ andl $~(X86_EFLAGS_IOPL|X86_EFLAGS_NT|X86_EFLAGS_VM),24(%rsp) ++ orl $X86_EFLAGS_IF,24(%rsp) + addq $8,%rsp + .Lft0: iretq + _ASM_PRE_EXTABLE(.Lft0, handle_exception) diff --git a/xsa203-4.8.patch b/xsa203-4.8.patch new file mode 100644 index 0000000..c9661a4 --- /dev/null +++ b/xsa203-4.8.patch @@ -0,0 +1,19 @@ +From: Jan Beulich +Subject: x86/HVM: add missing NULL check before using VMFUNC hook + +This is XSA-203. + +Signed-off-by: Jan Beulich +Reviewed-by: Andrew Cooper + +--- a/xen/arch/x86/hvm/emulate.c ++++ b/xen/arch/x86/hvm/emulate.c +@@ -1694,6 +1694,8 @@ static int hvmemul_vmfunc( + { + int rc; + ++ if ( !hvm_funcs.altp2m_vcpu_emulate_vmfunc ) ++ return X86EMUL_UNHANDLEABLE; + rc = hvm_funcs.altp2m_vcpu_emulate_vmfunc(ctxt->regs); + if ( rc != X86EMUL_OKAY ) + hvmemul_inject_hw_exception(TRAP_invalid_op, HVM_DELIVER_NO_ERROR_CODE, diff --git a/xsa204-4.8.patch b/xsa204-4.8.patch new file mode 100644 index 0000000..360296b --- /dev/null +++ b/xsa204-4.8.patch @@ -0,0 +1,57 @@ +From: Andrew Cooper +Date: Sun, 18 Dec 2016 15:42:59 +0000 +Subject: [PATCH] x86/emul: Correct the handling of eflags with SYSCALL + +A singlestep #DB is determined by the resulting eflags value from the +execution of SYSCALL, not the original eflags value. + +By using the original eflags value, we negate the guest kernels attempt to +protect itself from a privilege escalation by masking TF. + +Have the SYSCALL emulation recalculate tf after the instruction is complete. + +This is XSA-204 + +Signed-off-by: Andrew Cooper +Reviewed-by: Jan Beulich +--- + xen/arch/x86/x86_emulate/x86_emulate.c | 19 ++++++++++++++++++- + 1 file changed, 18 insertions(+), 1 deletion(-) + +diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c b/xen/arch/x86/x86_emulate/x86_emulate.c +index d82e85d..ff952a9 100644 +--- a/xen/arch/x86/x86_emulate/x86_emulate.c ++++ b/xen/arch/x86/x86_emulate/x86_emulate.c +@@ -4561,6 +4561,23 @@ x86_emulate( + (rc = ops->write_segment(x86_seg_ss, &sreg, ctxt)) ) + goto done; + ++ /* ++ * SYSCALL (unlike most instructions) evaluates its singlestep action ++ * based on the resulting EFLG_TF, not the starting EFLG_TF. ++ * ++ * As the #DB is raised after the CPL change and before the OS can ++ * switch stack, it is a large risk for privilege escalation. ++ * ++ * 64bit kernels should mask EFLG_TF in MSR_FMASK to avoid any ++ * vulnerability. Running the #DB handler on an IST stack is also a ++ * mitigation. ++ * ++ * 32bit kernels have no ability to mask EFLG_TF at all. Their only ++ * mitigation is to use a task gate for handling #DB (or to not use ++ * enable EFER.SCE to start with). ++ */ ++ tf = _regs.eflags & EFLG_TF; ++ + break; + } + +@@ -5412,7 +5429,7 @@ x86_emulate( + + *ctxt->regs = _regs; + +- /* Inject #DB if single-step tracing was enabled at instruction start. */ ++ /* Should a singlestep #DB be raised? */ + if ( tf && (rc == X86EMUL_OKAY) && ops->inject_hw_exception ) + rc = ops->inject_hw_exception(EXC_DB, -1, ctxt) ? : X86EMUL_EXCEPTION; +