Bug 1289128 (CVE-2015-8551, CVE-2015-8552, xsa157)
| Summary: | CVE-2015-8551 CVE-2015-8552 xsa157 xen: Linux pciback missing sanity checks leading to crash (XSA-157) | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Martin Prpič <mprpic> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED WONTFIX | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | ailan, dhoward, drjones, fhrbata, imammedo, knoel, lwang, m.a.young, mguzik, mrezanin, nmurray, pbonzini, plougher, rkrcmar, rvrbovsk, security-response-team, vkuznets, xen-maint |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2018-03-07 10:41:57 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1292439 | | |
| Bug Blocks: | 1290367 | | |

Description
Martin Prpič
2015-12-07 13:55:10 UTC
(In reply to Martin Prpic from comment #0)
> ISSUE DESCRIPTION
> =================
>
> Xen PCI backend driver does not perform proper sanity checks on the
> device's state.
>
> Which in turn allows the generic MSI code (called by Xen PCI backend) to be
> called incorrectly leading to hitting BUG conditions or causing NULL pointer
> exceptions in the MSI code. This was assigned CVE-2015-8551.
>
> To exploit this the guest can craft a specific sequence of XEN_PCI_OP_*
> operations which will trigger this.
>
> Furthermore the frontend can also craft a continuous stream of
> XEN_PCI_OP_enable_msi which will trigger a continuous
> stream of WARN() messages triggered by the MSI code leading to the logging
> in the initial domain to exhaust disk space. This was assigned CVE-2015-8552.
>
> Lastly there is also a missing check to verify whether the device has
> memory decoding enabled set at the start of the day leading the initial
> domain "accesses to the respective MMIO or I/O port ranges would - - on PCI
> Express devices - [which can] lead to Unsupported Request responses.
> The treatment of such errors is platform specific." (from XSA-120).
> Note that if XSA-120 'addendum' patch has been applied this particular
> sub-issue is not exploitable. This was assigned CVE-2015-8553.

"UPDATES IN VERSION 3
====================

Removed CVE-2015-8553 from the title of this advisory. We will issue an update to XSA-120 which documents the assignment of CVE-2015-8553 to the XSA-120 v5+ addendum patch."

CVE-2015-8553 has been re-assigned to bug 1196266 (XSA-120).

Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1292439]

The xsa157 patches are for the xen drivers within the kernel, not for the xen package.
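
A user-space C model of the two checks the advisory describes as missing, added here as an illustration and not taken from the Xen or Linux patches: the backend tracks MSI/MSI-X state itself and rejects out-of-order requests before they would reach the MSI layer, and it bounds how many warnings a guest can cause. The op codes, `struct model_dev`, `handle_op` and `warn_limited` are hypothetical names for this example, and a fixed warning budget stands in for time-based rate limiting.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed op codes for this model; not the values from Xen's headers. */
enum pci_op { OP_ENABLE_MSI, OP_DISABLE_MSI, OP_ENABLE_MSIX, OP_DISABLE_MSIX };

/* Hypothetical per-device state that the backend tracks on its own. */
struct model_dev {
    bool msi_on, msix_on;
    unsigned warn_budget; /* log lines still allowed (stand-in for a rate limit) */
    unsigned warned;      /* log lines actually emitted */
};

/* Bounded logging: a guest repeating a bad request cannot fill dom0's disk. */
static void warn_limited(struct model_dev *d, const char *msg)
{
    if (d->warn_budget == 0)
        return;
    d->warn_budget--;
    d->warned++;
    fprintf(stderr, "model-pciback: %s\n", msg);
}

/* Returns 0 if the op may be passed on to the MSI layer, -1 if rejected. */
int handle_op(struct model_dev *d, enum pci_op op)
{
    switch (op) {
    case OP_ENABLE_MSI:
    case OP_ENABLE_MSIX:
        /* Enabling twice, or enabling MSI while MSI-X is on, is refused. */
        if (d->msi_on || d->msix_on) {
            warn_limited(d, "enable rejected: MSI or MSI-X already enabled");
            return -1;
        }
        if (op == OP_ENABLE_MSI)
            d->msi_on = true;
        else
            d->msix_on = true;
        return 0;
    case OP_DISABLE_MSI:
        if (!d->msi_on)
            return -1;    /* nothing to disable: never call the MSI layer */
        d->msi_on = false;
        return 0;
    case OP_DISABLE_MSIX:
        if (!d->msix_on)
            return -1;
        d->msix_on = false;
        return 0;
    }
    return -1;            /* unknown op */
}
```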