RHSA-2013:0496

[oss-security] 20130116 [PATCH] xen: Fix stack corruption in xen_failsafe_callback for 32bit PVOPS guests.

[oss-security] 20130116 Xen Security Advisory 40 (CVE-2013-0190) - Linux stack corruption in xen_failsafe_callback for 32bit PVOPS guests.

57433

USN-1725-1

USN-1728-1

https://bugzilla.redhat.com/show_bug.cgi?id=896038

The remote OracleVM system is missing necessary patches to address critical security updates :

  - x86/xen: don't assume %ds is usable in xen_iret for     32-bit PVOPS. (Chuck Anderson) [Orabug: 16325076]     [CVE-2013-0228 XSA-42 CVE-2013-0190]

The remote OracleVM system is missing necessary patches to address critical security updates :

  - xen-pciback: rate limit error messages from     xen_pcibk_enable_msi[,x] (Jan Beulich) [Orabug:
    16243736] (CVE-2013-0231)

  - Xen: Fix stack corruption in xen_failsafe_callback for     32bit PVOPS guests. (Frediano Ziglio) [Orabug: 16274171]     (CVE-2013-0190)

  - netback: correct netbk_tx_err to handle wrap around.
    (Ian Campbell) [Orabug: 16243309] (CVE-2013-0216     CVE-2013-0217)

  - xen/netback: free already allocated memory on failure in     xen_netbk_get_requests (Ian Campbell) [Orabug: 16243309]     (CVE-2013-0216 CVE-2013-0217)

  - xen/netback: don't leak pages on failure in     xen_netbk_tx_check_gop. (Ian Campbell) [Orabug:
    16243309] (CVE-2013-0216 CVE-2013-0217)

  - xen/netback: shutdown the ring if it contains garbage.
    (Ian Campbell) [Orabug: 16243309] (CVE-2013-0216     CVE-2013-0217)

  - e1000e: Avoid wrong check on TX hang (Jeff Kirsher)     [Orabug: 15834316]

The remote OracleVM system is missing necessary patches to address critical security updates :

  - kmod: make __request_module killable (Oleg Nesterov)     [Orabug: 16286305] (CVE-2012-4398)

  - kmod: introduce call_modprobe helper (Oleg Nesterov)     [Orabug: 16286305] (CVE-2012-4398)

  - usermodehelper: implement UMH_KILLABLE (Oleg Nesterov)     [Orabug: 16286305] (CVE-2012-4398)

  - usermodehelper: introduce umh_complete(sub_info) (Oleg     Nesterov) [Orabug: 16286305] (CVE-2012-4398)

  - KVM: x86: invalid opcode oops on SET_SREGS with OSXSAVE     bit set (CVE-2012-4461) (Jerry Snitselaar) [Orabug:
    16286290] (CVE-2012-4461)

  - exec: do not leave bprm->interp on stack (Kees Cook)     [Orabug: 16286267] (CVE-2012-4530)

  - exec: use -ELOOP for max recursion depth (Kees Cook)     [Orabug: 16286267] (CVE-2012-4530)

  - xen-pciback: rate limit error messages from     xen_pcibk_enable_msi[,x] (Jan Beulich) [Orabug:
    16243736] (CVE-2013-0231)

  - Xen: Fix stack corruption in xen_failsafe_callback for     32bit PVOPS guests. (Frediano Ziglio) [Orabug: 16274171]     (CVE-2013-0190)

  - netback: correct netbk_tx_err to handle wrap around.
    (Ian Campbell) [Orabug: 16243309]

  - xen/netback: free already allocated memory on failure in     xen_netbk_get_requests (Ian Campbell) [Orabug: 16243309]

  - xen/netback: don't leak pages on failure in     xen_netbk_tx_check_gop. (Ian Campbell) [Orabug:
    16243309]

  - xen/netback: shutdown the ring if it contains garbage.
    (Ian Campbell) [Orabug: 16243309]

  - ixgbevf fix typo in Makefile (Maxim Uvarov) [Orabug:
    16179639 16168292]

The xen_failsafe_callback function in Xen for the Linux kernel 2.6.23 and other versions, when running a 32-bit PVOPS guest, allows local users to cause a denial of service (guest crash) by triggering an iret fault, leading to use of an incorrect stack pointer and stack corruption.

The remote Oracle Linux host is missing a security update for the Unbreakable Enterprise kernel package(s).

Description of changes:

kernel-uek [2.6.32-300.39.4.el6uek]
- exec: do not leave bprm->interp on stack (Kees Cook) [Orabug: 16286741]    {CVE-2012-4530}
- exec: use -ELOOP for max recursion depth (Kees Cook) [Orabug: 16286741]    {CVE-2012-4530}

[2.6.32-300.39.3.el6uek]
- Xen: Fix stack corruption in xen_failsafe_callback for 32bit PVOPS guests.
   (Frediano Ziglio) [Orabug: 16274192] {CVE-2013-0190}

Description of changes:

[2.6.39-300.28.1.el6uek]
- kmod: make __request_module() killable (Oleg Nesterov) [Orabug: 16286305]    {CVE-2012-4398}
- kmod: introduce call_modprobe() helper (Oleg Nesterov) [Orabug: 16286305]    {CVE-2012-4398}
- usermodehelper: implement UMH_KILLABLE (Oleg Nesterov) [Orabug: 16286305]    {CVE-2012-4398}
- usermodehelper: introduce umh_complete(sub_info) (Oleg Nesterov) [Orabug:
   16286305] {CVE-2012-4398}
- KVM: x86: invalid opcode oops on SET_SREGS with OSXSAVE bit set    (CVE-2012-4461) (Jerry Snitselaar) [Orabug: 16286290] {CVE-2012-4461}
- exec: do not leave bprm->interp on stack (Kees Cook) [Orabug: 16286267]    {CVE-2012-4530}
- exec: use -ELOOP for max recursion depth (Kees Cook) [Orabug: 16286267]    {CVE-2012-4530}

[2.6.39-300.27.1.el6uek]
- xen-pciback: rate limit error messages from xen_pcibk_enable_msi{,x}() (Jan    Beulich) [Orabug: 16243736] {CVE-2013-0231}
- Xen: Fix stack corruption in xen_failsafe_callback for 32bit PVOPS guests.
   (Frediano Ziglio) [Orabug: 16274171] {CVE-2013-0190}
- netback: correct netbk_tx_err to handle wrap around. (Ian Campbell) [Orabug:
   16243309]
- xen/netback: free already allocated memory on failure in    xen_netbk_get_requests (Ian Campbell) [Orabug: 16243309]
- xen/netback: don't leak pages on failure in xen_netbk_tx_check_gop. (Ian    Campbell) [Orabug: 16243309]
- xen/netback: shutdown the ring if it contains garbage. (Ian Campbell)    [Orabug: 16243309]
- ixgbevf fix typo in Makefile (Maxim Uvarov) [Orabug: 16179639 16168292]

From Red Hat Security Advisory 2013:0496 :

Updated kernel packages that fix multiple security issues, address several hundred bugs, and add numerous enhancements are now available as part of the ongoing support and maintenance of Red Hat Enterprise Linux version 6. This is the fourth regular update.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues :

* A race condition was found in the way asynchronous I/O and fallocate() interacted when using the ext4 file system. A local, unprivileged user could use this flaw to expose random data from an extent whose data blocks have not yet been written, and thus contain data from a deleted file. (CVE-2012-4508, Important)

* A flaw was found in the way the vhost kernel module handled descriptors that spanned multiple regions. A privileged guest user in a KVM guest could use this flaw to crash the host or, potentially, escalate their privileges on the host. (CVE-2013-0311, Important)

* It was found that the default SCSI command filter does not accommodate commands that overlap across device classes. A privileged guest user could potentially use this flaw to write arbitrary data to a LUN that is passed-through as read-only. (CVE-2012-4542, Moderate)

* A flaw was found in the way the xen_failsafe_callback() function in the Linux kernel handled the failed iret (interrupt return) instruction notification from the Xen hypervisor. An unprivileged user in a 32-bit para-virtualized guest could use this flaw to crash the guest. (CVE-2013-0190, Moderate)

* A flaw was found in the way pmd_present() interacted with PROT_NONE memory ranges when transparent hugepages were in use. A local, unprivileged user could use this flaw to crash the system.
(CVE-2013-0309, Moderate)

* A flaw was found in the way CIPSO (Common IP Security Option) IP options were validated when set from user mode. A local user able to set CIPSO IP options on the socket could use this flaw to crash the system. (CVE-2013-0310, Moderate)

Red Hat would like to thank Theodore Ts'o for reporting CVE-2012-4508, and Andrew Cooper of Citrix for reporting CVE-2013-0190. Upstream acknowledges Dmitry Monakhov as the original reporter of CVE-2012-4508. The CVE-2012-4542 issue was discovered by Paolo Bonzini of Red Hat.

This update also fixes several hundred bugs and adds enhancements.
Refer to the Red Hat Enterprise Linux 6.4 Release Notes for information on the most significant of these changes, and the Technical Notes for further information, both linked to in the References.

All Red Hat Enterprise Linux 6 users are advised to install these updated packages, which correct these issues, and fix the bugs and add the enhancements noted in the Red Hat Enterprise Linux 6.4 Release Notes and Technical Notes. The system must be rebooted for this update to take effect.

Andrew Cooper of Citrix reported a Xen stack corruption in the Linux kernel. An unprivileged user in a 32bit PVOPS guest can cause the guest kernel to crash, or operate erroneously. (CVE-2013-0190)

A failure to validate input was discovered in the Linux kernel's Xen netback (network backend) driver. A user in a guest OS may exploit this flaw to cause a denial of service to the guest OS and other guest domains. (CVE-2013-0216)

A memory leak was discovered in the Linux kernel's Xen netback (network backend) driver. A user in a guest OS could trigger this flaw to cause a denial of service on the system. (CVE-2013-0217)

A flaw was discovered in the Linux kernel Xen PCI backend driver. If a PCI device is assigned to the guest OS, the guest OS could exploit this flaw to cause a denial of service on the host. (CVE-2013-0231)

A flaw was reported in the permission checks done by the Linux kernel for /dev/cpu/*/msr. A local root user with all capabilities dropped could exploit this flaw to execute code with full root capabilities.
(CVE-2013-0268)

Tommi Rantala discovered a flaw in the a flaw the Linux kernels handling of datagrams packets when the MSG_PEEK flag is specified. An unprivileged local user could exploit this flaw to cause a denial of service (system hang). (CVE-2013-0290)

A flaw was discovered in the Linux kernel's vhost driver used to accelerate guest networking in KVM based virtual machines. A privileged guest user could exploit this flaw to crash the host system. (CVE-2013-0311)

A flaw was discovered in the Extended Verification Module (EVM) of the Linux kernel. An unprivileged local user code exploit this flaw to cause a denial of service (system crash). (CVE-2013-0313)

An information leak was discovered in the Linux kernel's Bluetooth stack when HIDP (Human Interface Device Protocol) support is enabled.
A local unprivileged user could exploit this flaw to cause an information leak from the kernel. (CVE-2013-0349).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Andrew Cooper of Citrix reported a Xen stack corruption in the Linux kernel. An unprivileged user in a 32bit PVOPS guest can cause the guest kernel to crash, or operate erroneously. (CVE-2013-0190)

A failure to validate input was discovered in the Linux kernel's Xen netback (network backend) driver. A user in a guest OS may exploit this flaw to cause a denial of service to the guest OS and other guest domains. (CVE-2013-0216)

A memory leak was discovered in the Linux kernel's Xen netback (network backend) driver. A user in a guest OS could trigger this flaw to cause a denial of service on the system. (CVE-2013-0217)

Andrew Jones discovered a flaw with the xen_iret function in Linux kernel's Xen virtualizeation. In the 32-bit Xen paravirt platform an unprivileged guest OS user could exploit this flaw to cause a denial of service (crash the system) or gain guest OS privilege.
(CVE-2013-0228)

A flaw was discovered in the Linux kernel Xen PCI backend driver. If a PCI device is assigned to the guest OS, the guest OS could exploit this flaw to cause a denial of service on the host. (CVE-2013-0231)

A flaw was reported in the permission checks done by the Linux kernel for /dev/cpu/*/msr. A local root user with all capabilities dropped could exploit this flaw to execute code with full root capabilities.
(CVE-2013-0268)

A flaw was discovered in the Linux kernel's vhost driver used to accelerate guest networking in KVM based virtual machines. A privileged guest user could exploit this flaw to crash the host system. (CVE-2013-0311)

A flaw was discovered in the Extended Verification Module (EVM) of the Linux kernel. An unprivileged local user code exploit this flaw to cause a denial of service (system crash). (CVE-2013-0313)

An information leak was discovered in the Linux kernel's Bluetooth stack when HIDP (Human Interface Device Protocol) support is enabled.
A local unprivileged user could exploit this flaw to cause an information leak from the kernel. (CVE-2013-0349)

A flaw was discovered in the Edgeort USB serial converter driver when the device is disconnected while it is in use. A local user could exploit this flaw to cause a denial of service (system crash).
(CVE-2013-1774).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Updated kernel packages that fix multiple security issues, address several hundred bugs, and add numerous enhancements are now available as part of the ongoing support and maintenance of Red Hat Enterprise Linux version 6. This is the fourth regular update.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues :

* A race condition was found in the way asynchronous I/O and fallocate() interacted when using the ext4 file system. A local, unprivileged user could use this flaw to expose random data from an extent whose data blocks have not yet been written, and thus contain data from a deleted file. (CVE-2012-4508, Important)

* A flaw was found in the way the vhost kernel module handled descriptors that spanned multiple regions. A privileged guest user in a KVM guest could use this flaw to crash the host or, potentially, escalate their privileges on the host. (CVE-2013-0311, Important)

* It was found that the default SCSI command filter does not accommodate commands that overlap across device classes. A privileged guest user could potentially use this flaw to write arbitrary data to a LUN that is passed-through as read-only. (CVE-2012-4542, Moderate)

* A flaw was found in the way the xen_failsafe_callback() function in the Linux kernel handled the failed iret (interrupt return) instruction notification from the Xen hypervisor. An unprivileged user in a 32-bit para-virtualized guest could use this flaw to crash the guest. (CVE-2013-0190, Moderate)

* A flaw was found in the way pmd_present() interacted with PROT_NONE memory ranges when transparent hugepages were in use. A local, unprivileged user could use this flaw to crash the system.
(CVE-2013-0309, Moderate)

* A flaw was found in the way CIPSO (Common IP Security Option) IP options were validated when set from user mode. A local user able to set CIPSO IP options on the socket could use this flaw to crash the system. (CVE-2013-0310, Moderate)

Red Hat would like to thank Theodore Ts'o for reporting CVE-2012-4508, and Andrew Cooper of Citrix for reporting CVE-2013-0190. Upstream acknowledges Dmitry Monakhov as the original reporter of CVE-2012-4508. The CVE-2012-4542 issue was discovered by Paolo Bonzini of Red Hat.

This update also fixes several hundred bugs and adds enhancements.
Refer to the Red Hat Enterprise Linux 6.4 Release Notes for information on the most significant of these changes, and the Technical Notes for further information, both linked to in the References.

All Red Hat Enterprise Linux 6 users are advised to install these updated packages, which correct these issues, and fix the bugs and add the enhancements noted in the Red Hat Enterprise Linux 6.4 Release Notes and Technical Notes. The system must be rebooted for this update to take effect.

Andrew Cooper of Citrix reported a Xen stack corruption in the Linux kernel. An unprivileged user in a 32bit PVOPS guest can cause the guest kernel to crash, or operate erroneously.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that hypervkvpd, which is distributed in the Linux kernel, was not correctly validating the origin on Netlink messages.
An untrusted local user can cause a denial of service of Linux guests in Hyper-V virtualization environments. (CVE-2012-2669)

Dmitry Monakhov reported a race condition flaw the Linux ext4 filesystem that can expose stale data. An unprivileged user could exploit this flaw to cause an information leak. (CVE-2012-4508)

Florian Weimer discovered that hypervkvpd, which is distributed in the Linux kernel, was not correctly validating source addresses of netlink packets. An untrusted local user can cause a denial of service by causing hypervkvpd to exit. (CVE-2012-5532)

Andrew Cooper of Citrix reported a Xen stack corruption in the Linux kernel. An unprivileged user in a 32bit PVOPS guest can cause the guest kernel to crash, or operate erroneously. (CVE-2013-0190).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that hypervkvpd, which is distributed in the Linux kernel, was not correctly validating the origin on Netlink messages.
An untrusted local user can cause a denial of service of Linux guests in Hyper-V virtualization environments. (CVE-2012-2669)

Dmitry Monakhov reported a race condition flaw the Linux ext4 filesystem that can expose stale data. An unprivileged user could exploit this flaw to cause an information leak. (CVE-2012-4508)

Andrew Cooper of Citrix reported a Xen stack corruption in the Linux kernel. An unprivileged user in a 32bit PVOPS guest can cause the guest kernel to crash, or operate erroneously. (CVE-2013-0190).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Rebase to Linux v3.7.3. A large number of bug fixes across the entire tree.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update contains a security fix for users running 32bit PVOPS xen guests (CVE-2013-0190) and a number of smaller fixes from the stable queue

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote CentOS system is missing a security update which has been documented in Red Hat advisory RHSA-2013-0496.

ID	Name	Product	Family	Severity
79501	OracleVM 3.2 : kernel-uek (OVMSA-2013-0015)	Nessus	OracleVM Local Security Checks	medium
79499	OracleVM 3.1 : kernel-uek (OVMSA-2013-0010)	Nessus	OracleVM Local Security Checks	medium
79497	OracleVM 3.2 : kernel-uek (OVMSA-2013-0008)	Nessus	OracleVM Local Security Checks	medium
69713	Amazon Linux AMI : kernel / nvidia (ALAS-2013-154)	Nessus	Amazon Linux Local Security Checks	medium
68855	Oracle Linux 5 / 6 : Unbreakable Enterprise kernel (ELSA-2013-2525)	Nessus	Oracle Linux Local Security Checks	high
68847	Oracle Linux 5 / 6 : Unbreakable Enterprise kernel (ELSA-2013-2507)	Nessus	Oracle Linux Local Security Checks	high
68846	Oracle Linux 5 / 6 : Unbreakable Enterprise kernel (ELSA-2013-2504)	Nessus	Oracle Linux Local Security Checks	medium
68845	Oracle Linux 5 / 6 : Unbreakable Enterprise kernel (ELSA-2013-2503)	Nessus	Oracle Linux Local Security Checks	medium
68739	Oracle Linux 6 : kernel (ELSA-2013-0496)	Nessus	Oracle Linux Local Security Checks	medium
65611	Ubuntu 12.10 : linux vulnerabilities (USN-1769-1)	Nessus	Ubuntu Local Security Checks	medium
65610	Ubuntu 12.04 LTS : linux-lts-quantal vulnerabilities (USN-1768-1)	Nessus	Ubuntu Local Security Checks	medium
65609	Ubuntu 12.04 LTS : linux vulnerabilities (USN-1767-1)	Nessus	Ubuntu Local Security Checks	medium
65171	RHEL 6 : kernel (RHSA-2013:0496)	Nessus	Red Hat Local Security Checks	medium
65134	CentOS 6 : kernel (CESA-2013:0496)	Nessus	CentOS Local Security Checks	medium
64681	Ubuntu 10.04 LTS : linux-ec2 vulnerability (USN-1728-1)	Nessus	Ubuntu Local Security Checks	medium
64640	Ubuntu 10.04 LTS : linux vulnerability (USN-1725-1)	Nessus	Ubuntu Local Security Checks	medium
64618	Ubuntu 11.10 : linux vulnerabilities (USN-1720-1)	Nessus	Ubuntu Local Security Checks	medium
64617	Ubuntu 10.04 LTS : linux-lts-backport-oneiric vulnerabilities (USN-1719-1)	Nessus	Ubuntu Local Security Checks	medium
64088	Fedora 17 : kernel-3.7.3-101.fc17 (2013-1025)	Nessus	Fedora Local Security Checks	medium
63625	Fedora 18 : kernel-3.7.2-204.fc18 (2013-0952)	Nessus	Fedora Local Security Checks	medium
801535	CentOS RHSA-2013-0496 Security Check	Log Correlation Engine	Generic	high

CVE-2013-0190

MEDIUM

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Tenable Plugins

medium

medium

medium

medium

high

high

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

high