XSA-95

CVE-2014-3714 CVE-2014-3715 CVE-2014-3716 CVE-2014-3717


问题描述

http://xenbits.xen.org/xsa/advisory-95.html

input handling vulnerabilities loading guest kernel on ARM

When loading a 32-bit ARM guest kernel the Xen tools did not correctly validate the length of the kernel against the actual image size. This would then lead to an overrun on the input buffer when loading the kernel into guest RAM (CVE-2014-3714).

Furthermore when checking a 32-bit guest kernel for an appended DTB, the Xen tools were prone to additional overruns also leading to an overrun on the input buffer when loading the kernel into guest RAM (CVE-2014-3715). Also, the tools would access a field in the putative DTB header without checking for its alignment (CVE-2014-3716).

When loading a 64-bit ARM guest kernel the tools similarly did not fully validate the requested load addresses, possibly leading to an overrun on the input buffer when loading the kernel into guest RAM (CVE-2014-3717).

在xen tool load image的时候,没有验证kernel的length,导致buffer overflow(CVE-2014-3714,CVE-2014-3717); 另外,还有其他的buffer overflow(CVE-2014-3715),以及在未检查alignment的时候访问某些field(CVE-2014-3716);

buffer overflow


Patch描述

http://xenbits.xen.org/xsa/xsa95.patch

We need to validate the limits of the segment where we intend to load the kernel to avoid overflow issues.

For ARM32 we control the load address, but we need to validate the size.

For ARM64 we need to validate both the load address (which is the same as the entry point) and the size.

就是增加一些check。


Consequence

An attacker who can control the kernel used to boot a guest can exploit these issues.

Exploiting the overflow issues allows information which follows the guest kernel in the toolstack address space to be copied into the guest’s memory, constituting an information leak.

Alternatively either the overflow or alignment issues could be used to crash the toolstack process, leading to a denial of service.

information leak, DoS