-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA384 # MirageOS Security Advisory (MirageOS-SA-00.mirage-net-xen) Topic: Memory disclosure in mirage-net-xen Module: mirage-net-xen Announced: 2016-05-03 Credits: Enguerrand Decorne, Thomas Leonard, Hannes Mehnert, Mindy Preston Affects: mirage-net-xen <1.4.2 Corrected: 2016-01-08 1.5.0 release 2016-05-03 1.4.2 release For general information regarding MirageOS Security Advisories, please visit [https://mirage.io/security](https://mirage.io/security). I. Background MirageOS is a library operating system using cooperative multitasking, which can be executed as a guest of the Xen hypervisor. Virtual devices, such as a network device, share memory between MirageOS and the hypervisor. MirageOS allocates and grants the hypervisor access to a ringbuffer containing pages to be sent on the network device, and another ringbuffer with pages to be filled with received data. A write on the MirageOS side consists of filling the page with the packet data, submitting a write request to the hypervisor, and awaiting a response from the hypervisor. To correlate the request with the response, a 16bit identifier is used. II. Problem Description Generating this 16bit identifier was not done in a unique manner. When multiple pages share an identifier, and are requested to be transmitted via the wire, the first successful response will mark all pages with this identifier free, even those still waiting to be transmitted. Once marked free, the MirageOS application fills the page for another chunk of data. This leads to corrupted packets being sent, and can lead to disclosure of memory intended for another recipient. III. Impact This issue discloses memory intended for another recipient. All versions before mirage-net-xen 1.4.2 are affected. The receiving side uses a similar mechanism, which may lead to corrupted incoming data (eventually even mutated while being processed). Version 1.5.0, released on 8th January, already assigns unique identifiers for transmission. Received pages are copied into freshly allocated buffers before passed to the next layer. When 1.5.0 was released, the impact was not clear to us. Version 1.6.1 now additionally ensures that received pages have a unique identifier. IV. Workaround No workaround is available. V. Solution The unique identifier is now generated in a unique manner using a monotonic counter. Transmitting corrupt data and disclosing memory is fixed in versions 1.4.2 and above. The recommended way to upgrade is: `opam update ; opam upgrade mirage-net-xen` Or, explicitly: `opam upgrade ; opam reinstall mirage-net-xen=1.4.2` Affected releases have been marked uninstallable in the opam repository. VI. Correction details The following list contains the correction revision numbers for each affected branch. Memory disclosure on transmit: master: 47de2edfad9c56110d98d0312c1a7e0b9dcc8fbf 1.4 : ec9b1046b75cba5ae3473b2d3b223c3d1284489d Corrupt data while receiving: master: 0b1e53c0875062a50e2d5823b7da0d8e0a64dc37 1.4 : 6daad38af2f0b5c58d6c1fb24252c3eed737ede4 VII. References [mirage-net-xen](https://github.com/mirage/mirage-net-xen) You can find the latest version of this advisory online at [https://mirage.io/blog/MSA00](https://mirage.io/blog/MSA00). This advisory is signed using OpenPGP, you can verify the signature by downloading our public key from a keyserver (`gpg --recv-key 4A732D757C0EDA74`), downloading the raw markdown source of this advisory from [GitHub](https://raw.githubusercontent.com/mirage/mirage-www/master/tmpl/advisories/00.txt.asc) and executing `gpg --verify 00.md.asc`. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBCQAGBQJXKXvxAAoJEEpzLXV8Dtp0SmAP/2b83niR/4zlZIUmCVze6BX4 RNzYzr/vXLa+P2jhyCIggV+EE13OBZtPFEjir8ZKr6hq2EgNUv3XgwhEqNpceJGI d/WlN0eAw/J1EwxvmBMKe28nYEoQVrMt8hBZw5vZKwnCDcK/J6lkI5PaV5xs1wFn oxVHQD8HeDu18UYSVKvGLSEl/VDJcpe3zGwtcCMgN/4ySdBC6vT0zc2tKbZHQK12 +/FzoEMXOnJlZUXqlvJQnd9hqlulO1t5SqXfpbfSD9wdfWog3Fk+5d03k6YBEmYL am8zJwWmYBUZ2btJvSZ0AJhD76td5BSDv/1KFm24YFA84aJHfbQAIvpdlgx3hGRF NZmQod1oJSNsXDAjiAORX8ZDGoK7m5NNUQntmrJs+RW8jfOai97/3T7W5sMEeCZz nxJkmDWPhpW7ngYQW1te/M2gHYXqMGuyabU6sdv2hb1QB7FqXsBzETb/dhwAOLKy FOH+kA6twCMp+lHDSb/jCujByH59OsD9zrC4A9nl6MwzyC3xCvBJGx+10SbHhjAP fs4IXhAYemVbhah8vX1y6Z5Qi5PbLQh+yfPcs+vv7vwbMxWC0jHl98jQatpQrd1s 6iftCjOJV7Gi8OHaTz8wKTF2TGRzR7hwUiiP/5V4UPgS5B4UNDXNfcygBXvuUZ4L lGIbyJT7GcmZcN05z2My =SSAL -----END PGP SIGNATURE-----