[MirageOS-devel] MirageOS Security Announcement 01: information disclosure in netchannel version 1.10.0

[Mindy Preston]

All,

The MirageOS security team has published MirageOS Security Announcement 
#01, a memory disclosure in outgoing packets in netchannel version 
1.10.0, to the MirageOS website. The announcement can be found at 
https://mirage.io/blog/MSA01 .  A copy signed with the security team's 
key is also available in the mirage-www git repository (hosted at 
https://github.com/mirage/mirage-www) in /tmpl/advisories/01.txt.asc , 
and reproduced below for your convenience.

Please don't hesitate to reply on-list or directly with any questions 
about this announcement.

As always, if you think you have discovered a security vulnerability, 
please contact the MirageOS security team at secur...@mirage.io .

A list of relevant announcements, including MSA01, is available at 
https://mirage.io/security .

Thank you,

Mindy Preston


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

## MirageOS Security Advisory 01 - memory disclosure in mirage-net-xen

- - Module:       netchannel
- - Announced:    2019-03-21
- - Credits:      Thomas Leonard, Hannes Mehnert, Mindy Preston
- - Affects:      netchannel = 1.10.0
- - Corrected:    2019-03-20 1.10.1 release

For general information regarding MirageOS Security Advisories,
please visit [https://mirage.io/security](https://mirage.io/security).

### Background

MirageOS is a library operating system using cooperative multitasking, 
which can
be executed as a guest of the Xen hypervisor.  Virtual devices, such as a
network device, share memory between MirageOS and the hypervisor. To 
maintain
adequate performance, the virtual device managing network communication 
between
MirageOS and the Xen hypervisor maintains a shared pool of pages and reuses
them for write requests.

### Problem Description

In version 1.10.0 of netchannel, the API for handling network requests
changed to provide higher-level network code with an interface for 
writing into
memory directly.  As part of this change, code paths which exposed 
memory taken
from the shared page pool did not ensure that previous data had been 
cleared
from the buffer.  This error resulted in memory which the user did not
overwrite staying resident in the buffer, and potentially being sent as 
part of
unrelated network communication.

The mirage-tcpip library, which provides interfaces for higher-level 
operations
like IPv4 and TCP header writes, assumes that buffers into which it 
writes have
been zeroed, and therefore may not explicitly write some fields which 
are always
zero.  As a result, some packets written with netchannel v1.10.0 which were
passed to mirage-tcpip with nonzero data will have incorrect checksums
calculated and will be discarded by the receiver.

### Impact

This issue discloses memory intended for another recipient and corrupts 
packets.
Only version 1.10.0 of netchannel is affected.  Version 1.10.1 fixes 
this issue.

Version 1.10.0 was available for less than one month and many upstream users
had not yet updated their own API calls to use it.  In particular, no 
version of
qubes-mirage-firewall or its dependency mirage-nat compatible with version
1.10.0 was released.

### Workaround

No workaround is available.

### Solution

Transmitting corrupt data and disclosing memory is fixed in version 1.10.1.

The recommended way to upgrade is:
```bash
opam update
opam upgrade netchannel
```

Or, explicitly:
```bash
opam upgrade
opam reinstall netchannel=1.10.1
```

Affected releases (version 1.10.0 of netchannel and mirage-net-xen) have 
been marked uninstallable in the opam repository.

### Correction details

The following list contains the correction revision numbers for each
affected branch.

Memory disclosure on transmit:

master: 
[6c7a13a5dae0f58dcc0653206a73fa3d8174b6d2](https://github.com/mirage/mirage-net-xen/commit/6c7a13a5dae0f58dcc0653206a73fa3d8174b6d2)

1.10.0: 
[bd0382eabe17d0824c8ba854ec935d8a2e5f7489](https://github.com/mirage/mirage-net-xen/commit/bd0382eabe17d0824c8ba854ec935d8a2e5f7489)

### References

[netchannel](https://github.com/mirage/mirage-net-xen)

You can find the latest version of this advisory online at
[https://mirage.io/blog/MSA01](https://mirage.io/blog/MSA01).

This advisory is signed using OpenPGP, you can verify the signature
by downloading our public key from a keyserver (`gpg --recv-key 
4A732D757C0EDA74`),
downloading the raw markdown source of this advisory from 
[GitHub](https://raw.githubusercontent.com/mirage/mirage-www/master/tmpl/advisories/01.txt.asc)
and executing `gpg --verify 01.txt.asc`.
-----BEGIN PGP SIGNATURE-----

iQIcBAEBAgAGBQJck8mYAAoJEEpzLXV8Dtp03RMP/jRiGkXBixZJCRKXXOuGwKhN
lkbjQX9GN+cBoDB74sBLL5lefCYZzFck9Ouk3YapX+7Uj+adFJc+XQUxy7aB2/Pl
3s6bdImRrNFmGU6rTT5icC6SIksNHe5D8Nv/MxL/yeQp+UOs3v0pFh2wIkgmM4+K
QxMi3xpN2lRGYFqOHUPouAIDnhBHjg40Aeg1xT0V4H+AQLtg40+B8lRZTzzUVOkk
yIyBViil6Okz1V2PWWpJnfakGB6pJqCv2dt4fGEZGnnmdKXRucTwIb/fStB7y03e
E7HGJiHZqEJrsJam/9K/vaqETfxH3JrHbeKdiYn5kL0tapK6Dl0O71T5cBykIxZd
slcmuuUCUVgaVZfsug7V5rtisFbLkJM3LFNfwRZRsoJaMyNuCqcm03ENJRFCI4cg
OAQ6f42dfmNKI2QTOxunMkCw2/CT3d6Vru9RELo549SEeCvsGK2J0PzGcw2X2d3l
SQB4NdA4bXUmDyjAjmdqh8VrCfSok0YrF3FSoQR151lQpZSs9ziWOG+U9RQ1+TBf
M5HzMMmIARR261WzZ/5kdieMeWwu87DltD0ZsrSOxls+UYwSdi05oJm1Sh3zT/yL
4VgmM0BX0/oRdCGipfmRB+PUOaSLgljoVfu+/xpm1p9hzQIgPaPkDT4Ae8l5BwXc
BZbCK/4TktwU4S8Eg+92
=LrX+
-----END PGP SIGNATURE-----


_______________________________________________
MirageOS-devel mailing list
MirageOS-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/mirageos-devel