CVE-2015-8551: Null Pointer Dereference
First published: Mon Dec 07 2015(Updated: )
ISSUE DESCRIPTION ================= Xen PCI backend driver does not perform proper sanity checks on the device's state. Which in turn allows the generic MSI code (called by Xen PCI backend) to be called incorrectly leading to hitting BUG conditions or causing NULL pointer exceptions in the MSI code. To exploit this the guest can craft specific sequence of XEN_PCI_OP_* operations which will trigger this. Furthermore the frontend can also craft an continous stream of XEN_PCI_OP_enable_msi which will trigger an continous stream of WARN() messages triggered by the MSI code leading to the logging in the initial domain to exhaust disk space. Lastly there is also missing check to verify whether the device has memory decoding enabled set at the start of the day leading the initial domain "accesses to the respective MMIO or I/O port ranges would - - on PCI Express devices - [which can] lead to Unsupported Request responses. The treatment of such errors is platform specific." (from XSA-120). Note that if XSA-120 'addendum' patch has been applied this particular sub-issue is not exploitable. IMPACT ====== Malicious guest administrators can cause denial of service. If driver domains are not in use, the impact is a host crash. Only x86 systems are vulnerable. ARM systems are not vulnerable. VULNERABLE SYSTEMS ================== This bug affects systems using Linux as the driver domain, including non-disaggregated systems using Linux as dom0. Linux versions v3.1 and onwards are vulnerable due to supporting PCI pass-through backend driver. PV and HVM guests which have been granted access to physical PCI devices (`PCI passthrough') can take advantage of this vulnerability. Furthermore, the vulnerability is only applicable when the passed-through PCI devices are MSI-capable or MSI-X. (Most modern devices are). MITIGATION ========== Not using PCI passthrough for PV and HVM guests. Note that for HVM guests QEMU is used for PCI passthrough - however the toolstack sets up also the 'PV' PCI which the guest can utilize if it chooses to do so. External References: <a href="http://xenbits.xen.org/xsa/advisory-157.html">http://xenbits.xen.org/xsa/advisory-157.html</a> Acknowledgements: Red Hat would like to thank the Xen project for reporting this issue.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Linux Linux kernel | >=3.1<=3.1.10 | |
| Linux Linux kernel | >=4.3.0<=4.3.6 | |
| Debian Debian Linux | =7.0 | |
| Debian Debian Linux | =8.0 | |
| openSUSE openSUSE | =13.1 | |
| SUSE Linux Enterprise Desktop | =11-sp4 | |
| SUSE Linux Enterprise Desktop | =12-sp1 | |
| Suse Linux Enterprise Real Time Extension | =11-sp4 | |
| Suse Linux Enterprise Real Time Extension | =12-sp1 | |
| SUSE Linux Enterprise Server | =11 | |
| SUSE Linux Enterprise Server | =11-sp4 | |
| SUSE Linux Enterprise Server | =12-sp1 | |
| SUSE Linux Enterprise Software Development Kit | =11-sp4 | |
| SUSE Linux Enterprise Software Development Kit | =12-sp1 | |
| Suse Linux Enterprise Workstation Extension | =12-sp1 | |
| debian/linux | 5.10.223-1 5.10.226-1 6.1.115-1 6.1.112-1 6.11.7-1 6.11.9-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://xenbits.xen.org/xsa/advisory-157.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1289128#c0
- https://access.redhat.com/security/cve/CVE-2015-8551
- https://access.redhat.com/security/cve/CVE-2015-8552
- https://access.redhat.com/security/cve/CVE-2015-8553
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1196266
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1292439
- https://bugzilla.redhat.com/show_bug.cgi?id=1289128
- http://www.securityfocus.com/bid/79546
- http://www.securitytracker.com/id/1034480
- http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00059.html
- http://lists.opensuse.org/opensuse-security-announce/2016-07/msg00005.html
- http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00000.html
- http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00044.html
- http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00055.html
- http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00094.html
- http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00045.html
- https://security.gentoo.org/glsa/201604-03
- http://www.debian.org/security/2016/dsa-3434
- https://launchpad.net/bugs/cve/CVE-2015-8551
- https://git.kernel.org/linus/56441f3c8e5bd45aab10dd9f8c505dd4bec03b0d
- https://git.kernel.org/linus/5e0ce1455c09dd61d029b8ad45d82e1ac0b6c4c9
- https://git.kernel.org/linus/a396f3a210c3a61e94d6b87ec05a75d0be2a60d0
- https://git.kernel.org/linus/7cfb905b9638982862f0331b36ccaaca5d383b49
- https://git.kernel.org/linus/408fb0e5aa7fda0059db282ff58c3b2a4278baa0
- https://security-tracker.debian.org/tracker/CVE-2015-8551
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8551
- https://nvd.nist.gov/vuln/detail/CVE-2015-8551
- https://ubuntu.com/security/CVE-2015-8551
Frequently Asked Questions
What is the vulnerability ID?
The vulnerability ID is CVE-2015-8551.
What is the severity of CVE-2015-8551?
The severity of CVE-2015-8551 is medium.
What is the affected software for CVE-2015-8551?
The affected software for CVE-2015-8551 includes Linux versions 3.1.x through 4.3.x when running on an x86 system with Xen as the driver domain.
How does CVE-2015-8551 impact the system?
CVE-2015-8551 can cause a denial of service (NULL pointer dereference and host OS crash) on the host system by leveraging a system with access to a passed-through PCI device.
What is the fix for CVE-2015-8551?
The fix for CVE-2015-8551 is to update the Linux kernel to a version that includes the necessary security patches.
- collector/redhat-bugzilla
- alias/CVE-2015-8551
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- agent/author
- agent/remedy
- agent/severity
- agent/description
- agent/weakness
- agent/references
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- collector/nvd-index
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/tags
- agent/event
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/usn-cve
- source/Ubuntu
- vendor/linux
- canonical/linux linux kernel
- version/linux linux kernel/3.1
- version/linux linux kernel/3.1.10
- version/linux linux kernel/4.3.0
- version/linux linux kernel/4.3.6
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/7.0
- version/debian debian linux/8.0
- vendor/opensuse
- canonical/opensuse opensuse
- version/opensuse opensuse/13.1
- vendor/suse
- canonical/suse linux enterprise desktop
- version/suse linux enterprise desktop/11-sp4
- version/suse linux enterprise desktop/12-sp1
- canonical/suse linux enterprise real time extension
- version/suse linux enterprise real time extension/11-sp4
- version/suse linux enterprise real time extension/12-sp1
- canonical/suse linux enterprise server
- version/suse linux enterprise server/11
- version/suse linux enterprise server/11-sp4
- version/suse linux enterprise server/12-sp1
- canonical/suse linux enterprise software development kit
- version/suse linux enterprise software development kit/11-sp4
- version/suse linux enterprise software development kit/12-sp1
- canonical/suse linux enterprise workstation extension
- version/suse linux enterprise workstation extension/12-sp1
- package-manager/debian