blkif responses leak backend stack data

ID XSA-216
Type xen
Reporter Xen Project
Modified 2017-06-20T12:33:00



The block interface response structure has some discontiguous fields. Certain backends populate the structure fields of an otherwise uninitialized instance of this structure on their stacks, leaking data through the (internal or trailing) padding field.


A malicious unprivileged guest may be able to obtain sensitive information from the host or other guests.


All Linux versions supporting the xen-blkback, blkback, or blktap drivers are vulnerable. FreeBSD, NetBSD and Windows (with or without PV drivers) are not vulnerable (either because they do not have backends at all, or because they use a different implementation technique which does not suffer from this problem). All qemu versions supporting the Xen block backend are vulnerable. The qemu-xen-traditional code base does not include such code, so is not vulnerable. Note that an instance of qemu will be spawned to provide the backend for most non-raw-format disks; so you may need to apply the patch to qemu even if you use only PV guests.