osec-2016-02
Vulnerability from osv_ocaml
Published: 2016-05-03 00:00
Modified: 2026-01-13 12:00
Summary: Memory disclosure in mirage-net-xen
Details

Background

MirageOS is a library operating system using cooperative multitasking, which can be executed as a guest of the Xen hypervisor. Virtual devices, such as a network device, share memory between MirageOS and the hypervisor. MirageOS allocates and grants the hypervisor access to a ring buffer containing pages to be sent on the network device, and another ring buffer with pages to be filled with received data. A write on the MirageOS side consists of filling the page with the packet data, submitting a write request to the hypervisor, and awaiting a response from the hypervisor. To correlate the request with the response, a 16-bit identifier is used.

Problem Description

This 16-bit identifier was not generated uniquely. When multiple pages share an identifier and are queued for transmission on the wire, the first successful response marks all pages with this identifier free, even those still waiting to be transmitted. Once a page is marked free, the MirageOS application refills it with the next chunk of data. This leads to corrupted packets being sent, and can lead to disclosure of memory intended for another recipient.

Impact

This issue discloses memory intended for another recipient. All versions before mirage-net-xen 1.4.2 are affected. The receiving side uses a similar mechanism, which may lead to corrupted incoming data (possibly even mutated while being processed).

Version 1.5.0, released on 8th January, already assigns unique identifiers for transmission. Received pages are copied into freshly allocated buffers before being passed to the next layer. When 1.5.0 was released, the impact was not clear to us. Version 1.6.1 now additionally ensures that received pages have a unique identifier.

Solution

The identifier is now generated uniquely, using a monotonic counter.

Transmitting corrupt data and disclosing memory is fixed in versions 1.4.2 and above.
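The following simulation is an added illustration of the Problem Description and Solution above; it is not mirage-net-xen code, and the advisory does not say how the original identifiers were derived. The flawed policy here (`colliding_ids`, constructed) lets two in-flight pages share one 16-bit id, the completion handler releases every page carrying that id as the advisory describes, and the application's next frame lands in a page the backend has not transmitted yet. The fixed variant uses a monotonic counter and releases only the completed request. Page names, frame contents and the LIFO free list are all constructed for the example.

```python
"""Model of the request-id reuse bug described in OSEC-2016-02.

Constructed simulation, not mirage-net-xen code. A transmit ring hands each
granted page to the backend together with a 16-bit request id; the backend's
response carries that id back so the frontend can mark the page free.
"""
from collections import deque
from dataclasses import dataclass, field
from itertools import count
from typing import Callable, Deque, List

ID_MASK = (1 << 16) - 1  # request ids are 16 bits wide


@dataclass
class Page:
    index: int
    data: bytes = b""
    free: bool = True


@dataclass
class TxRing:
    """Frontend side of the transmit ring.

    id_of:             policy assigning a request id to a granted page.
    free_all_matching: True selects the buggy completion handler from the
                       advisory (one response releases every page carrying
                       that id); False releases only the completed page.
    """
    id_of: Callable[[Page], int]
    free_all_matching: bool
    npages: int = 4
    free_pages: List[Page] = field(init=False)          # LIFO free list (constructed)
    inflight: Deque = field(default_factory=deque)      # (req_id, page), oldest first
    wire: List[bytes] = field(default_factory=list)     # what the backend actually sent

    def __post_init__(self) -> None:
        # Stack ordered so pops hand out page 0, 1, 2, ... initially.
        self.free_pages = [Page(i) for i in reversed(range(self.npages))]

    def submit(self, data: bytes) -> int:
        """Fill a free page and queue a transmit request for it."""
        page = self.free_pages.pop()
        page.free = False
        page.data = data
        req_id = self.id_of(page) & ID_MASK
        self.inflight.append((req_id, page))
        return req_id

    def backend_transmit_one(self) -> None:
        """Backend services the oldest request: copy the page to the wire, then respond."""
        req_id, page = self.inflight.popleft()
        self.wire.append(bytes(page.data))  # snapshot of the page at transmit time
        self._on_response(req_id, page)

    def _release(self, page: Page) -> None:
        if not page.free:
            page.free = True
            self.free_pages.append(page)

    def _on_response(self, req_id: int, completed: Page) -> None:
        self._release(completed)
        if self.free_all_matching:
            # Bug: pages still waiting for transmission but sharing the id
            # are handed back to the application as well.
            for rid, page in self.inflight:
                if rid == req_id:
                    self._release(page)


def colliding_ids(page: Page) -> int:
    """Constructed flawed policy: pages 0 and 1 (and 2 and 3) share an id."""
    return page.index // 2


def monotonic_ids() -> Callable[[Page], int]:
    """Fixed policy: a counter masked to 16 bits. Two in-flight requests can
    only share an id if more than 65536 are pending at once, which a ring
    this small cannot hold."""
    counter = count()
    return lambda _page: next(counter)


def run(buggy: bool) -> List[bytes]:
    """Replay the scenario from the advisory and return what reached the wire."""
    ring = TxRing(id_of=colliding_ids if buggy else monotonic_ids(),
                  free_all_matching=buggy)
    ring.submit(b"frame for Alice")
    ring.submit(b"frame for Bob")
    ring.backend_transmit_one()             # Alice's frame goes out; its response arrives
    ring.submit(b"secret frame for Carol")  # application reuses whichever page is marked free
    ring.backend_transmit_one()             # Bob's request is serviced now
    return ring.wire


if __name__ == "__main__":
    print("buggy:", run(True))
    print("fixed:", run(False))
```

In the buggy run, the response for Alice's frame also releases Bob's page, the application writes Carol's frame into it, and the backend then transmits Carol's data in the slot addressed to Bob: the memory disclosure the advisory describes. With the monotonic counter only the completed page is released, Carol's frame goes into a genuinely free page, and Bob's frame reaches the wire intact.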

Credits
Enguerrand Decorne
Hannes Mehnert
Thomas Leonard
Hannes Mehnert
Mindy Preston

{
  "affected": [
    {
      "ecosystem_specific": {
        "opam_constraint": "mirage-net-xen {\u003c \"1.4.2\"}"
      },
      "package": {
        "ecosystem": "opam",
        "name": "mirage-net-xen",
        "purl": "pkg:opam/mirage-net-xen"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0b1e53c0875062a50e2d5823b7da0d8e0a64dc37"
            }
          ],
          "repo": "https://github.com/mirage/mirage-net-xen",
          "type": "GIT"
        }
      ],
      "versions": [
        "0.9.0",
        "1.1.0",
        "1.1.1",
        "1.1.2",
        "1.1.3",
        "1.2.0",
        "1.3.0",
        "1.4.0",
        "1.4.1"
      ]
    }
  ],
  "credits": [
    {
      "name": "Enguerrand Decorne",
      "type": "REPORTER"
    },
    {
      "name": "Hannes Mehnert",
      "type": "REPORTER"
    },
    {
      "name": "Thomas Leonard",
      "type": "REMEDIATION_DEVELOPER"
    },
    {
      "name": "Hannes Mehnert",
      "type": "REMEDIATION_DEVELOPER"
    },
    {
      "name": "Mindy Preston",
      "type": "REMEDIATION_REVIEWER"
    }
  ],
  "database_specific": {
    "cwe": [
      "CWE-416"
    ],
    "human_link": "https://github.com/ocaml/security-advisories/tree/main/advisories/2016/OSEC-2016-02.md",
    "osv": "https://github.com/ocaml/security-advisories/tree/generated-osv/2016/OSEC-2016-02.json"
  },
  "details": "## Background\n\nMirageOS is a library operating system using cooperative multitasking, which can be executed as a guest of the Xen hypervisor. Virtual devices, such as a network device, share memory between MirageOS and the hypervisor. MirageOS allocates and grants the hypervisor access to a ringbuffer containing pages to be sent on the network device, and another ringbuffer with pages to be filled with received data. A write on the MirageOS side consists of filling the page with the packet data, submitting a write request to the hypervisor, and awaiting a response from the hypervisor. To correlate the request with the response, a 16bit identifier is used.\n\n## Problem Description\n\nGenerating this 16bit identifier was not done in a unique manner. When multiple pages share an identifier, and are requested to be transmitted via the wire, the first successful response will mark all pages with this identifier free, even those still waiting to be transmitted. Once marked free, the MirageOS application fills the page for another chunk of data. This leads to corrupted packets being sent, and can lead to disclosure of memory intended for another recipient.\n\n## Impact\n\nThis issue discloses memory intended for another recipient. All versions before mirage-net-xen 1.4.2 are affected. The receiving side uses a similar mechanism, which may lead to corrupted incoming data (eventually even mutated while being processed).\n\nVersion 1.5.0, released on 8th January, already assigns unique identifiers for transmission. Received pages are copied into freshly allocated buffers before passed to the next layer. When 1.5.0 was released, the impact was not clear to us. Version 1.6.1 now additionally ensures that received pages have a unique identifier.\n\n## Solution\n\nThe unique identifier is now generated in a unique manner using a monotonic counter.\n\nTransmitting corrupt data and disclosing memory is fixed in versions 1.4.2 and above.",
  "id": "OSEC-2016-02",
  "modified": "2026-01-13T12:00:00Z",
  "published": "2016-05-03T00:00:00Z",
  "references": [
    {
      "type": "FIX",
      "url": "https://github.com/mirage/mirage-net-xen/pull/28"
    },
    {
      "type": "FIX",
      "url": "https://github.com/mirage/mirage-net-xen/pull/41"
    },
    {
      "type": "ADVISORY",
      "url": "https://mirageos.org/blog/MSA00"
    }
  ],
  "schema_version": "1.7.4",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Memory disclosure in mirage-net-xen"
}

