Comment 1 Yury German 2017-08-20 21:07:32 UTC

            Xen Security Advisory CVE-2017-12134 / XSA-229
                               version 3

            linux: Fix Xen block IO merge-ability calculation

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

The block layer in Linux may choose to merge adjacent block IO requests.
When Linux is running as a Xen guest, the default merging algorithm is
replaced with a Xen-specific one.  When Linux is running as an x86 PV
guest, some BIO's are erroneously merged, corrupting the data stream
to/from the block device.

This can result in incorrect access to an uncontrolled adjacent frame.

IMPACT
======

A buggy or malicious guest can cause Linux to read or write incorrect
memory when processing a block stream.  This could leak information from
other guests in the system or from Xen itself, or be used to DoS or
escalate privilege within the system.

VULNERABLE SYSTEMS
==================

All x86 Xen systems using pvops Linux in a backend role (either as
dom0, or as a disk device driver domain) are affected.  This includes
upstream Linux versions 2.6.37 and later.  Systems using the older
classic-linux fork are not affected.

All PV x86 domains doing block IO on behalf of a guest, including dom0
and any PV driver domains, are vulnerable.  (Any HVM driver domains
running are not vulnerable.)  This includes Xen vbd backends such as
blkback, but also direct IO performed for the guest via eg qemu.

ARM systems are not affected.

The vulnerability is only exposed if the underlying block device has
request merging enabled.  See Mitigation.

The vulnerability is only exposed to configurations which use grant
mapping as a transport mechanism for the block data.  Configurations
which use exclusively grant copy are not vulnerable.

MITIGATION
==========

Disable bio merges on all relevant underlying backend block devices.
For example,
  echo 2 > /sys/block/nvme0n1/queue/nomerges

CREDITS
=======

This issue was discovered by Jan H. Schönherr of Amazon.

=========================================

            Xen Security Advisory CVE-2017-12136 / XSA-228
                               version 3

     grant_table: Race conditions with maptrack free list handling

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

The grant table code in Xen has a bespoke semi-lockfree allocator for
recording grant mappings ("maptrack" entries).  This allocator has a
race which allows the free list to be corrupted.

Specifically: the code for removing an entry from the free list, prior
to use, assumes (without locking) that if inspecting head item shows
that it is not the tail, it will continue to not be the tail of the
list if it is later found to be still the head and removed with
cmpxchg.  But the entry might have been removed and replaced, with the
result that it might be the tail by then.  (The invariants for the
semi-lockfree data structure were never formally documented.)

Additionally, a stolen entry is put on the free list with an incorrect
link field, which will very likely corrupt the list.

IMPACT
======

A malicious guest administrator can crash the host, and can probably
escalate their privilege to that of the host.

VULNERABLE SYSTEMS
==================

Xen 4.6 and later are vulnerable.

Xen 4.5 and earlier are not vulnerable.

MITIGATION
==========

There is no mitigation for this vulnerability.

CREDITS
=======

This issue was discovered by Ian Jackson of Citrix.

====================================

            Xen Security Advisory CVE-2017-12135 / XSA-226
                               version 6

               multiple problems with transitive grants

UPDATES IN VERSION 6
====================

Patches actually addressing the issue have become ready.

ISSUE DESCRIPTION
=================

1) Code to handle copy operations on transitive grants has built in
   retry logic, involving a function reinvoking itself with unchanged
   parameters.  Such use assumes that the compiler would also translate
   this to a so called "tail call" when generating machine code.
   Empirically, this is not commonly the case, allowing for
   theoretically unbounded nesting of such function calls.

2) The reference counting and locking discipline for transitive grants
   is broken.  Concurrent use of the transitive grant can leak
   references on the transitively-referenced grant.

IMPACT
======

A malicious or buggy guest may be able to crash Xen.  Privilege
escalation and information leaks cannot be ruled out.  A malicious or
buggy guest can leak references on grants it has been given, amounting
to a DoS against the grantee.

VULNERABLE SYSTEMS
==================

All versions of Xen are vulnerable.

MITIGATION
==========

There is no known mitigation.

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

The security team would also like to thank Amazon for helping to identify that
the problems with transitive grants were deeper than originally believed.

@Security, Sorry to over-populate the ticket but I would like to make the information easier to process.


[Xen Security Advisory 229 (CVE-2017-12134)]

CVE-2017-12134(https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12134):
The xen_biovec_phys_mergeable function in drivers/xen/biomerge.c in Xen might allow local OS guest users to corrupt block device data streams and consequently obtain sensitive memory information, cause a denial of service, or gain host OS privileges by leveraging incorrect block IO merge-ability calculation.


[Xen Security Advisory CVE-2017-12135 / XSA-226]

CVE-2017-12135(https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12135):
Xen allows local OS guest users to cause a denial of service (crash) or possibly obtain sensitive information or gain privileges via vectors involving transitive grants.


[Xen Security Advisory CVE-2017-12136 / XSA-228]

CVE-2017-12136(https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12136):
Race condition in the grant table code in Xen 4.6.x through 4.9.x allows local guest OS administrators to cause a denial of service (free list corruption and host crash) or gain privileges on the host via vectors involving maptrack free list handling.


[Xen Security Advisory 227 (CVE-2017-12137)]

CVE-2017-12137(https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12137):
arch/x86/mm.c in Xen allows local PV guest OS users to gain host OS privileges via vectors related to map_grant_ref.

Comment 3 Yixun Lan 2017-10-13 08:12:17 UTC

this should be fixed now, all <=XSA-244 should be fixed with 
  =app-emulation/xen-4.8.2-r1 && 
  =app-emulation/xen-tools-4.8.2-r1 
pushed

(In reply to Yixun Lan from comment #3)

> comment #3

Thank you,

Whiteboard now change.

also, cc amd64,x86 when ready for stable please, thank you again.

Comment 6 Yury German 2017-11-30 07:37:38 UTC

Arches and Maintainer(s), Thank you for your work.

New GLSA Request filed.

Comment 7 GLSAMaker/CVETool Bot 2018-01-14 23:50:39 UTC

This issue was resolved and addressed in
 GLSA 201801-14 at https://security.gentoo.org/glsa/201801-14
by GLSA coordinator Thomas Deutschmann (whissi).

Comment 8 Larry the Git Cow 2019-11-08 20:53:33 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a65a72c5bf82bef9f6a7fd525ca42a7c7027d5e7

commit a65a72c5bf82bef9f6a7fd525ca42a7c7027d5e7
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-11-08 20:10:18 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-11-08 20:53:24 +0000

    package.mask: Last rite <dev-python/numpy-1.14.5 & revdeps
    
    Bug: https://bugs.gentoo.org/627962
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 profiles/package.mask | 10 ++++++++++
 1 file changed, 10 insertions(+)