Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 627956 (CVE-2017-12855) - <app-emulation/xen{-tools}-4.8.2-r1: grant_table: possibly premature clearing of GTF_writing / GTF_reading (CVE:2017-12855)
Summary: <app-emulation/xen{-tools}-4.8.2-r1: grant_table: possibly premature clearing...
Status: RESOLVED FIXED
Alias: CVE-2017-12855
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://web.nvd.nist.gov/view/vuln/de...
Whiteboard: B4 [noglsa/cve]
Keywords:
Depends on: CVE-2017-12134, CVE-2017-12135, CVE-2017-12136, CVE-2017-12137
Blocks:
  Show dependency tree
 
Reported: 2017-08-15 18:47 UTC by D'juan McDonald (domhnall)
Modified: 2017-11-30 07:32 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description D'juan McDonald (domhnall) 2017-08-15 18:47:26 UTC
Xen maintains the _GTF_{read,writ}ing bits as appropriate, to inform the guest that a grant is in use. A guest is expected not to modify the grant details while it is in use, whereas the guest is free to modify/reuse the grant entry when it is not in use. Under some circumstances, Xen will clear the status bits too early, incorrectly informing the guest that the grant is no longer in use. A guest may prematurely believe that a granted frame is safely private again, and reuse it in a way which contains sensitive information, while the domain on the far end of the grant is still using the grant. Xen 4.9, 4.8, 4.7, 4.6, and 4.5 are affected.

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12855

Gentoo Security Scout
Daj'Uan (mbailey_j)
Comment 1 D'juan McDonald (domhnall) 2017-08-15 18:56:01 UTC
@maintainter(s):

 RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa230.patch           xen-unstable, 4.9, 4.8, 4.7, 4.6, 4.5

$ sha256sum xsa230*
912c24771dc9e9b305be630b7771505abb3db735564c5574fc30b58a5da0139e  xsa230.meta
77a73f1c32d083e315ef0b1bbb119cb8840ceb5ada790cad76cbfb9116f725cc  xsa230.patch
$

Source: http://xenbits.xen.org/xsa/advisory-230.html
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2017-08-20 20:55:44 UTC
            Xen Security Advisory CVE-2017-12855 / XSA-230
                              version 3

 grant_table: possibly premature clearing of GTF_writing / GTF_reading

UPDATES IN VERSION 3
====================

CVE assigned.

ISSUE DESCRIPTION
=================

Xen maintains the _GTF_{read,writ}ing bits as appropriate, to inform the
guest that a grant is in use.  A guest is expected not to modify the
grant details while it is in use, whereas the guest is free to
modify/reuse the grant entry when it is not in use.

Under some circumstances, Xen will clear the status bits too early,
incorrectly informing the guest that the grant is no longer in use.

IMPACT
======

A guest may prematurely believe that a granted frame is safely private
again, and reuse it in a way which contains sensitive information, while
the domain on the far end of the grant is still using the grant.

VULNERABLE SYSTEMS
==================

All systems are vulnerable.

MITIGATION
==========

There are no mitigations.

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.
Comment 3 D'juan McDonald (domhnall) 2017-08-23 16:11:02 UTC
Xen Security Advisory 235 - add-to-physmap error paths fail to release lock on ARM 
From: Xen.org security team <security () xen org>
 Date: Wed, 23 Aug 2017 15:18:12 +0000
   
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

                    Xen Security Advisory XSA-235

        add-to-physmap error paths fail to release lock on ARM

ISSUE DESCRIPTION
=================

When dealing with the grant map space of add-to-physmap operations,
ARM specific code recognizes a number of error conditions, but fails
to release a lock being held on the respective exit paths.

IMPACT
======

A malicious guest administrator can cause a denial of service.
Specifically, prevent use of a physical CPU for an indefinite period
of time.

VULNERABLE SYSTEMS
==================

Xen versions 4.4 and later are vulnerable.  Xen versions 4.3 and
earlier are not vulnerable.

Only ARM systems are affected.  X86 systems are not affected.

MITIGATION
==========

On systems where the guest kernel is controlled by the host rather than
guest administrator, running only kernels which only issue sane
hypercalls will prevent untrusted guest users from exploiting this
issue.  However untrusted guest administrators can still trigger it
unless further steps are taken to prevent them from loading code into
the kernel (e.g by disabling loadable modules etc) or from using other
mechanisms which allow them to run code at kernel privilege.

CREDITS
=======

This issue was discovered by Wei Liu of Citrix.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa235.patch           xen-unstable
xsa235-4.9.patch       Xen 4.9.x, Xen 4.8.x
xsa235-4.7.patch       Xen 4.7.x
xsa235-4.6.patch       Xen 4.6.x
xsa235-4.5.patch       Xen 4.5.x

$ sha256sum xsa235*
6ec8bf9462de65fee3896246f52c00941b2d83c759b3f7b28a440eb977fcbc37  xsa235.meta
c81f534e96fe38b9f77794bb143d104d66ce2d7177bda43f872642616e23df65  xsa235.patch
3c21cb1a53f5979b069568c6cd6df3aad00c19e0e459e37625d6a3c0f4f360cc  xsa235-4.5.patch
47cda4f32b65f3543af368c324a2e5b308b698a1c7d8bc84fc274eb2cdb45c0e  xsa235-4.6.patch
f30848eee71e66687b421b87be1d8e3f454c0eb395422546c62a689153d1e31c  xsa235-4.7.patch
d8f012734fbf6019c1ff864744e308c41dfb9c7804ca3be2771c2c972cdf4bd5  xsa235-4.9.patch
$

NOTE REGARDING LACK OF EMBARGO
==============================

The issue was discussed publicly before being recognized as a security
issue.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJZnZxeAAoJEIP+FMlX6CvZTj4IALE9/7IoG1Ak/TZuHE4xRxZx
Zd2APyf+lCNj3wwdFRGC/969ilQ9OjLlJ408RyY6bVpwfmsjJTZWnAcWuS/fIdhY
niillD1sdP7Eg65JG8bxL2jCaISH7AJKSePoLuc8G55I7uuJYEnipyvDZuz6W+qy
k03+Bbz+TwNezA4YoNFsSpRdX48iIevFy9AIhZmggLUqdgmTR1rygjW/bxanBX8z
2dSch8LMcsVArTmwE3NnxVSJC1/g3Tc07wll7LnB6npecbCmiMqk+rhPUFdHZXl7
pYZy+Qp7w5rqcd91cOuKQKml4O3lO9ajblfpqKmbH3+hnuDqEnVlHSvVNVGWyag=
=mGPq
-----END PGP SIGNATURE-----

Attachment: xsa235.meta
 Description: 
Attachment: xsa235.patch
 Description: 
Attachment: xsa235-4.5.patch
 Description: 
Attachment: xsa235-4.6.patch
 Description: 
Attachment: xsa235-4.7.patch
 Description: 
Attachment: xsa235-4.9.patch
 Description:
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2017-09-02 16:13:00 UTC
splitting out XSA-235.
Comment 5 Yixun Lan archtester gentoo-dev 2017-10-13 08:11:33 UTC
this should be fixed now, all <=XSA-244 should be fixed with 
  =app-emulation/xen-4.8.2-r1 && 
  =app-emulation/xen-tools-4.8.2-r1 
pushed
Comment 6 Yury German Gentoo Infrastructure gentoo-dev 2017-11-30 07:32:13 UTC
GLSA Vote: No
Thank you all for you work. 
Closing as [noglsa].