Bug 627962 (CVE-2017-12134, CVE-2017-12135, CVE-2017-12136, CVE-2017-12137)

Summary: <app-emulation/xen{,tools}-4.8.2-r1: Multiple Vulnerabilities
Product: Gentoo Security
Reporter: D'juan McDonald (domhnall) <flopwiki>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: hydrapolic, xen
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: https://xenbits.xen.org/xsa/
Whiteboard: B1 [glsa+ cve]
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 627956

Description D'juan McDonald (domhnall) 2017-08-15 20:57:56 UTC
Xen Security Advisory 229 (CVE-2017-12134) - linux: Fix Xen block IO merge-ability calculation

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa229.patch           Linux

$ sha256sum xsa229*
5f96c72c8c5a971d52f5540475a3fc6f4fef2071ec772ef21392fdc238eda858  xsa229.patch
$

http://seclists.org/oss-sec/2017/q3/att-294/xsa229.patch



Xen Security Advisory CVE-2017-12135 / XSA-226
 version 5
 
 multiple problems with transitive grants
 
RESOLUTION
==========

Applying the appropriate attached patch works around this issue by disabling
transitive grants by default.

xsa226.patch           xen-unstable, Xen 4.9.x, Xen 4.8.x
xsa226-4.7.patch       Xen 4.7.x
xsa226-4.6.patch       Xen 4.6.x
xsa226-4.5.patch       Xen 4.5.x

$ sha256sum xsa226*
b09e07aaf422ae04a4ece5e2c5b5e54036cfae5b5c632bfc6953a0cacd6f60ff  xsa226.patch
ca8b92b2ff58b87e8bec137a34784cbf11e2820659046df6e1d71e23bf7e7dee  xsa226-4.5.patch
28c7df7edabb91fb2f1fa3fc7d6906bfae75a6e701f1cd335baafaae3e087696  xsa226-4.6.patch
fffcc0a4428723e6aea391ff4f1d27326b5a3763d2308cbde64e6a786502c702  xsa226-4.7.patch
$


http://seclists.org/oss-sec/2017/q3/att-291/xsa226.patch

http://seclists.org/oss-sec/2017/q3/att-291/xsa226-4_5.patch

http://seclists.org/oss-sec/2017/q3/att-291/xsa226-4_6.patch

http://seclists.org/oss-sec/2017/q3/att-291/xsa226-4_7.patch



Xen Security Advisory CVE-2017-12136 / XSA-228
 version 3
 
 grant_table: Race conditions with maptrack free list handling
VULNERABLE SYSTEMS
==================

Xen 4.6 and later are vulnerable.

Xen 4.5 and earlier are not vulnerable.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa228.patch           xen-unstable, Xen 4.9.x
xsa228-4.8.patch       Xen 4.8.x, Xen 4.7.x, Xen 4.6.x

$ sha256sum xsa228*
35a1a7f8905770fa64da0756fe3e0400bb8c28ecae0b7cf80e749cb7962018db  xsa228.meta
1979e111442517891b483e316a15a760a4c992ac4440f95e361ff12f4bebff62  xsa228.patch
5a7416f15ac9cd7cace354b6102ff58199fe0581f65a36a36869650c71784e48  xsa228-4.8.patch
$

http://seclists.org/oss-sec/2017/q3/att-293/xsa228_meta.bin

http://seclists.org/oss-sec/2017/q3/att-293/xsa228.patch

http://seclists.org/oss-sec/2017/q3/att-293/xsa228-4_8.patch



Xen Security Advisory 227 (CVE-2017-12137) - x86: PV privilege escalation via map_grant_ref

IMPACT
======

A PV guest can elevate its privilege to that of the host.

VULNERABLE SYSTEMS
==================

All versions of Xen are vulnerable.

Only x86 systems are vulnerable.

Any system running untrusted PV guests is vulnerable.

The vulnerability is exposed to PV stub qemu serving as the device model
for HVM guests.  Our default assumption is that an HVM guest has
compromised its PV stub qemu.  By extension, it is likely that the
vulnerability is exposed to HVM guests which are served by a PV stub
qemu.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa227.patch           xen-unstable, Xen 4.9.x, 4.8.x, 4.7.x
xsa227-4.6.patch       Xen 4.6.x
xsa227-4.5.patch       Xen 4.5.x

$ sha256sum xsa227*
c48cc3be47e81a4ceebcf60659b8755516c68916fc5150920ed42c6b61e3f219  xsa227.meta
9923a47e5f86949800887596f098954a08ef73a01d74b1dbe16cab2e6b1fabb2  xsa227.patch
6f83d0d9ff853192840d2b82d26d8fde21473bf4ac1441a153f3ee02efd1dd67  xsa227-4.5.patch
162b991b27b86f210089526a01cae715563d3a069c92f42538b423bba7709fcc  xsa227-4.6.patch
$

(The .meta file is a prototype machine-readable file for describing
which patches are to be applied how.)

http://seclists.org/oss-sec/2017/q3/att-292/xsa227_meta.bin
http://seclists.org/oss-sec/2017/q3/att-292/xsa227.patch
http://seclists.org/oss-sec/2017/q3/att-292/xsa227-4_5.patch
http://seclists.org/oss-sec/2017/q3/att-292/xsa227-4_6.patch
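Each advisory quoted above publishes a `sha256sum` listing for its patch files, and the seclists attachments are the only copies linked from this bug. The following is an added shell example, not part of the Gentoo bug or of the Xen advisories, that verifies a directory of downloaded patches against such a listing saved as a manifest before anything is applied; the script name, manifest name and patch directory are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Gentoo bug or the Xen advisories: check that
# downloaded XSA patch files match the sha256 values published in the advisory
# text before they are applied.  A manifest is simply the advisory's
# "$ sha256sum xsa22*" listing saved to a file (one "HEX  FILENAME" per line).
# File and directory names used here are assumptions.

# verify_sha256 FILE EXPECTED_HEX
#   returns 0 when FILE hashes to EXPECTED_HEX, 1 when it differs or is missing
verify_sha256() {
    file=$1
    expected=$2
    if [ ! -f "$file" ]; then
        echo "MISSING $file" >&2
        return 1
    fi
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK      $file"
        return 0
    fi
    echo "FAIL    $file (got $actual, expected $expected)" >&2
    return 1
}

# verify_manifest MANIFEST DIR
#   checks every entry of MANIFEST against the file of that name under DIR;
#   returns 0 only if every file is present and matches, 1 otherwise
verify_manifest() {
    manifest=$1
    dir=${2:-.}
    failures=0
    total=0
    while read -r hex name; do
        # skip blank lines and the "$ sha256sum ..." / "$" lines of a pasted listing
        case "$hex" in ''|'$') continue ;; esac
        total=$((total + 1))
        verify_sha256 "$dir/$name" "$hex" || failures=$((failures + 1))
    done < "$manifest"
    echo "$((total - failures))/$total files verified"
    [ "$failures" -eq 0 ]
}

# Usage: sh verify-xsa.sh xsa227.sums ./patches
if [ "$#" -ge 1 ]; then
    verify_manifest "$1" "$2"
fi
```

Note that the seclists attachment names use an underscore where the advisory listing uses a dot (`xsa226-4_5.patch` versus `xsa226-4.5.patch`), so downloaded files must be renamed to the listed names, or the manifest edited, before the check will find them; a `MISSING` line is the signal that this has not been done. `sha256sum -c --strict` performs the same comparison; the functions here exist to report missing files and a pass/fail summary in one place.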
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2017-08-20 21:07:32 UTC
            Xen Security Advisory CVE-2017-12134 / XSA-229
                               version 3

            linux: Fix Xen block IO merge-ability calculation

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

The block layer in Linux may choose to merge adjacent block IO requests.
When Linux is running as a Xen guest, the default merging algorithm is
replaced with a Xen-specific one.  When Linux is running as an x86 PV
guest, some BIO's are erroneously merged, corrupting the data stream
to/from the block device.

This can result in incorrect access to an uncontrolled adjacent frame.

IMPACT
======

A buggy or malicious guest can cause Linux to read or write incorrect
memory when processing a block stream.  This could leak information from
other guests in the system or from Xen itself, or be used to DoS or
escalate privilege within the system.

VULNERABLE SYSTEMS
==================

All x86 Xen systems using pvops Linux in a backend role (either as
dom0, or as a disk device driver domain) are affected.  This includes
upstream Linux versions 2.6.37 and later.  Systems using the older
classic-linux fork are not affected.

All PV x86 domains doing block IO on behalf of a guest, including dom0
and any PV driver domains, are vulnerable.  (Any HVM driver domains
running are not vulnerable.)  This includes Xen vbd backends such as
blkback, but also direct IO performed for the guest via eg qemu.

ARM systems are not affected.

The vulnerability is only exposed if the underlying block device has
request merging enabled.  See Mitigation.

The vulnerability is only exposed to configurations which use grant
mapping as a transport mechanism for the block data.  Configurations
which use exclusively grant copy are not vulnerable.

MITIGATION
==========

Disable bio merges on all relevant underlying backend block devices.
For example,
  echo 2 > /sys/block/nvme0n1/queue/nomerges

CREDITS
=======

This issue was discovered by Jan H. Schönherr of Amazon.

=========================================

            Xen Security Advisory CVE-2017-12136 / XSA-228
                               version 3

     grant_table: Race conditions with maptrack free list handling

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

The grant table code in Xen has a bespoke semi-lockfree allocator for
recording grant mappings ("maptrack" entries).  This allocator has a
race which allows the free list to be corrupted.

Specifically: the code for removing an entry from the free list, prior
to use, assumes (without locking) that if inspecting head item shows
that it is not the tail, it will continue to not be the tail of the
list if it is later found to be still the head and removed with
cmpxchg.  But the entry might have been removed and replaced, with the
result that it might be the tail by then.  (The invariants for the
semi-lockfree data structure were never formally documented.)

Additionally, a stolen entry is put on the free list with an incorrect
link field, which will very likely corrupt the list.

IMPACT
======

A malicious guest administrator can crash the host, and can probably
escalate their privilege to that of the host.

VULNERABLE SYSTEMS
==================

Xen 4.6 and later are vulnerable.

Xen 4.5 and earlier are not vulnerable.

MITIGATION
==========

There is no mitigation for this vulnerability.

CREDITS
=======

This issue was discovered by Ian Jackson of Citrix.

====================================

            Xen Security Advisory CVE-2017-12135 / XSA-226
                               version 6

               multiple problems with transitive grants

UPDATES IN VERSION 6
====================

Patches actually addressing the issue have become ready.

ISSUE DESCRIPTION
=================

1) Code to handle copy operations on transitive grants has built in
   retry logic, involving a function reinvoking itself with unchanged
   parameters.  Such use assumes that the compiler would also translate
   this to a so called "tail call" when generating machine code.
   Empirically, this is not commonly the case, allowing for
   theoretically unbounded nesting of such function calls.

2) The reference counting and locking discipline for transitive grants
   is broken.  Concurrent use of the transitive grant can leak
   references on the transitively-referenced grant.

IMPACT
======

A malicious or buggy guest may be able to crash Xen.  Privilege
escalation and information leaks cannot be ruled out.  A malicious or
buggy guest can leak references on grants it has been given, amounting
to a DoS against the grantee.

VULNERABLE SYSTEMS
==================

All versions of Xen are vulnerable.

MITIGATION
==========

There is no known mitigation.

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

The security team would also like to thank Amazon for helping to identify that
the problems with transitive grants were deeper than originally believed.
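The XSA-229 mitigation quoted in this comment, `echo 2 > /sys/block/<dev>/queue/nomerges`, is a per-device sysfs setting and is easy to miss on a dom0 or driver domain with several backend disks. The following is an added shell example, not part of the advisory or of the Gentoo bug, that audits which backend devices still have request merging enabled and applies the advisory's setting where needed; the sysfs root is a parameter so the functions can be exercised against a constructed directory tree (on a real host pass `/sys`), and the device names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Xen advisory or the Gentoo bug: audit and
# apply the XSA-229 interim mitigation (nomerges = 2) on the backend block
# devices that serve guests.  SYSFS_ROOT is normally /sys; a constructed
# directory tree with the same layout works for testing.  Device names are
# assumptions.

# nomerges_value SYSFS_ROOT DEV -> prints the current nomerges setting
#   (0 = all merging enabled, 1 = only simple merges, 2 = merging disabled)
nomerges_value() {
    f="$1/block/$2/queue/nomerges"
    [ -r "$f" ] || return 1
    cat "$f"
}

# check_nomerges SYSFS_ROOT DEV -> 0 if merging is fully disabled, 1 otherwise
check_nomerges() {
    v=$(nomerges_value "$1" "$2") || return 1
    [ "$v" = "2" ]
}

# apply_nomerges SYSFS_ROOT DEV -> writes 2, as the advisory's example does
#   (requires root on a real /sys; the value does not survive a reboot)
apply_nomerges() {
    f="$1/block/$2/queue/nomerges"
    [ -w "$f" ] || return 1
    echo 2 > "$f"
}

# audit_devices SYSFS_ROOT DEV... -> one line per device; the return value is
#   the number of devices still merging, so 0 means the mitigation is in place
audit_devices() {
    root=$1
    shift
    unmitigated=0
    for dev in "$@"; do
        if check_nomerges "$root" "$dev"; then
            echo "$dev: nomerges=2 (mitigated)"
        else
            cur=$(nomerges_value "$root" "$dev" 2>/dev/null || echo '?')
            echo "$dev: nomerges=$cur (merging enabled)"
            unmitigated=$((unmitigated + 1))
        fi
    done
    return "$unmitigated"
}

# Usage: sh xsa229-audit.sh /sys nvme0n1 sda
if [ "$#" -ge 2 ]; then
    audit_devices "$@"
fi
```

The advisory writes 2 rather than 1 because 1 only disables the more complex merge paths, while 2 turns merging off entirely. Because the sysfs value resets at boot, an init script or udev rule must reapply it until the patched kernel is installed, and `audit_devices` is the check to run after each reboot; the devices to audit are those underlying the vbd backends (blkback) and any disk images accessed directly by qemu on the guests' behalf, as the VULNERABLE SYSTEMS section above describes.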
Comment 2 D'juan McDonald (domhnall) 2017-08-24 17:31:26 UTC
@Security, Sorry to over-populate the ticket but I would like to make the information easier to process.


[Xen Security Advisory 229 (CVE-2017-12134)]

CVE-2017-12134(https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12134):
The xen_biovec_phys_mergeable function in drivers/xen/biomerge.c in Xen might allow local OS guest users to corrupt block device data streams and consequently obtain sensitive memory information, cause a denial of service, or gain host OS privileges by leveraging incorrect block IO merge-ability calculation.


[Xen Security Advisory CVE-2017-12135 / XSA-226]

CVE-2017-12135(https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12135):
Xen allows local OS guest users to cause a denial of service (crash) or possibly obtain sensitive information or gain privileges via vectors involving transitive grants.


[Xen Security Advisory CVE-2017-12136 / XSA-228]

CVE-2017-12136(https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12136):
Race condition in the grant table code in Xen 4.6.x through 4.9.x allows local guest OS administrators to cause a denial of service (free list corruption and host crash) or gain privileges on the host via vectors involving maptrack free list handling.


[Xen Security Advisory 227 (CVE-2017-12137)]

CVE-2017-12137(https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12137):
arch/x86/mm.c in Xen allows local PV guest OS users to gain host OS privileges via vectors related to map_grant_ref.
Comment 3 Yixun Lan gentoo-dev 2017-10-13 08:12:17 UTC
this should be fixed now, all <=XSA-244 should be fixed with 
  =app-emulation/xen-4.8.2-r1 && 
  =app-emulation/xen-tools-4.8.2-r1 
pushed
Comment 4 D'juan McDonald (domhnall) 2017-10-17 05:44:58 UTC
(In reply to Yixun Lan from comment #3)

> comment #3

Thank you,

Whiteboard now changed.
Comment 5 D'juan McDonald (domhnall) 2017-10-17 06:04:20 UTC
also, cc amd64,x86 when ready for stable please, thank you again.
Comment 6 Yury German Gentoo Infrastructure gentoo-dev 2017-11-30 07:37:38 UTC
Arches and Maintainer(s), Thank you for your work.

New GLSA Request filed.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2018-01-14 23:50:39 UTC
This issue was resolved and addressed in
 GLSA 201801-14 at https://security.gentoo.org/glsa/201801-14
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 8 Larry the Git Cow gentoo-dev 2019-11-08 20:53:33 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a65a72c5bf82bef9f6a7fd525ca42a7c7027d5e7

commit a65a72c5bf82bef9f6a7fd525ca42a7c7027d5e7
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-11-08 20:10:18 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-11-08 20:53:24 +0000

    package.mask: Last rite <dev-python/numpy-1.14.5 & revdeps
    
    Bug: https://bugs.gentoo.org/627962
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 profiles/package.mask | 10 ++++++++++
 1 file changed, 10 insertions(+)