| Summary: | <app-emulation/xen{,tools}-4.8.2-r1: Multiple Vulnerabilities | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | D'juan McDonald (domhnall) <flopwiki> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | major | CC: | hydrapolic, xen |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://xenbits.xen.org/xsa/ | | |
| Whiteboard: | B1 [glsa+ cve] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | | | |
| Bug Blocks: | 627956 | | |
Description
D'juan McDonald (domhnall)
2017-08-15 20:57:56 UTC
Xen Security Advisory CVE-2017-12134 / XSA-229
version 3

linux: Fix Xen block IO merge-ability calculation

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

The block layer in Linux may choose to merge adjacent block IO requests. When Linux is running as a Xen guest, the default merging algorithm is replaced with a Xen-specific one.

When Linux is running as an x86 PV guest, some BIO's are erroneously merged, corrupting the data stream to/from the block device.

This can result in incorrect access to an uncontrolled adjacent frame.

IMPACT
======

A buggy or malicious guest can cause Linux to read or write incorrect memory when processing a block stream. This could leak information from other guests in the system or from Xen itself, or be used to DoS or escalate privilege within the system.

VULNERABLE SYSTEMS
==================

All x86 Xen systems using pvops Linux in a backend role (either as dom0, or as a disk device driver domain) are affected. This includes upstream Linux versions 2.6.37 and later. Systems using the older classic-linux fork are not affected.

All PV x86 domains doing block IO on behalf of a guest, including dom0 and any PV driver domains, are vulnerable. (Any HVM driver domains running are not vulnerable.) This includes Xen vbd backends such as blkback, but also direct IO performed for the guest via eg qemu.

ARM systems are not affected.

The vulnerability is only exposed if the underlying block device has request merging enabled. See Mitigation.

The vulnerability is only exposed to configurations which use grant mapping as a transport mechanism for the block data. Configurations which use exclusively grant copy are not vulnerable.

MITIGATION
==========

Disable bio merges on all relevant underlying backend block devices. For example,

    echo 2 > /sys/block/nvme0n1/queue/nomerges

CREDITS
=======

This issue was discovered by Jan H. Schönherr of Amazon.

=========================================

Xen Security Advisory CVE-2017-12136 / XSA-228
version 3

grant_table: Race conditions with maptrack free list handling

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

The grant table code in Xen has a bespoke semi-lockfree allocator for recording grant mappings ("maptrack" entries). This allocator has a race which allows the free list to be corrupted.

Specifically: the code for removing an entry from the free list, prior to use, assumes (without locking) that if inspecting the head item shows that it is not the tail, it will continue to not be the tail of the list if it is later found to be still the head and removed with cmpxchg. But the entry might have been removed and replaced, with the result that it might be the tail by then. (The invariants for the semi-lockfree data structure were never formally documented.)

Additionally, a stolen entry is put on the free list with an incorrect link field, which will very likely corrupt the list.

IMPACT
======

A malicious guest administrator can crash the host, and can probably escalate their privilege to that of the host.

VULNERABLE SYSTEMS
==================

Xen 4.6 and later are vulnerable. Xen 4.5 and earlier are not vulnerable.

MITIGATION
==========

There is no mitigation for this vulnerability.

CREDITS
=======

This issue was discovered by Ian Jackson of Citrix.

====================================

Xen Security Advisory CVE-2017-12135 / XSA-226
version 6

multiple problems with transitive grants

UPDATES IN VERSION 6
====================

Patches actually addressing the issue have become ready.

ISSUE DESCRIPTION
=================

1) Code to handle copy operations on transitive grants has built in retry logic, involving a function reinvoking itself with unchanged parameters. Such use assumes that the compiler would also translate this to a so called "tail call" when generating machine code. Empirically, this is not commonly the case, allowing for theoretically unbounded nesting of such function calls.

2) The reference counting and locking discipline for transitive grants is broken. Concurrent use of the transitive grant can leak references on the transitively-referenced grant.

IMPACT
======

A malicious or buggy guest may be able to crash Xen. Privilege escalation and information leaks cannot be ruled out.

A malicious or buggy guest can leak references on grants it has been given, amounting to a DoS against the grantee.

VULNERABLE SYSTEMS
==================

All versions of Xen are vulnerable.

MITIGATION
==========

There is no known mitigation.

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE. The security team would also like to thank Amazon for helping to identify that the problems with transitive grants were deeper than originally believed.

@Security, Sorry to over-populate the ticket but I would like to make the information easier to process.

[Xen Security Advisory 229 (CVE-2017-12134)]
CVE-2017-12134 (https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12134): The xen_biovec_phys_mergeable function in drivers/xen/biomerge.c in Xen might allow local OS guest users to corrupt block device data streams and consequently obtain sensitive memory information, cause a denial of service, or gain host OS privileges by leveraging incorrect block IO merge-ability calculation.

[Xen Security Advisory CVE-2017-12135 / XSA-226]
CVE-2017-12135 (https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12135): Xen allows local OS guest users to cause a denial of service (crash) or possibly obtain sensitive information or gain privileges via vectors involving transitive grants.
[Xen Security Advisory CVE-2017-12136 / XSA-228]
CVE-2017-12136 (https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12136): Race condition in the grant table code in Xen 4.6.x through 4.9.x allows local guest OS administrators to cause a denial of service (free list corruption and host crash) or gain privileges on the host via vectors involving maptrack free list handling.

[Xen Security Advisory 227 (CVE-2017-12137)]
CVE-2017-12137 (https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12137): arch/x86/mm.c in Xen allows local PV guest OS users to gain host OS privileges via vectors related to map_grant_ref.

this should be fixed now, all <=XSA-244 should be fixed with =app-emulation/xen-4.8.2-r1 && =app-emulation/xen-tools-4.8.2-r1 pushed

(In reply to Yixun Lan from comment #3)
> comment #3

Thank you, Whiteboard now changed. also, cc amd64,x86 when ready for stable please, thank you again.

Arches and Maintainer(s), Thank you for your work.

New GLSA Request filed.

This issue was resolved and addressed in
 GLSA 201801-14 at https://security.gentoo.org/glsa/201801-14
by GLSA coordinator Thomas Deutschmann (whissi).

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a65a72c5bf82bef9f6a7fd525ca42a7c7027d5e7

commit a65a72c5bf82bef9f6a7fd525ca42a7c7027d5e7
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-11-08 20:10:18 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-11-08 20:53:24 +0000

    package.mask: Last rite <dev-python/numpy-1.14.5 & revdeps

    Bug: https://bugs.gentoo.org/627962
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 profiles/package.mask | 10 ++++++++++
 1 file changed, 10 insertions(+)
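The XSA-229 mitigation quoted in this bug is a single `echo 2 > .../queue/nomerges` per device. The script below is an added example, not part of the bug report, the Gentoo packages or the Xen advisory: it turns that one-liner into an audit-and-apply routine over every device under /sys/block, reporting devices whose queue still allows merging (nomerges != 2), writing 2 to the ones that need it and verifying the read-back so a rejected write is not reported as success. The sysfs root is a parameter (assumed layout: `<root>/<dev>/queue/nomerges`, which is /sys/block on a live system) so the functions can be exercised against a constructed directory tree; the function names are my own.

```shell
#!/bin/sh
# Added example: audit and apply the XSA-229 mitigation (queue/nomerges=2)
# across block devices. Not from the Gentoo bug or the Xen advisory.
#
# Assumed sysfs layout: <root>/<dev>/queue/nomerges, where <root> is
# /sys/block on a live system. The root is a parameter so the functions
# can be exercised against a constructed directory tree.
#
# nomerges semantics in the Linux block layer:
#   0 = all merges enabled, 1 = only simple one-hit merges, 2 = no merging.
# XSA-229 asks for 2 on every backend device.

# xsa229_audit [ROOT]
# Prints "<dev> <nomerges>" for each device that still allows merging.
# Returns 0 if every device is mitigated, 1 if any is still exposed.
xsa229_audit() {
    root="${1:-/sys/block}"
    rc=0
    for q in "$root"/*/queue/nomerges; do
        [ -f "$q" ] || continue   # no request queue for this entry, or no match
        dev=$(basename "$(dirname "$(dirname "$q")")")
        val=$(cat "$q")
        if [ "$val" != "2" ]; then
            echo "$dev $val"
            rc=1
        fi
    done
    return $rc
}

# xsa229_disable_merges DEV [ROOT]
# Writes 2 and verifies the read-back: a write the kernel rejects would
# otherwise leave the backend exposed while the script reports success.
# Returns 0 on success, 1 if the value did not take, 2 if the file is absent
# or not writable (not root, or no such device).
xsa229_disable_merges() {
    d="$1"
    path="${2:-/sys/block}/$d/queue/nomerges"
    [ -w "$path" ] || { echo "$d: $path is not writable" >&2; return 2; }
    echo 2 > "$path" || return 2
    [ "$(cat "$path")" = "2" ] || { echo "$d: nomerges did not take effect" >&2; return 1; }
    return 0
}

# xsa229_mitigate_all [ROOT]
# Applies the mitigation to every device the audit would report.
# Returns 0 if all devices end up at nomerges=2, 1 otherwise.
xsa229_mitigate_all() {
    root="${1:-/sys/block}"
    failed=0
    for q in "$root"/*/queue/nomerges; do
        [ -f "$q" ] || continue
        [ "$(cat "$q")" = "2" ] && continue   # already mitigated
        xsa229_disable_merges "$(basename "$(dirname "$(dirname "$q")")")" "$root" || failed=1
    done
    return $failed
}

# Usage on dom0 or a PV driver domain (as root):
#   sh xsa229-nomerges.sh audit      # list devices still allowing merges
#   sh xsa229-nomerges.sh apply      # set nomerges=2 on all of them
case "${1:-}" in
    audit) xsa229_audit ;;
    apply) xsa229_mitigate_all && echo "all block devices now have nomerges=2" ;;
esac
```

The sysfs value does not survive a reboot, so whatever applies it (a udev rule or an init script) must run at boot on dom0 and on every PV driver domain that serves block IO for guests. Per the advisory only devices reached through grant mapping are exposed, but the script treats every device under /sys/block as a potential backend; restricting it to the devices that actually back guest vbds is an operator decision, and disabling merges everywhere is the conservative choice.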