
Bug 631366 (CVE-2017-14316, CVE-2017-14317, CVE-2017-14318, CVE-2017-14319)

Summary: <app-emulation/xen-4.8.2-r1: Multiple Vulnerabilities (CVE-2017-{14316,14317,14318,14319})
Product: Gentoo Security
Reporter: Tomáš Mózes <hydrapolic>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: xen
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
See Also: https://bugs.gentoo.org/show_bug.cgi?id=631370
Whiteboard: B3 [noglsa cve]
Package list:
=app-emulation/xen-4.8.2-r1 amd64
=app-emulation/xen-pvgrub-4.8.2-r1 amd64 x86
=app-emulation/xen-tools-4.8.2-r1 amd64 x86
Runtime testing required: ---

Description Tomáš Mózes 2017-09-19 04:50:00 UTC
Advisory   Public release      Updated             Version  CVE             Title
XSA-234    2017-09-12 12:00    2017-09-12 12:03    3        CVE-2017-14319  insufficient grant unmapping checks for x86 PV guests
XSA-233    2017-09-12 12:00    2017-09-12 12:03    3        CVE-2017-14317  cxenstored: Race in domain cleanup
XSA-232    2017-09-12 12:00    2017-09-12 12:03    4        CVE-2017-14318  Missing check for grant table
XSA-231    2017-09-12 12:00    2017-09-12 12:03    3        CVE-2017-14316  Missing NUMA node parameter verification
Comment 1 Tomáš Mózes 2017-09-19 04:52:01 UTC
            Xen Security Advisory CVE-2017-14316 / XSA-231
                               version 3

               Missing NUMA node parameter verification

UPDATES IN VERSION 3
====================

Updated metadata file

Public release.

ISSUE DESCRIPTION
=================

The function `alloc_heap_pages` allows callers to specify the first
NUMA node that should be used for allocations through the `memflags`
parameter; the node is extracted using the `MEMF_get_node` macro.

While the function checks to see if the special constant
`NUMA_NO_NODE` is specified, it otherwise does not handle the case
where `node >= MAX_NUMNODES`.  This allows an out-of-bounds access
to an internal array.

IMPACT
======

An attacker using crafted hypercalls can execute arbitrary code within
Xen.

VULNERABLE SYSTEMS
==================

All versions of Xen are affected.

Both ARM and x86 are affected.

Both systems running HVM guests and systems running PV guests are
affected.

MITIGATION
==========

No known mitigation.

CREDITS
=======

This issue was discovered by Matthew Daley.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa231.patch           xen-unstable
xsa231-4.9.patch       Xen 4.9, Xen 4.8
xsa231-4.7.patch       Xen 4.7, Xen 4.6
xsa231-4.5.patch       Xen 4.5
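The missing bounds check that XSA-231 describes, as an added C model written for this page (it is not Xen's code and not the xsa231 patch; the `MEMF_node` field layout, the values of `MAX_NUMNODES` and `NUMA_NO_NODE`, and the `avail[]` table are this example's own assumptions). The vulnerable selector handles only the `NUMA_NO_NODE` sentinel and hands any other guest-supplied value straight on as an array index; the hardened one rejects `node >= MAX_NUMNODES` before anything indexes the per-node bookkeeping:

```c
#include <stdio.h>

/* Layout of the node field inside memflags, modelled after Xen's
 * MEMF_node()/MEMF_get_node(); shift and width are this example's choice. */
#define MEMF_node_shift   8
#define MEMF_node_mask    0xffu
#define MEMF_node(n)      (((unsigned int)(n) & MEMF_node_mask) << MEMF_node_shift)
#define MEMF_get_node(f)  (((f) >> MEMF_node_shift) & MEMF_node_mask)

#define MAX_NUMNODES      8u      /* size of the per-node bookkeeping arrays (assumed) */
#define NUMA_NO_NODE      0xffu   /* "caller does not care which node" (assumed value) */

/* Constructed per-node free-page counts: nodes 0-3 populated, 4-7 empty. */
unsigned long avail[MAX_NUMNODES] = { 64, 64, 64, 64, 0, 0, 0, 0 };

/* Vulnerable selector: only the NUMA_NO_NODE sentinel is handled, so any
 * other value extracted from memflags is returned verbatim and would later
 * be used as avail[node].  local_node is the hypervisor's own choice and is
 * assumed to be a valid index. */
int select_node_vulnerable(unsigned int memflags, unsigned int local_node)
{
    unsigned int node = MEMF_get_node(memflags);
    if (node == NUMA_NO_NODE)
        node = local_node;
    return (int)node;          /* may be >= MAX_NUMNODES: out-of-bounds index */
}

/* Hardened selector: an explicitly requested node must be a valid index. */
int select_node_hardened(unsigned int memflags, unsigned int local_node)
{
    unsigned int node = MEMF_get_node(memflags);
    if (node == NUMA_NO_NODE)
        node = local_node;
    else if (node >= MAX_NUMNODES)
        return -1;             /* reject the request instead of indexing past the array */
    return (int)node;
}

/* Allocation front-end built on the hardened selector.  Returns the node the
 * pages were taken from, or -1 if the request was invalid or cannot be met. */
long alloc_pages_hardened(unsigned int memflags, unsigned int local_node, unsigned long count)
{
    int node = select_node_hardened(memflags, local_node);
    if (node < 0 || avail[node] < count)
        return -1;
    avail[node] -= count;
    return node;
}

int main(void)
{
    /* A guest-controlled memflags value naming node 200 on an 8-node table. */
    unsigned int flags = MEMF_node(200);
    long got;

    printf("vulnerable would index avail[%d]\n", select_node_vulnerable(flags, 0));
    printf("hardened returns %d\n", select_node_hardened(flags, 0));

    got = alloc_pages_hardened(MEMF_node(1), 0, 16);
    printf("alloc from node 1 -> node %ld, %lu pages left\n", got, avail[1]);
    return 0;
}
```

The hardened check is placed on the explicit-node path only: when the caller passes `NUMA_NO_NODE` the fallback node comes from the hypervisor, not from the guest, so that value is trusted in this model.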
Comment 2 Tomáš Mózes 2017-09-19 04:52:16 UTC
            Xen Security Advisory CVE-2017-14318 / XSA-232
                               version 4

                     Missing check for grant table

UPDATES IN VERSION 4
====================

Added metadata file

Public release.

ISSUE DESCRIPTION
=================

The function `__gnttab_cache_flush` handles GNTTABOP_cache_flush grant
table operations. It checks to see if the calling domain is the owner
of the page that is to be operated on. If it is not, the owner's grant
table is checked to see if a grant mapping to the calling domain
exists for the page in question.

However, the function does not check to see if the owning domain
actually has a grant table or not. Some special domains, such as
`DOMID_XEN`, `DOMID_IO` and `DOMID_COW` are created without grant
tables. Hence, if __gnttab_cache_flush operates on a page owned by
these special domains, it will attempt to dereference a null pointer
in the domain struct.


IMPACT
======

The guest can get Xen to dereference a NULL pointer.

For ARM guests and x86 PV guests on systems with SMAP enabled, this will
cause a host crash (denial-of-service).

For x86 PV guests on systems without SMAP enabled, an attacker can map
a crafted grant structure at virtual address 0.  This can be leveraged
to increment an arbitrary virtual address, which can then probably be
leveraged into a full privilege escalation.


VULNERABLE SYSTEMS
==================

All versions of Xen since Xen 4.5 are vulnerable.

x86 HVM guests do not expose the vulnerability.

ARM guests and x86 PV guests on systems with SMAP enabled are only
vulnerable to a Denial-of-Service (host crash).

x86 PV guests on systems without SMAP running are vulnerable to a
privilege escalation.

MITIGATION
==========

Hardware supporting Supervisor Mode Access Prevention (Intel Broadwell,
AMD Zen) can mitigate the privilege escalation to a DoS.

CREDITS
=======

This issue was discovered by Matthew Daley.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa232.patch           xen-unstable, 4.9, 4.8, 4.7, 4.6, 4.5
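The owner-side check that XSA-232 says was missing, as an added C model written for this page (not Xen's `__gnttab_cache_flush` and not the xsa232 patch; the grant table, domain and page structures are toy versions, and the `DOMID_*` numeric values are quoted from memory of Xen's public headers, with only the fact that these domains carry no grant table mattering here). The vulnerable function walks `owner->grant_table` as soon as the caller is not the owner; the hardened one first refuses any page whose owner has no grant table at all:

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Reserved domain ids (values as I recall them from xen/include/public/xen.h). */
#define DOMID_IO   0x7FF1u
#define DOMID_XEN  0x7FF2u
#define DOMID_COW  0x7FF3u

#define MAX_GRANTS 4

/* Toy grant table: which foreign domain may map which machine frame. */
struct grant_entry { unsigned int domid; unsigned long mfn; };
struct grant_table { unsigned int nr; struct grant_entry ent[MAX_GRANTS]; };

struct domain {
    unsigned int domid;
    struct grant_table *grant_table;  /* NULL for the special domains */
};

struct page_info {
    unsigned long mfn;
    struct domain *owner;
};

/* Does gt contain a grant of mfn to domid?  Caller guarantees gt != NULL. */
static int grant_permits(const struct grant_table *gt, unsigned int domid, unsigned long mfn)
{
    for (unsigned int i = 0; i < gt->nr; i++)
        if (gt->ent[i].domid == domid && gt->ent[i].mfn == mfn)
            return 1;
    return 0;
}

/* Vulnerable: owner != caller leads straight into owner->grant_table. */
int cache_flush_check_vulnerable(struct domain *caller, struct page_info *pg)
{
    struct domain *owner = pg->owner;
    if (owner == caller)
        return 0;
    /* BUG: owner->grant_table is NULL for pages owned by DOMID_XEN/IO/COW. */
    return grant_permits(owner->grant_table, caller->domid, pg->mfn) ? 0 : -EPERM;
}

/* Hardened: a domain without a grant table cannot have granted anything,
 * so a foreign caller is refused before the table is touched. */
int cache_flush_check_hardened(struct domain *caller, struct page_info *pg)
{
    struct domain *owner = pg->owner;
    if (owner == caller)
        return 0;
    if (owner->grant_table == NULL)
        return -EPERM;
    return grant_permits(owner->grant_table, caller->domid, pg->mfn) ? 0 : -EPERM;
}

/* Constructed sample system: two ordinary guests and the three special domains. */
struct grant_table dom1_gt = { .nr = 1, .ent = { { 2, 0x1000 } } }; /* dom1 grants 0x1000 to dom2 */
struct grant_table dom2_gt = { .nr = 0 };
struct domain dom1    = { 1, &dom1_gt };
struct domain dom2    = { 2, &dom2_gt };
struct domain dom_io  = { DOMID_IO,  NULL };
struct domain dom_xen = { DOMID_XEN, NULL };
struct domain dom_cow = { DOMID_COW, NULL };

struct page_info pg_granted = { 0x1000, &dom1 };  /* dom1 page, granted to dom2 */
struct page_info pg_private = { 0x2000, &dom1 };  /* dom1 page, not granted */
struct page_info pg_io      = { 0x3000, &dom_io };
struct page_info pg_xen     = { 0x4000, &dom_xen };
struct page_info pg_cow     = { 0x5000, &dom_cow };

int main(void)
{
    printf("dom2 flush of granted dom1 page: %d\n", cache_flush_check_hardened(&dom2, &pg_granted));
    printf("dom2 flush of private dom1 page: %d\n", cache_flush_check_hardened(&dom2, &pg_private));
    printf("dom2 flush of DOMID_XEN page:    %d\n", cache_flush_check_hardened(&dom2, &pg_xen));
    /* cache_flush_check_vulnerable(&dom2, &pg_xen) would dereference NULL here. */
    return 0;
}
```

On the real system the NULL dereference lands at hypervisor virtual address 0, which is why the advisory's impact splits on SMAP: with SMAP the access to a guest-mapped page 0 faults and the host crashes, without it a PV guest can place a crafted structure there and have the walk read it.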
Comment 3 Tomáš Mózes 2017-09-19 04:52:29 UTC
            Xen Security Advisory CVE-2017-14317 / XSA-233
                               version 3

                  cxenstored: Race in domain cleanup

UPDATES IN VERSION 3
====================

Added metadata file

Public release.

ISSUE DESCRIPTION
=================

When shutting down a VM with a stubdomain, a race in cxenstored may
cause a double-free.

IMPACT
======

The xenstored daemon may crash, resulting in a DoS of any parts of the
system relying on it (including domain creation / destruction,
ballooning, device changes, etc).

VULNERABLE SYSTEMS
==================

All versions of Xen are vulnerable.

Only systems running the C version of xenstored ("xenstored") are
vulnerable; systems running the Ocaml version ("oxenstored") are not
vulnerable.

Only systems running devicemodel stubdomains are vulnerable.  Only x86
HVM guests can use stubdomains.  Therefore ARM systems, x86 systems
running only PV guests, and x86 systems running HVM guests with the
devicemodel not in a stubdomain (eg in dom0), are not vulnerable.

MITIGATION
==========

Running oxenstored will mitigate this issue.  Not using stubdomains
will also mitigate the issue.

CREDITS
=======

This issue was discovered by Eric Chanudet of AIS.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa233.patch     xen-unstable, Xen 4.9.x, Xen 4.8.x, Xen 4.7.x, Xen 4.6.x, Xen 4.5.x
Comment 4 Tomáš Mózes 2017-09-19 04:52:38 UTC
            Xen Security Advisory CVE-2017-14319 / XSA-234
                               version 3

          insufficient grant unmapping checks for x86 PV guests

UPDATES IN VERSION 3
====================

Added metadata file

Public release.

ISSUE DESCRIPTION
=================

When removing or replacing a grant mapping, the x86 PV specific path
needs to make sure page table entries remain in sync with other
accounting done.  Although the identity of the page frame was
validated correctly, neither the presence of the mapping nor page
writability were taken into account.

IMPACT
======

A malicious or buggy x86 PV guest could escalate its privileges or
crash the hypervisor.

VULNERABLE SYSTEMS
==================

All Xen versions are affected.

Only x86 PV guests can leverage the vulnerability.  x86 HVM guests as
well as ARM guests cannot leverage the vulnerability.

MITIGATION
==========

Running only HVM guests will avoid this vulnerability.  However, the
vulnerability is exposed to PV stub qemu serving as the device model
for HVM guests.  Our default assumption is that an HVM guest has
compromised its PV stub qemu.  By extension, it is likely that the
vulnerability is exposed to HVM guests which are served by a PV stub
qemu.

For PV guests, the vulnerability can be avoided if the guest kernel is
controlled by the host rather than guest administrator, provided that
further steps are taken to prevent the guest administrator from loading
code into the kernel (e.g. by disabling loadable modules etc) or from
using other mechanisms which allow them to run code at kernel privilege.

CREDITS
=======

This issue was discovered by Andrew Cooper of Citrix.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa234.patch           xen-unstable
xsa234-4.9.patch       Xen 4.9.x
xsa234-4.8.patch       Xen 4.8.x, Xen 4.7.x
xsa234-4.6.patch       Xen 4.6.x
xsa234-4.5.patch       Xen 4.5.x
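A simplified C model of the checks XSA-234 says were absent on the x86 PV unmap/replace path, added for this page (it is not Xen's code and not the xsa234 patch). The PTE bit positions are x86's; the `writable_refs` counter, the `mapped_rw` flag and both functions are this example's constructions. The vulnerable teardown validates only the frame number before releasing the writable reference it has on record; the hardened one also requires the entry to be present and, for a mapping accounted as writable, to still carry the RW bit. The counter drift shown in the test is one consequence of the missing checks in this model, not a description of the actual exploit path:

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* x86 PTE bits used here: bit 0 present, bit 1 writable, bits 12-51 frame number. */
#define PTE_PRESENT   0x001ull
#define PTE_RW        0x002ull
#define PTE_MFN_MASK  0x000ffffffffff000ull

struct page_info {
    unsigned long mfn;
    long writable_refs;   /* writable grant mappings the accounting believes exist */
};

struct pte_slot { uint64_t val; };

uint64_t make_pte(unsigned long mfn, uint64_t flags)
{
    return ((uint64_t)mfn << 12) | flags;
}

unsigned long pte_mfn(uint64_t v)
{
    return (unsigned long)((v & PTE_MFN_MASK) >> 12);
}

/* Vulnerable: checks only that the PTE names the expected frame, then
 * releases the writable reference recorded for this mapping (mapped_rw is
 * what the grant accounting remembers, not what the PTE says). */
int unmap_grant_pte_vulnerable(struct pte_slot *slot, struct page_info *frame, int mapped_rw)
{
    if (pte_mfn(slot->val) != frame->mfn)
        return -EINVAL;                 /* frame identity: this check was present */
    slot->val = 0;
    if (mapped_rw)
        frame->writable_refs--;         /* BUG: PTE may be non-present or read-only */
    return 0;
}

/* Hardened: the PTE must really be a present mapping of the frame, and if the
 * accounting says the mapping was writable the PTE must still carry RW. */
int unmap_grant_pte_hardened(struct pte_slot *slot, struct page_info *frame, int mapped_rw)
{
    uint64_t old = slot->val;
    if (!(old & PTE_PRESENT))
        return -EINVAL;                 /* nothing is mapped here */
    if (pte_mfn(old) != frame->mfn)
        return -EINVAL;                 /* wrong frame */
    if (mapped_rw && !(old & PTE_RW))
        return -EINVAL;                 /* accounting and page table disagree */
    slot->val = 0;
    if (mapped_rw)
        frame->writable_refs--;
    return 0;
}

int main(void)
{
    /* Constructed: a frame with no live writable mapping, and a PTE that is
     * not present but still carries that frame's number bits. */
    struct page_info frame = { 0x1234, 0 };
    struct pte_slot slot = { make_pte(0x1234, 0) };
    int rc;

    rc = unmap_grant_pte_vulnerable(&slot, &frame, 1);
    printf("vulnerable: rc=%d writable_refs=%ld\n", rc, frame.writable_refs);

    slot.val = make_pte(0x1234, 0);
    frame.writable_refs = 0;
    rc = unmap_grant_pte_hardened(&slot, &frame, 1);
    printf("hardened:   rc=%d writable_refs=%ld\n", rc, frame.writable_refs);
    return 0;
}
```

The point of the model is the invariant, not the bit twiddling: every reference the hypervisor drops on behalf of a guest must correspond to a mapping that is actually there, with the properties the accounting assumed, otherwise page-table state and reference counts diverge and the guest controls the direction of the divergence.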
Comment 5 Yixun Lan gentoo-dev 2017-09-30 05:50:25 UTC
I've pushed 4.8.2 to the portage tree, so all XSA (from 231 to 234) should be fixed by now, thanks.

commit d91052023c3f298100aa0f17a1ea1615a0f239eb
Author: Yixun Lan <dlan@gentoo.org>
Date:   Sat Sep 30 12:44:48 2017 +0800

    app-emulation/xen-tools: version bump, 4.8.2
    
    this bump also fixes security issues
    XSA-231,232,233,234
    
    Package-Manager: Portage-2.3.10, Repoman-2.3.3

commit bc9bced5a747fa983ddee042bd3fed76838e2130
Author: Yixun Lan <dlan@gentoo.org>
Date:   Sat Sep 30 12:38:03 2017 +0800

    app-emulation/xen: version bump, 4.8.2
    
    this bump also fixes security issues
    XSA-231,232,233,234
Comment 6 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-05 20:59:35 UTC
Thank you, 

Please call for stabilization when ready.

Gentoo Security Padawan
ChrisADR
Comment 7 Yixun Lan gentoo-dev 2017-10-13 08:21:47 UTC
as we fixed lots of XSA security bugs (all <=XSA-245)

Arches, please test and mark stable:
=app-emulation/xen-4.8.2-r1
Target keyword only: "amd64"

=app-emulation/xen-pvgrub-4.8.2-r1
=app-emulation/xen-tools-4.8.2
Target keywords: "amd64 x86"
Comment 8 Yixun Lan gentoo-dev 2017-10-13 08:23:45 UTC
(In reply to Yixun Lan from comment #7)
> as we fixed lots of XSA security bugs (all <=XSA-245)
sorry, fixed the wrong version for xen-tools

Arches, please test and mark stable:
=app-emulation/xen-4.8.2-r1
Target keyword only: "amd64"

=app-emulation/xen-pvgrub-4.8.2-r1
=app-emulation/xen-tools-4.8.2-r1
Target keywords: "amd64 x86"
Comment 9 Thomas Deutschmann gentoo-dev Security 2017-11-02 21:18:47 UTC
x86 stable
Comment 10 Yixun Lan gentoo-dev 2017-11-03 18:04:35 UTC
update the versions

Arches, please test and mark stable:
=app-emulation/xen-4.8.2-r2
Target keyword only: "amd64"

=app-emulation/xen-pvgrub-4.8.2-r1
=app-emulation/xen-tools-4.8.2-r3
Target keywords: "amd64 x86"
Comment 11 Yixun Lan gentoo-dev 2017-11-03 18:05:33 UTC
amd64 & x86 stable
Comment 12 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-11-03 19:37:51 UTC
GLSA Vote: No

@maintainer, please clean.
Comment 13 Agostino Sarubbo gentoo-dev 2017-11-08 13:39:07 UTC
amd64 stable.

Maintainer(s), please cleanup.
Comment 14 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-01-08 21:57:22 UTC
tree is clean.