Summary: | <app-emulation/xen-4.8.2-r1: Multiple Vulnerabilities (CVE-2017-{14316,14317,14318,14319}) | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Tomáš Mózes <hydrapolic> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | minor | CC: | xen |
Priority: | Normal | Flags: | stable-bot: sanity-check+ |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
See Also: | https://bugs.gentoo.org/show_bug.cgi?id=631370 | | |
Whiteboard: | B3 [noglsa cve] | | |
Package list: | =app-emulation/xen-4.8.2-r1 amd64 <br> =app-emulation/xen-pvgrub-4.8.2-r1 amd64 x86 <br> =app-emulation/xen-tools-4.8.2-r1 amd64 x86 | | |
Runtime testing required: | --- | | |
Description
Tomáš Mózes
2017-09-19 04:50:00 UTC
Xen Security Advisory CVE-2017-14316 / XSA-231
version 3

Missing NUMA node parameter verification

UPDATES IN VERSION 3
====================

Updated metadata file
Public release.

ISSUE DESCRIPTION
=================

The function `alloc_heap_pages` allows callers to specify the first NUMA node that should be used for allocations through the `memflags` parameter; the node is extracted using the `MEMF_get_node` macro. While the function checks to see if the special constant `NUMA_NO_NODE` is specified, it otherwise does not handle the case where `node >= MAX_NUMNODES`. This allows an out-of-bounds access to an internal array.

IMPACT
======

An attacker using crafted hypercalls can execute arbitrary code within Xen.

VULNERABLE SYSTEMS
==================

All versions of Xen are affected. Both ARM and x86 are affected. Both systems running HVM guests and systems running PV guests are affected.

MITIGATION
==========

No known mitigation.

CREDITS
=======

This issue was discovered by Matthew Daley.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa231.patch xen-unstable
xsa231-4.9.patch Xen 4.9, Xen 4.8
xsa231-4.7.patch Xen 4.7, Xen 4.6
xsa231-4.5.patch Xen 4.5

Xen Security Advisory CVE-2017-14318 / XSA-232
version 4

Missing check for grant table

UPDATES IN VERSION 4
====================

Added metadata file
Public release.

ISSUE DESCRIPTION
=================

The function `__gnttab_cache_flush` handles GNTTABOP_cache_flush grant table operations. It checks to see if the calling domain is the owner of the page that is to be operated on. If it is not, the owner's grant table is checked to see if a grant mapping to the calling domain exists for the page in question. However, the function does not check to see if the owning domain actually has a grant table or not. Some special domains, such as `DOMID_XEN`, `DOMID_IO` and `DOMID_COW` are created without grant tables. Hence, if __gnttab_cache_flush operates on a page owned by these special domains, it will attempt to dereference a null pointer in the domain struct.

IMPACT
======

The guest can get Xen to dereference a NULL pointer. For ARM guests and x86 PV guests on systems with SMAP enabled, this will cause a host crash (denial-of-service). For x86 PV guests on systems without SMAP enabled, an attacker can map a crafted grant structure at virtual address 0. This can be leveraged to increment an arbitrary virtual address, which can then probably be leveraged into a full privilege escalation.

VULNERABLE SYSTEMS
==================

All versions of Xen since Xen 4.5 are vulnerable. x86 HVM guests do not expose the vulnerability. ARM guests and x86 PV guests on systems with SMAP enabled are only vulnerable to a Denial-of-Service (host crash). x86 PV guests on systems without SMAP running are vulnerable to a privilege escalation.

MITIGATION
==========

Hardware supporting Supervisor Mode Access Prevention (Intel Broadwell, AMD Zen) can mitigate the privilege escalation to a DoS.

CREDITS
=======

This issue was discovered by Matthew Daley.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa232.patch xen-unstable, 4.9, 4.8, 4.7, 4.6, 4.5

Xen Security Advisory CVE-2017-14317 / XSA-233
version 3

cxenstored: Race in domain cleanup

UPDATES IN VERSION 3
====================

Added metadata file
Public release.

ISSUE DESCRIPTION
=================

When shutting down a VM with a stubdomain, a race in cxenstored may cause a double-free.

IMPACT
======

The xenstored daemon may crash, resulting in a DoS of any parts of the system relying on it (including domain creation / destruction, ballooning, device changes, etc).

VULNERABLE SYSTEMS
==================

All versions of Xen are vulnerable. Only systems running the C version of xenstored ("xenstored") are vulnerable; systems running the Ocaml version ("oxenstored") are not vulnerable. Only systems running devicemodel stubdomains are vulnerable. Only x86 HVM guests can use stubdomains. Therefore ARM systems, x86 systems running only PV guests, and x86 systems running HVM guests with the devicemodel not in a stubdomain (eg in dom0), are not vulnerable.

MITIGATION
==========

Running oxenstored will mitigate this issue. Not using stubdomains will also mitigate the issue.

CREDITS
=======

This issue was discovered by Eric Chanudet of AIS.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa233.patch xen-unstable, Xen 4.9.x, Xen 4.8.x, Xen 4.7.x, Xen 4.6.x, Xen 4.5.x

Xen Security Advisory CVE-2017-14319 / XSA-234
version 3

insufficient grant unmapping checks for x86 PV guests

UPDATES IN VERSION 3
====================

Added metadata file
Public release.

ISSUE DESCRIPTION
=================

When removing or replacing a grant mapping, the x86 PV specific path needs to make sure page table entries remain in sync with other accounting done. Although the identity of the page frame was validated correctly, neither the presence of the mapping nor page writability were taken into account.

IMPACT
======

A malicious or buggy x86 PV guest could escalate its privileges or crash the hypervisor.

VULNERABLE SYSTEMS
==================

All Xen versions are affected. Only x86 PV guests can leverage the vulnerability. x86 HVM guests as well as ARM guests cannot leverage the vulnerability.

MITIGATION
==========

Running only HVM guests will avoid this vulnerability. However, the vulnerability is exposed to PV stub qemu serving as the device model for HVM guests. Our default assumption is that an HVM guest has compromised its PV stub qemu. By extension, it is likely that the vulnerability is exposed to HVM guests which are served by a PV stub qemu.

For PV guests, the vulnerability can be avoided if the guest kernel is controlled by the host rather than guest administrator, provided that further steps are taken to prevent the guest administrator from loading code into the kernel (e.g. by disabling loadable modules etc) or from using other mechanisms which allow them to run code at kernel privilege.

CREDITS
=======

This issue was discovered by Andrew Cooper of Citrix.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa234.patch xen-unstable
xsa234-4.9.patch Xen 4.9.x
xsa234-4.8.patch Xen 4.8.x, Xen 4.7.x
xsa234-4.6.patch Xen 4.6.x
xsa234-4.5.patch Xen 4.5.x

I've pushed 4.8.2 to the portage tree, so all XSA (from 231 to 234) should be fixed by now, thanks.

commit d91052023c3f298100aa0f17a1ea1615a0f239eb
Author: Yixun Lan <dlan@gentoo.org>
Date:   Sat Sep 30 12:44:48 2017 +0800

    app-emulation/xen-tools: version bump, 4.8.2

    this bump also fix security issue XSA-231,232,233,234

    Package-Manager: Portage-2.3.10, Repoman-2.3.3

commit bc9bced5a747fa983ddee042bd3fed76838e2130
Author: Yixun Lan <dlan@gentoo.org>
Date:   Sat Sep 30 12:38:03 2017 +0800

    app-emulation/xen: version bump, 4.8.2

    this bump also fix security issue XSA-231,232,233,234

Thank you. Please call for stabilization when ready.

Gentoo Security Padawan
ChrisADR

as we fix lots XSA security bugs (all <=XSA-245)

Arches, please test and mark stable:
=app-emulation/xen-4.8.2-r1
Target keyword only: "amd64"

=app-emulation/xen-pvgrub-4.8.2-r1
=app-emulation/xen-tools-4.8.2
Target keywords: "amd64 x86"

(In reply to Yixun Lan from comment #7)
> as we fix lots XSA security bugs (all <=XSA-245)

sorry, fix the wrong version for xen-tools

Arches, please test and mark stable:
=app-emulation/xen-4.8.2-r1
Target keyword only: "amd64"

=app-emulation/xen-pvgrub-4.8.2-r1
=app-emulation/xen-tools-4.8.2-r1
Target keywords: "amd64 x86"

x86 stable

update the versions

Arches, please test and mark stable:
=app-emulation/xen-4.8.2-r2
Target keyword only: "amd64"

=app-emulation/xen-pvgrub-4.8.2-r1
=app-emulation/xen-tools-4.8.2-r3
Target keywords: "amd64 x86"

amd64 & x86 stable

GLSA Vote: No

@maintainer, please clean.

amd64 stable.

Maintainer(s), please cleanup.

tree is clean.
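The XSA-231 description above hinges on one detail: checking a request against the `NUMA_NO_NODE` sentinel is not the same as bounding it by `MAX_NUMNODES`, and a node index that is neither the sentinel nor in range reaches the array lookup. The C below is an added model of that check pattern, not Xen's `alloc_heap_pages` or any code from this bug; `MAX_NUMNODES = 4`, `NUMA_NO_NODE = 0xFF`, the `MEMF_node` flag encoding and the `avail_pages` table are all values assumed for the example. It places the sentinel-only extraction beside the range-checked one and only ever indexes with the validated result.

```c
/* Added example modelling the XSA-231 class of defect (sentinel check
 * without a range check). NOT Xen code: the constants, the memflags
 * encoding and the per-node table are hypothetical stand-ins. */
#include <stdio.h>
#include <stddef.h>

#define MAX_NUMNODES     4u      /* assumed node count for the example        */
#define NUMA_NO_NODE     0xFFu   /* assumed "no preference" sentinel           */
#define MEMF_node_shift  8       /* assumed position of the node field         */
#define MEMF_node_mask   0xFFu
#define MEMF_node(n)     ((((unsigned int)(n)) & MEMF_node_mask) << MEMF_node_shift)
#define MEMF_get_node(f) (((f) >> MEMF_node_shift) & MEMF_node_mask)

/* Per-node free page counts: stands in for the "internal array" the
 * advisory says is indexed with the caller-supplied node. */
static const long avail_pages[MAX_NUMNODES] = { 100, 200, 300, 400 };

/* Sentinel-only extraction: mirrors the defect. Any node value other than
 * NUMA_NO_NODE is passed back unchanged, including 0xFE, which is far past
 * the end of avail_pages if a caller were to index with it. */
static int node_from_flags_unchecked(unsigned int memflags)
{
    unsigned int node = MEMF_get_node(memflags);
    if (node == NUMA_NO_NODE)
        node = 0;                     /* "no preference" maps to the first node */
    return (int)node;                 /* no comparison against MAX_NUMNODES   */
}

/* Range-checked extraction: the sentinel is handled first, then anything
 * at or beyond MAX_NUMNODES is rejected with -1 before it can be an index. */
static int node_from_flags_checked(unsigned int memflags)
{
    unsigned int node = MEMF_get_node(memflags);
    if (node == NUMA_NO_NODE)
        return 0;
    if (node >= MAX_NUMNODES)
        return -1;                    /* caller sees an error, not an OOB read */
    return (int)node;
}

/* Lookup that only ever indexes with a validated node. Returns the free
 * page count, or -1 when the request is rejected. */
static long avail_for_request(unsigned int memflags)
{
    int node = node_from_flags_checked(memflags);
    if (node < 0)
        return -1;
    return avail_pages[node];
}

int main(void)
{
    /* Constructed sample requests: in range, sentinel, and out of range. */
    const unsigned int requests[] = {
        MEMF_node(2), MEMF_node(NUMA_NO_NODE), MEMF_node(0xFE), MEMF_node(MAX_NUMNODES)
    };
    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++) {
        unsigned int f = requests[i];
        long avail = avail_for_request(f);
        printf("memflags=0x%04x unchecked-node=%d checked-node=%d avail=%ld\n",
               f, node_from_flags_unchecked(f), node_from_flags_checked(f), avail);
    }
    return 0;
}
```

The point of keeping both extractors is the diff between them: a single `node >= MAX_NUMNODES` comparison placed before the first array access is the whole fix, and the review question for any flag-encoded index is whether every non-sentinel value is bounded, not just whether the sentinel is recognised.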