Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 733914 (CVE-2020-15852)

Summary: app-emulation/xen: IO port permissions regression in kernel >= 5.5 (CVE-2020-15852)
Product: Gentoo Security Reporter: Sam James <sam>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: ajak, hydrapolic, kernel, proxy-maint, xen
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://lists.xenproject.org/archives/html/xen-announce/2020-07/msg00001.html
See Also: https://bugs.gentoo.org/show_bug.cgi?id=731658
Whiteboard: B3 [noglsa cve]
Package list:
Runtime testing required: ---

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-25 23:57:26 UTC 
From URL:
"Linux 5.5 overhauled the internal state handling for the iopl() and ioperm()
system calls.  Unfortunately, one aspect on context switch wasn't wired up
correctly for the Xen PVOps case.

IMPACT
======

IO port permissions don't get rescinded when context switching to an
unprivileged task.  Therefore, all userspace can use the IO ports granted to
the most recently scheduled task with IO port permissions.

VULNERABLE SYSTEMS
==================

Only x86 guests are vulnerable.

All versions of Linux from 5.5 are potentially vulnerable.

Linux is only vulnerable when running as x86 PV guest.  Linux is not
vulnerable when running as an x86 HVM/PVH guests.

The vulnerability can only be exploited in domains which have been granted
access to IO ports by Xen.  This is typically only the hardware domain, and
guests configured with PCI Passthrough."
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-25 23:59:03 UTC 
Please apply this patch if appropriate: https://lists.xenproject.org/archives/html/xen-announce/2020-07/binjSCTODhPNE.bin
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-03 07:54:53 UTC 
ping
Comment 3 Tomáš Mózes 2020-08-03 08:20:31 UTC 
This is fixed in Linux Kernel in versions 5.5+, nothing to do in Xen. Since we don't have a stable kernel above 5.4, we can just prune kernel <5.7.10.

https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.7.10:

commit 3bbf8195e79707268f4fd072d7575ced0207e4ef
Author: Andy Lutomirski <luto@kernel.org>
Date:   Fri Jul 17 16:53:55 2020 -0700

    x86/ioperm: Fix io bitmap invalidation on Xen PV
    
    commit cadfad870154e14f745ec845708bc17d166065f2 upstream.
    
    tss_invalidate_io_bitmap() wasn't wired up properly through the pvop
    machinery, so the TSS and Xen's io bitmap would get out of sync
    whenever disabling a valid io bitmap.
    
    Add a new pvop for tss_invalidate_io_bitmap() to fix it.
    
    This is XSA-329.
    
    Fixes: 22fe5b0439dd ("x86/ioperm: Move TSS bitmap update to exit to user work")
    Signed-off-by: Andy Lutomirski <luto@kernel.org>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Reviewed-by: Juergen Gross <jgross@suse.com>
    Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
    Cc: stable@vger.kernel.org
    Link: https://lkml.kernel.org/r/d53075590e1f91c19f8af705059d3ff99424c020.1595030016.git.luto@kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-08-03 14:55:44 UTC 
(In reply to Tomáš Mózes from comment #3)
> This is fixed in Linux Kernel in versions 5.5+, nothing to do in Xen. Since
> we don't have a stable kernel above 5.4, we can just prune kernel <5.7.10.

Thanks. CCing kernel@.
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-06 17:04:12 UTC 
(yes, apologies -- it was a bit late!)
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-09-10 11:14:48 UTC 
Kernel issue so no GLSA; no affected kernels in tree. Closing.