Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 733914 (CVE-2020-15852) - app-emulation/xen: IO port permissions regression in kernel >= 5.5 (CVE-2020-15852)
Summary: app-emulation/xen: IO port permissions regression in kernel >= 5.5 (CVE-2020-...
Status: RESOLVED FIXED
Alias: CVE-2020-15852
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL: https://lists.xenproject.org/archives...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-07-25 23:57 UTC by Sam James
Modified: 2021-09-10 11:14 UTC (History)
5 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-25 23:57:26 UTC
From URL:
"Linux 5.5 overhauled the internal state handling for the iopl() and ioperm()
system calls.  Unfortunately, one aspect on context switch wasn't wired up
correctly for the Xen PVOps case.

IMPACT
======

IO port permissions don't get rescinded when context switching to an
unprivileged task.  Therefore, all userspace can use the IO ports granted to
the most recently scheduled task with IO port permissions.

VULNERABLE SYSTEMS
==================

Only x86 guests are vulnerable.

All versions of Linux from 5.5 are potentially vulnerable.

Linux is only vulnerable when running as x86 PV guest.  Linux is not
vulnerable when running as an x86 HVM/PVH guests.

The vulnerability can only be exploited in domains which have been granted
access to IO ports by Xen.  This is typically only the hardware domain, and
guests configured with PCI Passthrough."
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-25 23:59:03 UTC
Please apply this patch if appropriate: https://lists.xenproject.org/archives/html/xen-announce/2020-07/binjSCTODhPNE.bin
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-03 07:54:53 UTC
ping
Comment 3 Tomáš Mózes 2020-08-03 08:20:31 UTC
This is fixed in Linux Kernel in versions 5.5+, nothing to do in Xen. Since we don't have a stable kernel above 5.4, we can just prune kernel <5.7.10.

https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.7.10:

commit 3bbf8195e79707268f4fd072d7575ced0207e4ef
Author: Andy Lutomirski <luto@kernel.org>
Date:   Fri Jul 17 16:53:55 2020 -0700

    x86/ioperm: Fix io bitmap invalidation on Xen PV
    
    commit cadfad870154e14f745ec845708bc17d166065f2 upstream.
    
    tss_invalidate_io_bitmap() wasn't wired up properly through the pvop
    machinery, so the TSS and Xen's io bitmap would get out of sync
    whenever disabling a valid io bitmap.
    
    Add a new pvop for tss_invalidate_io_bitmap() to fix it.
    
    This is XSA-329.
    
    Fixes: 22fe5b0439dd ("x86/ioperm: Move TSS bitmap update to exit to user work")
    Signed-off-by: Andy Lutomirski <luto@kernel.org>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Reviewed-by: Juergen Gross <jgross@suse.com>
    Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
    Cc: stable@vger.kernel.org
    Link: https://lkml.kernel.org/r/d53075590e1f91c19f8af705059d3ff99424c020.1595030016.git.luto@kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-08-03 14:55:44 UTC
(In reply to Tomáš Mózes from comment #3)
> This is fixed in Linux Kernel in versions 5.5+, nothing to do in Xen. Since
> we don't have a stable kernel above 5.4, we can just prune kernel <5.7.10.

Thanks. CCing kernel@.
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-06 17:04:12 UTC
(yes, apologies -- it was a bit late!)
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-09-10 11:14:48 UTC
Kernel issue so no GLSA; no affected kernels in tree. Closing.