Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 624116 (CVE-2017-10913, CVE-2017-10914) - <app-emulation/xen-4.7.3: Races in the grant table unmap code
Summary: <app-emulation/xen-4.7.3: Races in the grant table unmap code
Status: RESOLVED FIXED
Alias: CVE-2017-10913, CVE-2017-10914
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: https://xenbits.xen.org/xsa/advisory-...
Whiteboard: B1 [glsa blocked cve cleanup]
Keywords:
Depends on: CVE-2017-10920, CVE-2017-10921, CVE-2017-10922
Blocks:
  Show dependency tree
 
Reported: 2017-07-07 14:50 UTC by Christopher Díaz Riveros (RETIRED)
Modified: 2017-10-18 00:42 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-07-07 14:50:27 UTC
From $URL:

ISSUE DESCRIPTION
=================

We have discovered two bugs in the code unmapping grant references.

* When a grant had been mapped twice by a backend domain, and then
unmapped by two concurrent unmap calls, the frontend may be informed
that the page had no further mappings when the first call completed rather
than when the second call completed.  (CVE-2017-10913.)

* A race triggerable by an unprivileged guest could cause a grant
maptrack entry for grants to be "freed" twice.  The ultimate effect of
this would be for maptrack entries for a single domain to be re-used.
(CVE-2017-10914.)

IMPACT
======

For the first issue, for a short window of time, a malicious backend
could still read and write memory that the frontend thought was its
own again.  Depending on the usage, this could be either an
information leak, or a backend-to-frontend privilege escalation.

The second issue is more difficult to analyze. It can probably cause
reference counts to leak, preventing memory from being freed on domain
destruction (denial-of-service), but information leakage or host
privilege escalation cannot be ruled out.

VULNERABLE SYSTEMS
==================

All versions of Xen are vulnerable.

Both ARM and x86 are vulnerable.

On x86, systems with either PV or HVM guests are vulnerable.

MITIGATION
==========

None.

CREDITS
=======

This issue was discovered by Jann Horn of Google Project Zero.

RESOLUTION
==========

Applying the appropriate set of attached patches resolves this issue.

xsa218-unstable/*.patch    xen-unstable
xsa218-4.8/*.patch         Xen 4.8.x
xsa218-4.7/*.patch         Xen 4.7.x
xsa218-4.6/*.patch         Xen 4.6.x
xsa218-4.5/*.patch         Xen 4.5.x

$ sha256sum xsa218*/*
6f5e588edb6d3f0a37b89235e95cdcc7ca73cdff236d86b65e6f608bd15b03ec  xsa218-unstable/0001-gnttab-fix-unmap-pin-accounting-race.patch
5cb85f0aaa19ff343fc51b08addbf37d62352774115acd28eb18a73f67507e21  xsa218-unstable/0002-gnttab-Avoid-potential-double-put-of-maptrack-entry.patch
f5f3d27ce2829b3aa5e09b216bf9afcb1dc6b1f9f3b3a0f3ebfe5a68b4948aef  xsa218-unstable/0003-gnttab-correct-maptrack-table-accesses.patch
fafb8773957bbffb21ab43c7a3559efe15f52d234afba5f2ad2739411946c021  xsa218-4.5/0001-IOMMU-handle-IOMMU-mapping-and-unmapping-failures.patch
4398ad7111421dbf954ede651cb7f9acd83c654c7fa93d54a4e5f9b7b25fe918  xsa218-4.5/0002-gnttab-fix-unmap-pin-accounting-race.patch
9d23946afb96a70c574b8c7ff42ed8b30b72e9a1f751ff617a7578c79645c094  xsa218-4.5/0003-gnttab-Avoid-potential-double-put-of-maptrack-entry.patch
27d92c6f4d89de3fd9e9311337823370303c1ef985cce2bd9bea28f00cd6c184  xsa218-4.5/0004-gnttab-correct-maptrack-table-accesses.patch
99ac090d7955a46c6c9c73ca62b64cef6b8f05439961e52278c662f030a36ee2  xsa218-4.6/0001-IOMMU-handle-IOMMU-mapping-and-unmapping-failures.patch
e0f0839336e055c1422cf0f76c37f6d9cc8474b0140ffef2451dca6697a9f20f  xsa218-4.6/0002-gnttab-fix-unmap-pin-accounting-race.patch
5f6f63211b18bb6ec157353b9e8b844abe3fd767ef1780e6d28731e935559fbc  xsa218-4.6/0003-gnttab-Avoid-potential-double-put-of-maptrack-entry.patch
6a786a8c4b916b6f99092598bd4d60381907cd7e728c98a79e999afeec4f45a6  xsa218-4.6/0004-gnttab-correct-maptrack-table-accesses.patch
58354eec5f4f0b87640c702c6e1ce0eeb57dffbd09394a96e88bd6ff42c53e7e  xsa218-4.7/0001-IOMMU-handle-IOMMU-mapping-and-unmapping-failures.patch
0683d7ffdbe60dc8e1d161adeb0c5465df1840e86353b5cbb96dd204f2dbb526  xsa218-4.7/0002-gnttab-fix-unmap-pin-accounting-race.patch
6bfef9e1653a305e49653c5b81acb57ca41ee8410ea085d49c9bc7e4ccd31e54  xsa218-4.7/0003-gnttab-Avoid-potential-double-put-of-maptrack-entry.patch
b4ede29e3a94d9e7992c90b8b7c8d489e071764218b28962b5755a444040e1ae  xsa218-4.7/0004-gnttab-correct-maptrack-table-accesses.patch
c2a1b40e76764333f3ee34dd9bc7d3e34bab91f8b44eaae7aa6f187bbddb358f  xsa218-4.8/0001-gnttab-fix-unmap-pin-accounting-race.patch
a210ff17a0ca1a81f2c98cce84a104ac7dd2f1a72fa3855ca5f3b3d13e95468c  xsa218-4.8/0002-gnttab-Avoid-potential-double-put-of-maptrack-entry.patch
0b8fa3d6a0f3ccb43c8134db2240867d5a850ee0821d4124a1642596b4d6cb5a  xsa218-4.8/0003-gnttab-correct-maptrack-table-accesses.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
Comment 1 Yixun Lan gentoo-dev 2017-07-12 07:29:34 UTC
commit 7a8fc554850ee501e1ad705b4154874adf102947 
Author: Yixun Lan <dlan@gentoo.org>             
Date:   Wed Jul 12 15:15:52 2017 +0800          

    app-emulation/xen: security bump            
                        
    fix XSA-217,218,219,220,221,222,223,224,225 
                        
    Gentoo-Bug: 624112,624114,624116,624118,624120,624122,624124,624126,624130                  
    Package-Manager: Portage-2.3.6, Repoman-2.3.2                                               

:100644 100644 6534404116c... 49df2654a33... M  app-emulation/xen/Manifest                      
:000000 100644 00000000000... f66bd1b70f8... A  app-emulation/xen/xen-4.7.3.ebuild              
:000000 100644 00000000000... bf73951bc39... A  app-emulation/xen/xen-4.8.1-r2.ebuild
Comment 2 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-07-21 04:19:52 UTC
Thank you Yixun Lan

Arches please let us know when all is stable
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2017-10-18 00:42:58 UTC
This issue was resolved and addressed in
 GLSA 201710-17 at https://security.gentoo.org/glsa/201710-17
by GLSA coordinator Aaron Bauman (b-man).