Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 624124 (CVE-2017-10918) - <app-emulation/xen-4.7.3: stale P2M mappings due to insufficient error checking
Summary: <app-emulation/xen-4.7.3: stale P2M mappings due to insufficient error checking
Status: RESOLVED FIXED
Alias: CVE-2017-10918
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: https://xenbits.xen.org/xsa/advisory-...
Whiteboard: B1 [glsa cve]
Keywords:
Depends on: CVE-2017-10920, CVE-2017-10921, CVE-2017-10922
Blocks:
  Show dependency tree
 
Reported: 2017-07-07 14:59 UTC by Christopher Díaz Riveros (RETIRED)
Modified: 2017-10-18 00:43 UTC (History)
1 user (show)

See Also:
Package list:
=app-emulation/xen-4.7.3
Runtime testing required: No
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-07-07 14:59:25 UTC
From $URL:

ISSUE DESCRIPTION
=================

Certain actions require removing pages from a guest's P2M
(Physical-to-Machine) mapping.  When large pages are in use to map
guest pages in the 2nd-stage page tables, such a removal operation may
incur a memory allocation (to replace a large mapping with individual
smaller ones).  If this allocation fails, these errors are ignored by
the callers, which would then continue and (for example) free the
referenced page for reuse.  This leaves the guest with a mapping to a
page it shouldn't have access to.

The allocation involved comes from a separate pool of memory created
when the domain is created; under normal operating conditions it never
fails, but a malicious guest may be able to engineer situations where
this pool is exhausted.

IMPACT
======

A malicious guest may be able to access memory it doesn't own,
potentially allowing privilege escalation, host crashes, or
information leakage.

VULNERABLE SYSTEMS
==================

Xen versions from at least 3.2 onwards are vulnerable.  Older versions
have not been inspected.

Both x86 and ARM systems are vulnerable.

On x86 systems, only HVM guests can leverage the vulnerability.

MITIGATION
==========

On x86, specifying "hap_1gb=0 hap_2mb=0" on the hypervisor command
line will avoid the vulnerability.

Alternatively, running all x86 HVM guests in shadow mode will also
avoid this vulnerability.  (For example, by specifying "hap=0" in the
xl domain configuration file.)

There is no known mitigation on ARM systems.

CREDITS
=======

This issue was discovered by Julien Grall of ARM.

RESOLUTION
==========

Applying the appropriate pair of attached patches resolves this issue.

xsa222-[12].patch                        xen-unstable
xsa222-1.patch, xsa222-2-4.8.patch       Xen 4.8.x
xsa222-[12]-4.7.patch                    Xen 4.7.x
xsa222-[12]-4.6.patch                    Xen 4.6.x
xsa222-1-4.6.patch, xsa222-2-4.5.patch   Xen 4.5.x

$ sha256sum xsa222*
8bd8807ee1cfe01c86194f5d5be38618ba5e0c1206667bb119ed952e5d155c1a  xsa222-1.patch
9288dfcae1f37e6c8f13910046f43ec161710abb7c94a9346b7e0eaba3258ccd  xsa222-1-4.6.patch
ebc2c070bad8012a196e984b568a72e013ff072bb077870508f09ed053c1a4c2  xsa222-1-4.7.patch
ee320b37b365cb3b6660e559902ff8bb50657b2a28ff0fa7ebaf9ffd33fc0942  xsa222-2.patch
97768f4fe564f702de8e4aebd0c4d24858814ebbb7be532b376cfae7ad6834a4  xsa222-2-4.5.patch
4142f76673b996b65301d52216cbf56e27b0c86e5607f6a9eb18dcc7df3f6343  xsa222-2-4.6.patch
a640e190b32e82f5ec7ee4968bf8b9f22137e8379314cc9a29556637c3dc8e87  xsa222-2-4.7.patch
ab43bd590139bed53957b3b37b854183c69bee26cf7cb00900e3f4a150d067a5  xsa222-2-4.8.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)
Comment 1 Yixun Lan gentoo-dev 2017-07-12 07:34:07 UTC
commit 7a8fc554850ee501e1ad705b4154874adf102947 
Author: Yixun Lan <dlan@gentoo.org>             
Date:   Wed Jul 12 15:15:52 2017 +0800          

    app-emulation/xen: security bump            
                        
    fix XSA-217,218,219,220,221,222,223,224,225 
                        
    Gentoo-Bug: 624112,624114,624116,624118,624120,624122,624124,624126,624130                  
    Package-Manager: Portage-2.3.6, Repoman-2.3.2                                               

:100644 100644 6534404116c... 49df2654a33... M  app-emulation/xen/Manifest                      
:000000 100644 00000000000... f66bd1b70f8... A  app-emulation/xen/xen-4.7.3.ebuild              
:000000 100644 00000000000... bf73951bc39... A  app-emulation/xen/xen-4.8.1-r2.ebuild
Comment 2 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-07-21 04:23:45 UTC
Thank you Yixun Lan

Arches please let us know when all is stable
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2017-08-20 21:57:42 UTC
Added to an existing GLSA Request.

Maintainer(s), please drop the vulnerable version(s).
Comment 4 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-10-08 21:42:15 UTC
x86 never went stable.

@x86 please stabilize.
Comment 5 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-10-15 20:11:32 UTC
x86 does not stable app-emulation/xen
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2017-10-18 00:43:15 UTC
This issue was resolved and addressed in
 GLSA 201710-17 at https://security.gentoo.org/glsa/201710-17
by GLSA coordinator Aaron Bauman (b-man).