Xen Security Advisory 229 (CVE-2017-12134) - linux: Fix Xen block IO merge-ability calculation

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa229.patch           Linux

$ sha256sum xsa229*
5f96c72c8c5a971d52f5540475a3fc6f4fef2071ec772ef21392fdc238eda858  xsa229.patch
$

http://seclists.org/oss-sec/2017/q3/att-294/xsa229.patch


Xen Security Advisory CVE-2017-12135 / XSA-226
version 5

multiple problems with transitive grants

RESOLUTION
==========

Applying the appropriate attached patch works around this issue by disabling transitive grants by default.

xsa226.patch           xen-unstable, Xen 4.9.x, Xen 4.8.x
xsa226-4.7.patch       Xen 4.7.x
xsa226-4.6.patch       Xen 4.6.x
xsa226-4.5.patch       Xen 4.5.x

$ sha256sum xsa226*
b09e07aaf422ae04a4ece5e2c5b5e54036cfae5b5c632bfc6953a0cacd6f60ff  xsa226.patch
ca8b92b2ff58b87e8bec137a34784cbf11e2820659046df6e1d71e23bf7e7dee  xsa226-4.5.patch
28c7df7edabb91fb2f1fa3fc7d6906bfae75a6e701f1cd335baafaae3e087696  xsa226-4.6.patch
fffcc0a4428723e6aea391ff4f1d27326b5a3763d2308cbde64e6a786502c702  xsa226-4.7.patch
$

http://seclists.org/oss-sec/2017/q3/att-291/xsa226.patch
http://seclists.org/oss-sec/2017/q3/att-291/xsa226-4_5.patch
http://seclists.org/oss-sec/2017/q3/att-291/xsa226-4_6.patch
http://seclists.org/oss-sec/2017/q3/att-291/xsa226-4_7.patch


Xen Security Advisory CVE-2017-12136 / XSA-228
version 3

grant_table: Race conditions with maptrack free list handling

VULNERABLE SYSTEMS
==================

Xen 4.6 and later are vulnerable. Xen 4.5 and earlier are not vulnerable.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa228.patch           xen-unstable, Xen 4.9.x
xsa228-4.8.patch       Xen 4.8.x, Xen 4.7.x, Xen 4.6.x

$ sha256sum xsa228*
35a1a7f8905770fa64da0756fe3e0400bb8c28ecae0b7cf80e749cb7962018db  xsa228.meta
1979e111442517891b483e316a15a760a4c992ac4440f95e361ff12f4bebff62  xsa228.patch
5a7416f15ac9cd7cace354b6102ff58199fe0581f65a36a36869650c71784e48  xsa228-4.8.patch
$

http://seclists.org/oss-sec/2017/q3/att-293/xsa228_meta.bin
http://seclists.org/oss-sec/2017/q3/att-293/xsa228.patch
http://seclists.org/oss-sec/2017/q3/att-293/xsa228-4_8.patch


Xen Security Advisory 227 (CVE-2017-12137) - x86: PV privilege escalation via map_grant_ref

IMPACT
======

A PV guest can elevate its privilege to that of the host.

VULNERABLE SYSTEMS
==================

All versions of Xen are vulnerable.

Only x86 systems are vulnerable.

Any system running untrusted PV guests is vulnerable.

The vulnerability is exposed to PV stub qemu serving as the device model for HVM guests. Our default assumption is that an HVM guest has compromised its PV stub qemu. By extension, it is likely that the vulnerability is exposed to HVM guests which are served by a PV stub qemu.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa227.patch           xen-unstable, Xen 4.9.x, 4.8.x, 4.7.x
xsa227-4.6.patch       Xen 4.6.x
xsa227-4.5.patch       Xen 4.5.x

$ sha256sum xsa227*
c48cc3be47e81a4ceebcf60659b8755516c68916fc5150920ed42c6b61e3f219  xsa227.meta
9923a47e5f86949800887596f098954a08ef73a01d74b1dbe16cab2e6b1fabb2  xsa227.patch
6f83d0d9ff853192840d2b82d26d8fde21473bf4ac1441a153f3ee02efd1dd67  xsa227-4.5.patch
162b991b27b86f210089526a01cae715563d3a069c92f42538b423bba7709fcc  xsa227-4.6.patch
$

(The .meta file is a prototype machine-readable file for describing which patches are to be applied how.)

http://seclists.org/oss-sec/2017/q3/att-292/xsa227_meta.bin
http://seclists.org/oss-sec/2017/q3/att-292/xsa227.patch
http://seclists.org/oss-sec/2017/q3/att-292/xsa227-4_5.patch
http://seclists.org/oss-sec/2017/q3/att-292/xsa227-4_6.patch
Xen Security Advisory CVE-2017-12134 / XSA-229
version 3

linux: Fix Xen block IO merge-ability calculation

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

The block layer in Linux may choose to merge adjacent block IO requests. When Linux is running as a Xen guest, the default merging algorithm is replaced with a Xen-specific one. When Linux is running as an x86 PV guest, some BIO's are erroneously merged, corrupting the data stream to/from the block device.

This can result in incorrect access to an uncontrolled adjacent frame.

IMPACT
======

A buggy or malicious guest can cause Linux to read or write incorrect memory when processing a block stream. This could leak information from other guests in the system or from Xen itself, or be used to DoS or escalate privilege within the system.

VULNERABLE SYSTEMS
==================

All x86 Xen systems using pvops Linux in a backend role (either as dom0, or as a disk device driver domain) are affected. This includes upstream Linux versions 2.6.37 and later. Systems using the older classic-linux fork are not affected.

All PV x86 domains doing block IO on behalf of a guest, including dom0 and any PV driver domains, are vulnerable. (Any HVM driver domains running are not vulnerable.) This includes Xen vbd backends such as blkback, but also direct IO performed for the guest via e.g. qemu.

ARM systems are not affected.

The vulnerability is only exposed if the underlying block device has request merging enabled. See Mitigation.

The vulnerability is only exposed to configurations which use grant mapping as a transport mechanism for the block data. Configurations which use exclusively grant copy are not vulnerable.

MITIGATION
==========

Disable bio merges on all relevant underlying backend block devices. For example,

  echo 2 > /sys/block/nvme0n1/queue/nomerges

CREDITS
=======

This issue was discovered by Jan H. Schönherr of Amazon.
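The advisory's mitigation has to be applied to every backend block device, not just the one in its example, and it is lost on reboot or device hotplug, so it is worth auditing. The script below is an added example, not part of the advisory or the Gentoo bug: it reports the nomerges setting of every device under a sysfs block root (an argument, defaulting to /sys/block, so it can be exercised against a constructed tree) and can apply the value 2 the advisory recommends.

```sh
#!/bin/sh
# Added example for the XSA-229 mitigation (not from the advisory or the bug).
# nomerges semantics (Linux block layer): 0 = all merges allowed,
# 1 = only simple merges allowed, 2 = no merges. Only 2 fully closes the
# window the advisory describes.

# audit_nomerges [sysfs_block_root]
# Prints "<dev> <value> <status>" per device that has a queue/nomerges knob.
# Returns 0 only when every such device is set to 2.
audit_nomerges() {
    root="${1:-/sys/block}"
    rc=0
    for knob in "$root"/*/queue/nomerges; do
        [ -f "$knob" ] || continue
        dev=${knob%/queue/nomerges}   # strip the knob path ...
        dev=${dev##*/}                # ... and the root, leaving the device name
        val=$(cat "$knob")
        if [ "$val" = "2" ]; then
            echo "$dev $val ok"
        else
            echo "$dev $val MERGING"
            rc=1
        fi
    done
    return $rc
}

# apply_nomerges [sysfs_block_root]
# Writes 2 to every nomerges knob (needs root on a real /sys), then re-audits.
# Virtual devices (loop*, ram*, ...) are included; narrow the glob if the
# backend only serves specific disks.
apply_nomerges() {
    root="${1:-/sys/block}"
    for knob in "$root"/*/queue/nomerges; do
        [ -f "$knob" ] || continue
        echo 2 > "$knob"
    done
    audit_nomerges "$root"
}

# Usage: sh nomerges.sh --audit [root]   or   sh nomerges.sh --apply [root]
case "${1-}" in
    --audit) audit_nomerges "${2-}" ;;
    --apply) apply_nomerges "${2-}" ;;
esac
```

Run the audit from a cron job or a configuration-management check so that a device that reappears with the default of 0 is noticed.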
=========================================
Xen Security Advisory CVE-2017-12136 / XSA-228
version 3

grant_table: Race conditions with maptrack free list handling

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

The grant table code in Xen has a bespoke semi-lockfree allocator for recording grant mappings ("maptrack" entries). This allocator has a race which allows the free list to be corrupted.

Specifically: the code for removing an entry from the free list, prior to use, assumes (without locking) that if inspecting head item shows that it is not the tail, it will continue to not be the tail of the list if it is later found to be still the head and removed with cmpxchg. But the entry might have been removed and replaced, with the result that it might be the tail by then.

(The invariants for the semi-lockfree data structure were never formally documented.)

Additionally, a stolen entry is put on the free list with an incorrect link field, which will very likely corrupt the list.

IMPACT
======

A malicious guest administrator can crash the host, and can probably escalate their privilege to that of the host.

VULNERABLE SYSTEMS
==================

Xen 4.6 and later are vulnerable. Xen 4.5 and earlier are not vulnerable.

MITIGATION
==========

There is no mitigation for this vulnerability.

CREDITS
=======

This issue was discovered by Ian Jackson of Citrix.

====================================
Xen Security Advisory CVE-2017-12135 / XSA-226
version 6

multiple problems with transitive grants

UPDATES IN VERSION 6
====================

Patches actually addressing the issue have become ready.

ISSUE DESCRIPTION
=================

1) Code to handle copy operations on transitive grants has built in retry logic, involving a function reinvoking itself with unchanged parameters. Such use assumes that the compiler would also translate this to a so called "tail call" when generating machine code. Empirically, this is not commonly the case, allowing for theoretically unbounded nesting of such function calls.

2) The reference counting and locking discipline for transitive grants is broken. Concurrent use of the transitive grant can leak references on the transitively-referenced grant.

IMPACT
======

A malicious or buggy guest may be able to crash Xen. Privilege escalation and information leaks cannot be ruled out.

A malicious or buggy guest can leak references on grants it has been given, amounting to a DoS against the grantee.

VULNERABLE SYSTEMS
==================

All versions of Xen are vulnerable.

MITIGATION
==========

There is no known mitigation.

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE. The security team would also like to thank Amazon for helping to identify that the problems with transitive grants were deeper than originally believed.
@Security,

Sorry to over-populate the ticket, but I would like to make the information easier to process.

[Xen Security Advisory 229 (CVE-2017-12134)]
CVE-2017-12134 (https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12134):
The xen_biovec_phys_mergeable function in drivers/xen/biomerge.c in Xen might allow local OS guest users to corrupt block device data streams and consequently obtain sensitive memory information, cause a denial of service, or gain host OS privileges by leveraging incorrect block IO merge-ability calculation.

[Xen Security Advisory CVE-2017-12135 / XSA-226]
CVE-2017-12135 (https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12135):
Xen allows local OS guest users to cause a denial of service (crash) or possibly obtain sensitive information or gain privileges via vectors involving transitive grants.

[Xen Security Advisory CVE-2017-12136 / XSA-228]
CVE-2017-12136 (https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12136):
Race condition in the grant table code in Xen 4.6.x through 4.9.x allows local guest OS administrators to cause a denial of service (free list corruption and host crash) or gain privileges on the host via vectors involving maptrack free list handling.

[Xen Security Advisory 227 (CVE-2017-12137)]
CVE-2017-12137 (https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12137):
arch/x86/mm.c in Xen allows local PV guest OS users to gain host OS privileges via vectors related to map_grant_ref.
This should be fixed now; all <=XSA-244 should be fixed with =app-emulation/xen-4.8.2-r1 && =app-emulation/xen-tools-4.8.2-r1 pushed.
(In reply to Yixun Lan from comment #3)
> comment #3

Thank you, Whiteboard now changed.
Also, cc amd64, x86 when ready for stable please. Thank you again.
Arches and Maintainer(s), Thank you for your work. New GLSA Request filed.
This issue was resolved and addressed in GLSA 201801-14 at https://security.gentoo.org/glsa/201801-14 by GLSA coordinator Thomas Deutschmann (whissi).
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a65a72c5bf82bef9f6a7fd525ca42a7c7027d5e7

commit a65a72c5bf82bef9f6a7fd525ca42a7c7027d5e7
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-11-08 20:10:18 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-11-08 20:53:24 +0000

    package.mask: Last rite <dev-python/numpy-1.14.5 & revdeps

    Bug: https://bugs.gentoo.org/627962
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 profiles/package.mask | 10 ++++++++++
 1 file changed, 10 insertions(+)