733914 – (CVE-2020-15852) app-emulation/xen: IO port permissions regression in kernel >= 5.5 (CVE-2020-15852)

Bug 733914 (CVE-2020-15852) - app-emulation/xen: IO port permissions regression in kernel >= 5.5 (CVE-2020-15852)

Summary: app-emulation/xen: IO port permissions regression in kernel >= 5.5 (CVE-2020-...

Status:	RESOLVED FIXED

Alias:	CVE-2020-15852

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	https://lists.xenproject.org/archives...
Whiteboard:	B3 [noglsa cve]
Keywords:

Depends on:
Blocks:

Reported:	2020-07-25 23:57 UTC by Sam James
Modified:	2021-09-10 11:14 UTC (History)
CC List:	5 users (show)

See Also:	CVE-2020-15563, CVE-2020-15564, CVE-2020-15565, CVE-2020-15566, CVE-2020-15567
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sam James archtester

2020-07-25 23:57:26 UTC

From URL:
"Linux 5.5 overhauled the internal state handling for the iopl() and ioperm()
system calls.  Unfortunately, one aspect on context switch wasn't wired up
correctly for the Xen PVOps case.

IMPACT
======

IO port permissions don't get rescinded when context switching to an
unprivileged task.  Therefore, all userspace can use the IO ports granted to
the most recently scheduled task with IO port permissions.

VULNERABLE SYSTEMS
==================

Only x86 guests are vulnerable.

All versions of Linux from 5.5 are potentially vulnerable.

Linux is only vulnerable when running as x86 PV guest.  Linux is not
vulnerable when running as an x86 HVM/PVH guests.

The vulnerability can only be exploited in domains which have been granted
access to IO ports by Xen.  This is typically only the hardware domain, and
guests configured with PCI Passthrough."

Comment 1 Sam James archtester

2020-07-25 23:59:03 UTC

Please apply this patch if appropriate: https://lists.xenproject.org/archives/html/xen-announce/2020-07/binjSCTODhPNE.bin

Comment 2 Sam James archtester

2020-08-03 07:54:53 UTC

ping

Comment 3 Tomáš Mózes 2020-08-03 08:20:31 UTC

This is fixed in Linux Kernel in versions 5.5+, nothing to do in Xen. Since we don't have a stable kernel above 5.4, we can just prune kernel <5.7.10.

https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.7.10:

commit 3bbf8195e79707268f4fd072d7575ced0207e4ef
Author: Andy Lutomirski <luto@kernel.org>
Date:   Fri Jul 17 16:53:55 2020 -0700

    x86/ioperm: Fix io bitmap invalidation on Xen PV
    
    commit cadfad870154e14f745ec845708bc17d166065f2 upstream.
    
    tss_invalidate_io_bitmap() wasn't wired up properly through the pvop
    machinery, so the TSS and Xen's io bitmap would get out of sync
    whenever disabling a valid io bitmap.
    
    Add a new pvop for tss_invalidate_io_bitmap() to fix it.
    
    This is XSA-329.
    
    Fixes: 22fe5b0439dd ("x86/ioperm: Move TSS bitmap update to exit to user work")
    Signed-off-by: Andy Lutomirski <luto@kernel.org>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Reviewed-by: Juergen Gross <jgross@suse.com>
    Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
    Cc: stable@vger.kernel.org
    Link: https://lkml.kernel.org/r/d53075590e1f91c19f8af705059d3ff99424c020.1595030016.git.luto@kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Comment 4 John Helmert III archtester

2020-08-03 14:55:44 UTC

(In reply to Tomáš Mózes from comment #3)
> This is fixed in Linux Kernel in versions 5.5+, nothing to do in Xen. Since
> we don't have a stable kernel above 5.4, we can just prune kernel <5.7.10.

Thanks. CCing kernel@.

Comment 5 Sam James archtester

2020-08-06 17:04:12 UTC

(yes, apologies -- it was a bit late!)

Comment 6 John Helmert III archtester

2021-09-10 11:14:48 UTC

Kernel issue so no GLSA; no affected kernels in tree. Closing.