Date: Tue, 20 Jun 2017 12:00:08 +0000 From: Xen.org security team <security@....org> To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org, xen-users@...ts.xen.org, oss-security@...ts.openwall.com CC: Xen.org security team <security-team-members@....org> Subject: Xen Security Advisory 222 - stale P2M mappings due to insufficient error checking -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory XSA-222 version 2 stale P2M mappings due to insufficient error checking UPDATES IN VERSION 2 ==================== Public release. ISSUE DESCRIPTION ================= Certain actions require removing pages from a guest's P2M (Physical-to-Machine) mapping. When large pages are in use to map guest pages in the 2nd-stage page tables, such a removal operation may incur a memory allocation (to replace a large mapping with individual smaller ones). If this allocation fails, these errors are ignored by the callers, which would then continue and (for example) free the referenced page for reuse. This leaves the guest with a mapping to a page it shouldn't have access to. The allocation involved comes from a separate pool of memory created when the domain is created; under normal operating conditions it never fails, but a malicious guest may be able to engineer situations where this pool is exhausted. IMPACT ====== A malicious guest may be able to access memory it doesn't own, potentially allowing privilege escalation, host crashes, or information leakage. VULNERABLE SYSTEMS ================== Xen versions from at least 3.2 onwards are vulnerable. Older versions have not been inspected. Both x86 and ARM systems are vulnerable. On x86 systems, only HVM guests can leverage the vulnerability. MITIGATION ========== On x86, specifying "hap_1gb=0 hap_2mb=0" on the hypervisor command line will avoid the vulnerability. Alternatively, running all x86 HVM guests in shadow mode will also avoid this vulnerability. (For example, by specifying "hap=0" in the xl domain configuration file.) There is no known mitigation on ARM systems. CREDITS ======= This issue was discovered by Julien Grall of ARM. RESOLUTION ========== Applying the appropriate pair of attached patches resolves this issue. xsa222-.patch xen-unstable xsa222-1.patch, xsa222-2-4.8.patch Xen 4.8.x xsa222--4.7.patch Xen 4.7.x xsa222--4.6.patch Xen 4.6.x xsa222-1-4.6.patch, xsa222-2-4.5.patch Xen 4.5.x $ sha256sum xsa222* 8bd8807ee1cfe01c86194f5d5be38618ba5e0c1206667bb119ed952e5d155c1a xsa222-1.patch 9288dfcae1f37e6c8f13910046f43ec161710abb7c94a9346b7e0eaba3258ccd xsa222-1-4.6.patch ebc2c070bad8012a196e984b568a72e013ff072bb077870508f09ed053c1a4c2 xsa222-1-4.7.patch ee320b37b365cb3b6660e559902ff8bb50657b2a28ff0fa7ebaf9ffd33fc0942 xsa222-2.patch 97768f4fe564f702de8e4aebd0c4d24858814ebbb7be532b376cfae7ad6834a4 xsa222-2-4.5.patch 4142f76673b996b65301d52216cbf56e27b0c86e5607f6a9eb18dcc7df3f6343 xsa222-2-4.6.patch a640e190b32e82f5ec7ee4968bf8b9f22137e8379314cc9a29556637c3dc8e87 xsa222-2-4.7.patch ab43bd590139bed53957b3b37b854183c69bee26cf7cb00900e3f4a150d067a5 xsa222-2-4.8.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBCAAGBQJZSQ3UAAoJEIP+FMlX6CvZUd8H/0Lre7nvQJ+AWb5f9ztcOHcM Yi+ztFhfKhi9eLrJTGSQqso5rf4Fqf96E+J0UKV5eiI4/u/tRYdhb2kVsv0cwmWR 8npcnpsacTqIzPttTtwiJ4pCh7JM5/OMmEJtuBZHqgw21nCOzIEQjPJTsW0nnnfq uh20P15sf8ag1mT0N17WuNV1mxdbS6ZqpZMwTYSJfp409oXftsfBkHeH1a9ajdf/ yFZbJQpJ9eizRfZSxmSGMa02V90zQp9vnHhMm1hpy+RrywRysfAVwv4cfIeduo1t 6R3qS+2gAR5YgDvISurBJLAcK1Q0p1qxH5JQd3sYCOPeX3qbbvZ2wDmqPclxa4s= =iwX3 -----END PGP SIGNATURE----- Download attachment "xsa222-1.patch" of type "application/octet-stream" (4227 bytes) Download attachment "xsa222-1-4.6.patch" of type "application/octet-stream" (3851 bytes) Download attachment "xsa222-1-4.7.patch" of type "application/octet-stream" (3890 bytes) Download attachment "xsa222-2.patch" of type "application/octet-stream" (14098 bytes) Download attachment "xsa222-2-4.5.patch" of type "application/octet-stream" (13715 bytes) Download attachment "xsa222-2-4.6.patch" of type "application/octet-stream" (13825 bytes) Download attachment "xsa222-2-4.7.patch" of type "application/octet-stream" (14631 bytes) Download attachment "xsa222-2-4.8.patch" of type "application/octet-stream" (14461 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ