Date: Tue, 27 Feb 2018 12:00:08 +0000 From: Xen.org security team <security@....org> To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org, xen-users@...ts.xen.org, oss-security@...ts.openwall.com CC: Xen.org security team <security-team-members@....org> Subject: Xen Security Advisory 255 - grant table v2 -> v1 transition may crash Xen -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory XSA-255 version 3 grant table v2 -> v1 transition may crash Xen UPDATES IN VERSION 3 ==================== Public release. ISSUE DESCRIPTION ================= Grant tables come in two flavors (versions), and domains are permitted to freely change between them (subject to certain constraints). For the guest to use the facility, both the "normal" shared pages (applicable to v1 and v2) and the "status" pages (applicable to v2 only) need to be mapped by the guest into its address space. When transitioning from v2 to v1, the status pages become unnecessary and are therefore freed by Xen. That means Xen needs to check that there are no mappings of those pages by the domain. However, that check was mistakenly implemented as a bug check, rather than returning an error to the guest. IMPACT ====== A malicious or buggy guest may cause a hypervisor crash, resulting in a Denial of Service (DoS) affecting the entire host. Privilege escalation as well as information leaks cannot be ruled out for HVM, PVH (both x86), and ARM guests. The impact is more severe for Xen versions 4.0.x, 4.1.0 ... 4.1.3, and 4.2 in that the pages are freed without any checking, thus allowing their re-use for another domain, or by Xen itself, while there still are active mappings (see XSA-26). VULNERABLE SYSTEMS ================== Xen versions 4.0 and newer are vulnerable. Both x86 and ARM systems are vulnerable. MITIGATION ========== Using the "gnttab=max_ver:1" hypervisor command line option, where available, to disable use of v2 grant tables allows to avoid the vulnerability. Use of this option will, however, break any guests which require to make use of v2 functionality. The patch introducing this option was not merged so far, but is available (in its current form) at https://lists.xenproject.org/archives/html/xen-devel/2018-02/msg00059.html ("common/gnttab: Introduce command line feature controls"). There is no other known mitigation. CREDITS ======= This issue was discovered by Jan Beulich of SUSE. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. xsa255-?.patch xen-unstable, Xen 4.10.x xsa255-4.9-?.patch Xen 4.9.x, Xen 4.8.x xsa255-4.7-?.patch Xen 4.7.x xsa255-4.6-?.patch Xen 4.6.x $ sha256sum xsa255* 05a5570ecf4354f7aad35bb77a4c2f5f556bcabf3555829a98c94dcfb6dd4696 xsa255-1.patch df43a147f1e1a2b7d59588bc91cdaac05d4e45bcfc4e2c8cb5e8de840d44b43d xsa255-2.patch be62d81583df10a6be275427d5cfa02084c8717473b3694cd2a9bbdc10cbadcb xsa255-4.6-1.patch 3dd58114c5ce68fd8dd43f8f92eaafdcec1fd9add37eb41faed1cf818058539a xsa255-4.6-2.patch 9bfc4a33a0faeb36aec8449ea940cef52d523cc3d13529b4eeaae64bf5a7b644 xsa255-4.7-1.patch 6d95ceb54298de7863dc7133c0f3adf85f7da9b8d326146ff46e641194a47fc0 xsa255-4.7-2.patch 0b4706f0d2d21d4f6414ae9c0205e553bfb792c23d44e129b3a0f90be557d13f xsa255-4.9-1.patch 9c6b2d2183ffa484182ca75e1a048d0713c4d150e750ccf58be5a24991a3e1de xsa255-4.9-2.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. However, deployment of the mitigation is NOT permitted (except where all the affected systems and VMs are administered and used only by organisations which are members of the Xen Project Security Issues Predisclosure List). Specifically, deployment on public cloud systems is NOT permitted. This is because this produces a guest-visible change which will indicate which component contains the vulnerability. Additionally, distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBCAAGBQJalUeyAAoJEIP+FMlX6CvZrgoH/3bGXBS8dUA/59slmiyw7UpG jShI/y+aCo5APtvPVrm+1cM/YOFVCHoZcnL0V+E9VBekCeVo84lfrDwrsU76RWNq vIyPKBBeJbJFCCLatiWWDSEG6MukhhF0xiJy5RuMd/A1d4+6XLsD3y2bIkBb1P13 WzPJcgN1/wMM4A5Tp7MgyncOdm5yODu0A85L4J6fOOGm+LrNErvFpREcivoIKhbq PKm04dSNb3jp7b7J9cVfSH/ZhpD1szwJ9yrddX3zgOF/1jlDi54Bri2potAZRZ0j h+dN4Oh1HUR6NJeTuJqHx/VwFsx7V2zmWZZwsHaI7f/Oe15GRY/vPJNEm3VhNoM= =atsR -----END PGP SIGNATURE----- Download attachment "xsa255-1.patch" of type "application/octet-stream" (5980 bytes) Download attachment "xsa255-2.patch" of type "application/octet-stream" (6100 bytes) Download attachment "xsa255-4.6-1.patch" of type "application/octet-stream" (4249 bytes) Download attachment "xsa255-4.6-2.patch" of type "application/octet-stream" (6773 bytes) Download attachment "xsa255-4.7-1.patch" of type "application/octet-stream" (4186 bytes) Download attachment "xsa255-4.7-2.patch" of type "application/octet-stream" (6772 bytes) Download attachment "xsa255-4.9-1.patch" of type "application/octet-stream" (4169 bytes) Download attachment "xsa255-4.9-2.patch" of type "application/octet-stream" (6690 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.