Date: Mon, 20 Aug 2018 09:47:38 +0000 From: Xen.org security team <security@....org> To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org, xen-users@...ts.xen.org, oss-security@...ts.openwall.com CC: Xen.org security team <security-team-members@....org> Subject: Xen Security Advisory 268 v3 (CVE-2018-15469) - Use of v2 grant tables may cause crash on ARM -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory CVE-2018-15469 / XSA-268 version 3 Use of v2 grant tables may cause crash on ARM UPDATES IN VERSION 3 ==================== CVE assigned. ISSUE DESCRIPTION ================= ARM never properly implemented grant table v2, either in the hypervisor or in Linux. Unfortunately, an ARM guest can still request v2 grant tables; they will simply not be properly set up, resulting in subsequent grant-related hypercalls hitting BUG() checks. IMPACT ====== An unprivileged guest can cause a BUG() check in the hypervisor, resulting in a denial-of-service. VULNERABLE SYSTEMS ================== Only ARM systems are vulnerable. All supported versions of Xen are vulnerable. MITIGATION ========== None. CREDITS ======= This issue was discovered by 王磊 of Samsung. RESOLUTION ========== Applying the appropriate attached patch resolves this issue by preventing a guest from switching to grant v2. xsa268.patch xen-unstable xsa268-4.11.patch Xen 4.11.0 xsa268-4.10-?.patch Xen 4.10.x xsa268-4.9-?.patch Xen 4.9.x, Xen 4.8.x xsa268-4.7-?.patch Xen 4.7.x xsa268-4.6-?.patch Xen 4.6.x $ sha256sum xsa268* f336b45676e73f8b102e5dddf78af2d1d288f9a254142a8a8e9949db55e1cc3b xsa268.meta ca5f69cb8cfb74fae44a0f39f80ec9ae4d269c4895f36311b50d191be97bbcf0 xsa268.patch 93a68a5b23aedc6adf0aae23303dc8eb2c02dc40a5e1d7eb0a1b497cd66da209 xsa268-4.6-1.patch 5b74afd13d96779a72dc34ba7c63a1735cd267fb9bb643f735ac69b0e6ff54d5 xsa268-4.6-2.patch 820e1018f76ef2828b1cbb33e2966b99f6934a80ab55f11749ff847d375d1b02 xsa268-4.7-1.patch 233f7e69e5fb931d2e5cf03f4407f38ff960c039c9eced957df13d3cc37fa6b1 xsa268-4.7-2.patch 4a0c705f0266185b32daf313e686abc340e2fbb1a1644647500fc405bc180913 xsa268-4.9-1.patch ce16eaab94cd1e64f9c9127b64da7ebb6a7758eb540fecc3bbcc2dbfbcc4d7e2 xsa268-4.9-2.patch f413d41fadefe0e275c8bff16a2061bb325f3900b7ccf214a9e97fabf3ee1a89 xsa268-4.10-1.patch 531654f82908c1aa7b0fcea818c82c4b53d4750a697db3353cc05e9e91e5d639 xsa268-4.10-2.patch baeb6b2c28a9cbe929c9cf34398780002fffe12b928df4d1e5951c0a5b51336a xsa268-4.11.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBCAAGBQJbeo4HAAoJEIP+FMlX6CvZxYMH/R1pB/0Qh+eYJevI0XZCh0TX TlzPkzvTkif3JUfYtms1rVeXdAUoOaZPrMpzZYFWthOHhHR6Y8tiBWxiRGWuEf0a OaAYTebIQN4U69AUXGaXdA1p1Nnix5guOgljM1EHD3LGEBtadzdYdFfpKrEv1F7L f8fwLULljcfwHKI7Yv/CwGdRAt2YrtIFqry916yc0RHk2nQpLvX8V+8YXWla8zGR 1Vkin0WoR31qkcakJGXO8jXD1Wpn4J+2lAyMpAiPpN7d8F7/cEOj7huRuTkYFQha /sTUc5Dy3kniLptJF+2//dLOjwKQKSKd3c8LJjc8IGPCwfpNpVmLaCiB/93AcWk= =yh+i -----END PGP SIGNATURE----- Download attachment "xsa268.meta" of type "application/octet-stream" (1982 bytes) Download attachment "xsa268.patch" of type "application/octet-stream" (1629 bytes) Download attachment "xsa268-4.6-1.patch" of type "application/octet-stream" (3507 bytes) Download attachment "xsa268-4.6-2.patch" of type "application/octet-stream" (1663 bytes) Download attachment "xsa268-4.7-1.patch" of type "application/octet-stream" (3518 bytes) Download attachment "xsa268-4.7-2.patch" of type "application/octet-stream" (1663 bytes) Download attachment "xsa268-4.9-1.patch" of type "application/octet-stream" (3519 bytes) Download attachment "xsa268-4.9-2.patch" of type "application/octet-stream" (1664 bytes) Download attachment "xsa268-4.10-1.patch" of type "application/octet-stream" (3539 bytes) Download attachment "xsa268-4.10-2.patch" of type "application/octet-stream" (1627 bytes) Download attachment "xsa268-4.11.patch" of type "application/octet-stream" (1642 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.