Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1dhabV-0006du-B7@xenbits.xenproject.org>
Date: Tue, 15 Aug 2017 12:05:49 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org,
 xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security-team-members@....org>
Subject: Xen Security Advisory 227 (CVE-2017-12137) - x86: PV privilege
 escalation via map_grant_ref

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2017-12137 / XSA-227
                               version 3

            x86: PV privilege escalation via map_grant_ref

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

When mapping a grant reference, a guest must inform Xen of where it
would like the grant mapped.  For PV guests, this is done by nominating
an existing linear address, or an L1 pagetable entry, to be altered.

Neither of these PV paths check for alignment of the passed parameter.
The linear address path suitably truncates the linear address when
calculating the L1 entry to use, but the path which uses a directly
nominated L1 entry performs no checks.

This causes Xen to make an incorrectly-aligned update to a pagetable,
which corrupts both the intended entry and the subsequent entry with
values which are largely guest controlled.  If the misaligned value
crosses a page boundary, then an arbitrary other heap page is
corrupted.

IMPACT
======

A PV guest can elevate its privilege to that of the host.

VULNERABLE SYSTEMS
==================

All versions of Xen are vulnerable.

Only x86 systems are vulnerable.

Any system running untrusted PV guests is vulnerable.

The vulnerability is exposed to PV stub qemu serving as the device model
for HVM guests.  Our default assumption is that an HVM guest has
compromised its PV stub qemu.  By extension, it is likely that the
vulnerability is exposed to HVM guests which are served by a PV stub
qemu.

MITIGATION
==========

Running only HVM guests, served by a dom0-based qemu, will avoid this
vulnerability.

CREDITS
=======

This issue was discovered by Andrew Cooper of Citrix.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa227.patch           xen-unstable, Xen 4.9.x, 4.8.x, 4.7.x
xsa227-4.6.patch       Xen 4.6.x
xsa227-4.5.patch       Xen 4.5.x

$ sha256sum xsa227*
c48cc3be47e81a4ceebcf60659b8755516c68916fc5150920ed42c6b61e3f219  xsa227.meta
9923a47e5f86949800887596f098954a08ef73a01d74b1dbe16cab2e6b1fabb2  xsa227.patch
6f83d0d9ff853192840d2b82d26d8fde21473bf4ac1441a153f3ee02efd1dd67  xsa227-4.5.patch
162b991b27b86f210089526a01cae715563d3a069c92f42538b423bba7709fcc  xsa227-4.6.patch
$

(The .meta file is a prototype machine-readable file for describing
which patches are to be applied how.)

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJZkuNOAAoJEIP+FMlX6CvZ9wsH/3/DA8EENxPdhgoNEihvHgPP
rquggFGcmgiJZyuy6+e3PZKUwQmUcVdPuVE5h+8NWYRCTjxa15LC/auAmkMHP170
f7nkSA6oU0zT1mxxqWWjht+CCJ56dmpJN+WGXQMasVEO9PLYR7gOxf90rqDuzqE8
zcQA4OyIOpsEH4Y2k2hjYFeLleWSLZKSPAy8fupZv34FakZDDLgxPMdWSrYQX/pP
r2QmLoVk4pSQYZzy5aAZWgLugR+ewOmgYTntzGYSEB2VqEgl6vtA8STVqB5WsYZ4
eumUUZRBUeo9n2U9TgWPmKr5JtvC9w2/cjV6HysO5vUwuLJUICX25O9BE3VnBs0=
=ulEd
-----END PGP SIGNATURE-----

Download attachment "xsa227.meta" of type "application/octet-stream" (1867 bytes)

Download attachment "xsa227.patch" of type "application/octet-stream" (1535 bytes)

Download attachment "xsa227-4.5.patch" of type "application/octet-stream" (1934 bytes)

Download attachment "xsa227-4.6.patch" of type "application/octet-stream" (1977 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.