Message-Id: <E1dNHpJ-00069v-G6@xenbits.xenproject.org>
Date: Tue, 20 Jun 2017 12:00:09 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org,
 xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security-team-members@....org>
Subject: Xen Security Advisory 224 - grant table operations mishandle
 reference counts


                    Xen Security Advisory XSA-224
                              version 4

           grant table operations mishandle reference counts

UPDATES IN VERSION 4
====================

Correct 4.5 backports (first patch had an issue which then was
corrected by last one).

Public release.

ISSUE DESCRIPTION
=================

We have discovered a number of bugs in the code mapping and unmapping
grant references.

* If a grant is mapped with both the GNTMAP_device_map and
GNTMAP_host_map flags, but unmapped only with host_map, the device_map
portion remains but the page reference counts are lowered as though it
had been removed. This bug can be leveraged to cause a page's reference
counts and type counts to fall to zero while retaining writeable
mappings to the page.

* Under some specific conditions, if a grant is mapped with both the
GNTMAP_device_map and GNTMAP_host_map flags, the operation may not
grab sufficient type counts.  When the grant is then unmapped, the
type count will be erroneously reduced.  This bug can be leveraged to
cause a page's reference counts and type counts to fall to zero while
retaining writeable mappings to the page.

* When a grant reference is given to an MMIO region (as opposed to a
normal guest page), if the grant is mapped with only the
GNTMAP_device_map flag set, a mapping is created at host_addr anyway.
This does *not* cause reference counts to change, but there will be no
record of this mapping, so it will not be considered when reporting
whether the grant is still in use.
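
The first of these accounting errors, reduced to a toy model. This is
an added illustration, not Xen's grant-table code: the flag values,
structures and function names are constructed, and every grant is
treated as a writeable mapping so that host mappings also hold a type
reference. It shows the invariant a reviewer would check (every live
mapping is backed by a reference) failing under the described unmap
behaviour and holding under the corrected one.

```c
#include <stdbool.h>

/* Constructed model of the XSA-224 accounting; not Xen's own definitions. */
#define GNTMAP_device_map 0x1
#define GNTMAP_host_map   0x2

struct page { int count; int type_count; };   /* general refs / writeable-type refs */
struct maptrack { unsigned flags; };          /* mapping halves currently live */

/* Each live half holds one general ref; the host half also holds a type ref. */
static void grant_map(struct page *pg, struct maptrack *mt, unsigned flags)
{
    if (flags & GNTMAP_device_map) pg->count++;
    if (flags & GNTMAP_host_map)   { pg->count++; pg->type_count++; }
    mt->flags |= flags;
}

/* Faulty variant (first bullet above): an unmap naming only host_map
 * releases the refs of BOTH halves, yet the device mapping stays live. */
static void grant_unmap_faulty(struct page *pg, struct maptrack *mt, unsigned flags)
{
    if (mt->flags & GNTMAP_device_map) pg->count--;
    if (mt->flags & GNTMAP_host_map)   { pg->count--; pg->type_count--; }
    mt->flags &= ~flags;
}

/* Corrected variant: release only the refs of halves actually torn down. */
static void grant_unmap_fixed(struct page *pg, struct maptrack *mt, unsigned flags)
{
    unsigned gone = mt->flags & flags;
    if (gone & GNTMAP_device_map) pg->count--;
    if (gone & GNTMAP_host_map)   { pg->count--; pg->type_count--; }
    mt->flags &= ~gone;
}

/* Invariant: no live mapping may outlive the references that back it. */
static bool accounting_consistent(const struct page *pg, const struct maptrack *mt)
{
    int live = !!(mt->flags & GNTMAP_device_map) + !!(mt->flags & GNTMAP_host_map);
    int live_host = !!(mt->flags & GNTMAP_host_map);
    return pg->count >= live && pg->type_count >= live_host;
}

/* Map with both flags, unmap with host_map only; report whether accounting held. */
bool scenario(bool use_fixed)
{
    struct page pg = { 0, 0 };
    struct maptrack mt = { 0 };
    grant_map(&pg, &mt, GNTMAP_device_map | GNTMAP_host_map);
    if (use_fixed) grant_unmap_fixed(&pg, &mt, GNTMAP_host_map);
    else           grant_unmap_faulty(&pg, &mt, GNTMAP_host_map);
    return accounting_consistent(&pg, &mt);
}
```

With the faulty unmap the page ends with zero general and type
references while its device mapping is still recorded, which is exactly
the state the advisory warns about.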

IMPACT
======

For the worst issue, a PV guest could gain a writeable mapping of its
own pagetable, allowing it to escalate its privileges to that of the
host.

VULNERABLE SYSTEMS
==================

All versions of Xen are vulnerable.

Only x86 systems are vulnerable.

Any system running untrusted PV guests is vulnerable.

Systems with untrusted HVM guests are only vulnerable if those guests
are served by a trusted PV backend which is vulnerable, namely one
which calls grant_map() with both the GNTMAP_device_map and
GNTMAP_host_map flags.  The security team is not aware of any backends
which are vulnerable.

MITIGATION
==========

Running only HVM guests will avoid this vulnerability.

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

Applying the appropriate set of attached patches resolves this issue.
Note that these patches are assumed to be applied on top of the XSA-218
ones; not doing so may cause at least mechanical problems when applying
the ones here.

xsa224-unstable/*.patch         xen-unstable
xsa224-4.8/*.patch       Xen 4.8.x
xsa224-4.7/*.patch       Xen 4.7.x
xsa224-4.6/*.patch       Xen 4.6.x
xsa224-4.5/*.patch       Xen 4.5.x

$ sha256sum xsa224*/*

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decision-making.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
