Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1eKNVR-0008GI-Sv@xenbits.xenproject.org>
Date: Thu, 30 Nov 2017 11:59:53 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org,
 xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security-team-members@....org>
Subject: Xen Security Advisory 247 (CVE-2017-17045) - Missing p2m error
 checking in PoD code

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2017-17045 / XSA-247
                              version 3

                 Missing p2m error checking in PoD code

UPDATES IN VERSION 3
====================

CVE assigned.

Fixed "Reported-by" tags in patch commit messages.

ISSUE DESCRIPTION
=================

Certain actions require modification of entries in a guest's P2M
(Physical-to-Machine) table.  When large pages are in use for this
table, such an operation may incur a memory allocation (to replace a
large mapping with individual smaller ones).  If this allocation
fails, the p2m_set_entry() function will return an error.

Unfortunately, several places in the populate-on-demand code don't
check the return value of p2m_set_entry() to see if it succeeded.

In some cases, the operation was meant to remove an entry from the p2m
table.  If this removal fails, a malicious guest may engineer that the
page be returned to the Xen free list, making it available to be
allocated to another domain, while it retains a writable mapping to
the page.

In other cases, the operation was meant to remove special
populate-on-demand entries; if this removal fails, the internal
accounting becomes inconsistent and may eventually hit a BUG().

The allocation involved comes from a separate pool of memory created
when the domain is created; under normal operating conditions it never
fails, but a malicious guest may be able to engineer situations where
this pool is exhausted.

IMPACT
======

An unprivileged guest can retain a writable mapping of freed memory.
Depending on how this page is used, it could result in either an
information leak, or full privilege escalation.

Alternatively, an unprivileged guest can cause Xen to hit a BUG(),
causing a clean crash - ie, host-wide denial-of-service (DoS).

VULNERABLE SYSTEMS
==================

All systems from Xen 3.4 are vulnerable.

Only x86 systems are vulnerable.  ARM is not vulnerable.

x86 PV VMs cannot leverage the vulnerability.

Only systems with 2MiB or 1GiB HAP pages enabled are vulnerable.

The vulnerability is largely restricted to HVM guests which have been
constructed in Populate-on-Demand mode (i.e. with memory < maxmem):

x86 HVM domains without PoD (i.e. started with memory == maxmem, or
without mentioning "maxmem" in the guest config file) also cannot
leverage the vulnerability, in recent enough Xen versions:
  4.8.x and later: all versions safe if PoD not configured
  4.7.x: 4.7.1 and later safe if PoD not configured
  4.6.x: 4.6.4 and later safe if PoD not configured
  4.5.x: 4.5.4 and later safe if PoD not configured
  4.4.x and earlier: all versions vulnerable even if PoD not configured

The commit required to prevent this vulnerability when PoD
not configured is 2a99aa99fc84a45f505f84802af56b006d14c52e
  xen/physmap: Do not permit a guest to populate PoD pages for itself
and the corresponding backports.

MITIGATION
==========

Running only PV guests will avoid this issue.

Running HVM guests only in non-PoD mode (maxmem == memory) will also
avoid this issue.  NOTE: In older releases of Xen, an HVM guest can
create PoD entries itself; so this mitigation will not be effective.

Specifying "hap_1gb=0 hap_2mb=0" on the hypervisor command line will
also avoid the vulnerability.

Alternatively, running all x86 HVM guests in shadow mode will also
avoid this vulnerability.  (For example, by specifying "hap=0" in the
xl domain configuration file.)

CREDITS
=======

This issue was discovered by George Dunlap of Citrix.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa247/*.patch           xen-unstable
xsa247-4.9/*.patch       Xen 4.9.x
xsa247-4.8/*.patch       Xen 4.8.x
xsa247-4.7/*.patch       Xen 4.7.x
xsa247-4.6/*.patch       Xen 4.6.x
xsa247-4.5/*.patch       Xen 4.5.x

$ sha256sum xsa247* xsa247*/*
e8fc454c35f429ab60b94c0e812f86fd2b3b37edfff2bfdcc13a7e13ebc2efbe  xsa247.meta
3a8c0e02e9c94f68119f21a334ef70c409b71270c7de223d7d9163dbc1cfa286  xsa247-4.5/0001-p2m-Always-check-to-see-if-removing-a-p2m-entry-actu.patch
6851ec78da2e91b03c8f3016311d32354a4dacf99ad20ea4f5dc1ed493d42a60  xsa247-4.5/0002-p2m-Check-return-value-of-p2m_set_entry-when-decreas.patch
dce7e6c1961a85f59d20a3a98ea02d677a4956c3caf5273ea0b890d977cda3e5  xsa247-4.6/0001-p2m-Always-check-to-see-if-removing-a-p2m-entry-actu.patch
110de2762531654b77fc38e4f2ee0bae76233e59557c6f6190e839065f9563cc  xsa247-4.6/0002-p2m-Check-return-value-of-p2m_set_entry-when-decreas.patch
d149342e4d40dfb550f8af6d05cd20a34889d64fb33f967fe77cf89b4ea8504a  xsa247-4.7/0001-p2m-Always-check-to-see-if-removing-a-p2m-entry-actu.patch
3c8a7bfdb408af0224cf6f5471b0fd9dd1a9a1ded7207e427b02268ca2906aa6  xsa247-4.7/0002-p2m-Check-return-value-of-p2m_set_entry-when-decreas.patch
7ddbd99a30dcddc9a4e0dc7e2f4cfa63abb6237c6d9a706b729cf9df5f34b869  xsa247-4.8/0001-p2m-Always-check-to-see-if-removing-a-p2m-entry-actu.patch
4574e27bb76d6dbb357b4dd8efa5fbbbffa69d17ea9c8f8330d3ef19f6cb3fce  xsa247-4.8/0002-p2m-Check-return-value-of-p2m_set_entry-when-decreas.patch
2d0656e84be3b8eb828c199463c5532bddd16cf6e1159ce512a304ef85359422  xsa247-4.9/0001-p2m-Always-check-to-see-if-removing-a-p2m-entry-actu.patch
f7429ae9fc9934d3a91aa6f3b9d2dc7a7e464128e4e2a8a71e7c8f26affdb731  xsa247-4.9/0002-p2m-Check-return-value-of-p2m_set_entry-when-decreas.patch
024bce64257936048dff6cd66a0ba3212985cad42e78357a1c3513873099ebe2  xsa247/0001-p2m-Always-check-to-see-if-removing-a-p2m-entry-actu.patch
32bb016003d7c37452222cacf22e74b4d29a227d6a808ae89c83293a2bd12f40  xsa247/0002-p2m-Check-return-value-of-p2m_set_entry-when-decreas.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators, with ONE exception:

Removing the ability to boot in populate-on-demand mode is NOT
permitted during the embargo on public cloud systems.  This is because
doing so might alert attackers to the nature of the vulnerability.
Deployment of this mitigation is permitted only AFTER the embargo
ends.

Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJaH/KPAAoJEIP+FMlX6CvZXrkH/AyVeBsY/MhMmPp7lfV9no52
FHQJF84UDrVDuYeQGVLbTcpXW+3ndEnLrg7Y2N6r6be1qn/KSKLtRO1gh+4mpRg4
n/bBKjldHTsVtr2lb51w6cd0AnibqP+9aSdT5qfselBVpwPBIuDsmny7ZQQnhZuN
CwRiKp8uNQ/RNxZHPOZ0k5FmugKQcysj0kSjtNvP+11Fk2b8tJP5o4tMozP/+Umu
kv9YAp5WxqqJUHtb25Abf7pszgmp72a19ajvUZK0TPNTajKbQBnBNEoC+GoocFjV
eu1iVOxduinIoCjNE/67GXQWajsF6ANnWz+dka306C4BS5WXWOWpMbdaAuLCq7Q=
=wtMZ
-----END PGP SIGNATURE-----

Download attachment "xsa247.meta" of type "application/octet-stream" (1891 bytes)

Download attachment "xsa247-4.5/0001-p2m-Always-check-to-see-if-removing-a-p2m-entry-actu.patch" of type "application/octet-stream" (6505 bytes)

Download attachment "xsa247-4.5/0002-p2m-Check-return-value-of-p2m_set_entry-when-decreas.patch" of type "application/octet-stream" (4149 bytes)

Download attachment "xsa247-4.6/0001-p2m-Always-check-to-see-if-removing-a-p2m-entry-actu.patch" of type "application/octet-stream" (6505 bytes)

Download attachment "xsa247-4.6/0002-p2m-Check-return-value-of-p2m_set_entry-when-decreas.patch" of type "application/octet-stream" (4155 bytes)

Download attachment "xsa247-4.7/0001-p2m-Always-check-to-see-if-removing-a-p2m-entry-actu.patch" of type "application/octet-stream" (6463 bytes)

Download attachment "xsa247-4.7/0002-p2m-Check-return-value-of-p2m_set_entry-when-decreas.patch" of type "application/octet-stream" (4302 bytes)

Download attachment "xsa247-4.8/0001-p2m-Always-check-to-see-if-removing-a-p2m-entry-actu.patch" of type "application/octet-stream" (6439 bytes)

Download attachment "xsa247-4.8/0002-p2m-Check-return-value-of-p2m_set_entry-when-decreas.patch" of type "application/octet-stream" (4266 bytes)

Download attachment "xsa247-4.9/0001-p2m-Always-check-to-see-if-removing-a-p2m-entry-actu.patch" of type "application/octet-stream" (6439 bytes)

Download attachment "xsa247-4.9/0002-p2m-Check-return-value-of-p2m_set_entry-when-decreas.patch" of type "application/octet-stream" (4266 bytes)

Download attachment "xsa247/0001-p2m-Always-check-to-see-if-removing-a-p2m-entry-actu.patch" of type "application/octet-stream" (6222 bytes)

Download attachment "xsa247/0002-p2m-Check-return-value-of-p2m_set_entry-when-decreas.patch" of type "application/octet-stream" (4167 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.