Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1eqdvU-0006ly-7n@xenbits.xenproject.org>
Date: Tue, 27 Feb 2018 12:00:08 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org,
 xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security-team-members@....org>
Subject: Xen Security Advisory 255 - grant table v2 -> v1 transition may
 crash Xen

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

                    Xen Security Advisory XSA-255
                              version 3

             grant table v2 -> v1 transition may crash Xen

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

Grant tables come in two flavors (versions), and domains are permitted
to freely change between them (subject to certain constraints).  For
the guest to use the facility, both the "normal" shared pages
(applicable to v1 and v2) and the "status" pages (applicable to v2
only) need to be mapped by the guest into its address space.

When transitioning from v2 to v1, the status pages become unnecessary
and are therefore freed by Xen.  That means Xen needs to check that
there are no mappings of those pages by the domain.  However, that
check was mistakenly implemented as a bug check, rather than returning
an error to the guest.

IMPACT
======

A malicious or buggy guest may cause a hypervisor crash, resulting in
a Denial of Service (DoS) affecting the entire host.  Privilege
escalation as well as information leaks cannot be ruled out for HVM,
PVH (both x86), and ARM guests.

The impact is more severe for Xen versions 4.0.x, 4.1.0 ... 4.1.3, and
4.2 in that the pages are freed without any checking, thus allowing
their re-use for another domain, or by Xen itself, while there still
are active mappings (see XSA-26).

VULNERABLE SYSTEMS
==================

Xen versions 4.0 and newer are vulnerable.

Both x86 and ARM systems are vulnerable.

MITIGATION
==========

Using the "gnttab=max_ver:1" hypervisor command line option, where
available, to disable use of v2 grant tables allows to avoid the
vulnerability.  Use of this option will, however, break any guests which
require to make use of v2 functionality.  The patch introducing this
option was not merged so far, but is available (in its current form) at
https://lists.xenproject.org/archives/html/xen-devel/2018-02/msg00059.html
("common/gnttab: Introduce command line feature controls").

There is no other known mitigation.

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa255-?.patch         xen-unstable, Xen 4.10.x
xsa255-4.9-?.patch     Xen 4.9.x, Xen 4.8.x
xsa255-4.7-?.patch     Xen 4.7.x
xsa255-4.6-?.patch     Xen 4.6.x

$ sha256sum xsa255*
05a5570ecf4354f7aad35bb77a4c2f5f556bcabf3555829a98c94dcfb6dd4696  xsa255-1.patch
df43a147f1e1a2b7d59588bc91cdaac05d4e45bcfc4e2c8cb5e8de840d44b43d  xsa255-2.patch
be62d81583df10a6be275427d5cfa02084c8717473b3694cd2a9bbdc10cbadcb  xsa255-4.6-1.patch
3dd58114c5ce68fd8dd43f8f92eaafdcec1fd9add37eb41faed1cf818058539a  xsa255-4.6-2.patch
9bfc4a33a0faeb36aec8449ea940cef52d523cc3d13529b4eeaae64bf5a7b644  xsa255-4.7-1.patch
6d95ceb54298de7863dc7133c0f3adf85f7da9b8d326146ff46e641194a47fc0  xsa255-4.7-2.patch
0b4706f0d2d21d4f6414ae9c0205e553bfb792c23d44e129b3a0f90be557d13f  xsa255-4.9-1.patch
9c6b2d2183ffa484182ca75e1a048d0713c4d150e750ccf58be5a24991a3e1de  xsa255-4.9-2.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches described above (or others which are
substantially similar) is permitted during the embargo, even on
public-facing systems with untrusted guest users and administrators.

However, deployment of the mitigation is NOT permitted (except where
all the affected systems and VMs are administered and used only by
organisations which are members of the Xen Project Security Issues
Predisclosure List).  Specifically, deployment on public cloud systems
is NOT permitted.  This is because this produces a guest-visible
change which will indicate which component contains the vulnerability.

Additionally, distribution of updated software is prohibited (except to
other members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJalUeyAAoJEIP+FMlX6CvZrgoH/3bGXBS8dUA/59slmiyw7UpG
jShI/y+aCo5APtvPVrm+1cM/YOFVCHoZcnL0V+E9VBekCeVo84lfrDwrsU76RWNq
vIyPKBBeJbJFCCLatiWWDSEG6MukhhF0xiJy5RuMd/A1d4+6XLsD3y2bIkBb1P13
WzPJcgN1/wMM4A5Tp7MgyncOdm5yODu0A85L4J6fOOGm+LrNErvFpREcivoIKhbq
PKm04dSNb3jp7b7J9cVfSH/ZhpD1szwJ9yrddX3zgOF/1jlDi54Bri2potAZRZ0j
h+dN4Oh1HUR6NJeTuJqHx/VwFsx7V2zmWZZwsHaI7f/Oe15GRY/vPJNEm3VhNoM=
=atsR
-----END PGP SIGNATURE-----

Download attachment "xsa255-1.patch" of type "application/octet-stream" (5980 bytes)

Download attachment "xsa255-2.patch" of type "application/octet-stream" (6100 bytes)

Download attachment "xsa255-4.6-1.patch" of type "application/octet-stream" (4249 bytes)

Download attachment "xsa255-4.6-2.patch" of type "application/octet-stream" (6773 bytes)

Download attachment "xsa255-4.7-1.patch" of type "application/octet-stream" (4186 bytes)

Download attachment "xsa255-4.7-2.patch" of type "application/octet-stream" (6772 bytes)

Download attachment "xsa255-4.9-1.patch" of type "application/octet-stream" (4169 bytes)

Download attachment "xsa255-4.9-2.patch" of type "application/octet-stream" (6690 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.