Message-Id: <E1h194c-0001G4-TC@xenbits.xenproject.org>
Date: Tue, 05 Mar 2019 12:21:30 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org, xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security-team-members@....org>
Subject: Xen Security Advisory 287 v2 - x86: steal_page violates page_struct access discipline

Xen Security Advisory XSA-287
version 2

x86: steal_page violates page_struct access discipline

UPDATES IN VERSION 2
====================

Metadata updated to remove dependency on XSA-283.

Public release.

ISSUE DESCRIPTION
=================

Xen's reference counting rules were designed to allow pages to change
owner and state without requiring a global lock. Each page has a page
structure, and a very specific set of access disciplines must be
observed to ensure that pages are freed properly, and that no writable
mappings exist for PV pagetable pages.

Unfortunately, when the XENMEM_exchange hypercall was introduced,
these access disciplines were violated, opening up several potential
race conditions.

IMPACT
======

A single PV guest can leak arbitrary amounts of memory, leading to a
denial of service.

A cooperating pair of PV and HVM/PVH guests can get a writable
pagetable entry, leading to information disclosure or privilege
escalation.

Privilege escalation attacks using only a single PV guest or a pair of
PV guests have not been ruled out.

Note that both of these attacks require very precise timing, which may
be difficult to exploit in practice.

VULNERABLE SYSTEMS
==================

Only x86 systems are vulnerable.

Only systems which run PV guests are vulnerable. Systems which run
only HVM/PVH guests are not vulnerable.

MITIGATION
==========

Running only HVM or PVH guests will avoid these vulnerabilities.

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa287.patch           xen-unstable
xsa287-4.11.patch      Xen 4.11.x
xsa287-4.10.patch      Xen 4.10.x
xsa287-4.9.patch       Xen 4.9.x
xsa287-4.8.patch       Xen 4.8.x
xsa287-4.7.patch       Xen 4.7.x

$ sha256sum xsa287*
ae2b9261e26df871693478629c63970ba30817ee1dcb2266b89d8b067833c1b3  xsa287.meta
7de1b886d69dd7c497f88d41adf9a6f7cf9a305fd8ae9d714e1125e2a22208ab  xsa287.patch
55f40f2f9bb41c85ac80dac775352e28b25fada80dae574e9d10300d5e2b91ce  xsa287-4.7.patch
57312ff131eb6b51235723e862adf42ad3529ed13135375875c054fa0b55f80b  xsa287-4.8.patch
34f4b835766a38bcf4066ccbab74676eda176e15ed2a6bd7884678a64507f89a  xsa287-4.9.patch
c7eaf8a325011dda84b02ee097ddbc7b5f2f4d3399de545a3a7b14e2d23f4278  xsa287-4.10.patch
6793315f714a249a4fad12b36559640b2f97f19f5b85f0d58694c6e78aa3d567  xsa287-4.11.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
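
The patch selection and checksum check from RESOLUTION, as an added example that is not part of the advisory or of the Xen Project's tooling: it maps a Xen release to the patch file the advisory names for it and compares the file's SHA-256 with the advisory's listing before anything is applied. The function names and the "unstable" keyword are assumptions made for this example; the file names and digests are copied from the advisory.

```sh
#!/bin/sh
# Added example, not Xen Project code. Function names are hypothetical.
# Digests and file names are copied from the advisory's sha256sum listing.
XSA287_SUMS='ae2b9261e26df871693478629c63970ba30817ee1dcb2266b89d8b067833c1b3  xsa287.meta
7de1b886d69dd7c497f88d41adf9a6f7cf9a305fd8ae9d714e1125e2a22208ab  xsa287.patch
55f40f2f9bb41c85ac80dac775352e28b25fada80dae574e9d10300d5e2b91ce  xsa287-4.7.patch
57312ff131eb6b51235723e862adf42ad3529ed13135375875c054fa0b55f80b  xsa287-4.8.patch
34f4b835766a38bcf4066ccbab74676eda176e15ed2a6bd7884678a64507f89a  xsa287-4.9.patch
c7eaf8a325011dda84b02ee097ddbc7b5f2f4d3399de545a3a7b14e2d23f4278  xsa287-4.10.patch
6793315f714a249a4fad12b36559640b2f97f19f5b85f0d58694c6e78aa3d567  xsa287-4.11.patch'

# Map a Xen version (e.g. "4.11.1", or "unstable") to the patch RESOLUTION
# names for it. Branches the advisory does not list return 1.
xsa287_patch_for() {
    case "$1" in
        unstable)     echo xsa287.patch ;;
        4.11|4.11.*)  echo xsa287-4.11.patch ;;
        4.10|4.10.*)  echo xsa287-4.10.patch ;;
        4.9|4.9.*)    echo xsa287-4.9.patch ;;
        4.8|4.8.*)    echo xsa287-4.8.patch ;;
        4.7|4.7.*)    echo xsa287-4.7.patch ;;
        *)            return 1 ;;
    esac
}

# Print the digest the advisory lists for a file name; return 1 if unlisted.
xsa287_expected_sha256() {
    printf '%s\n' "$XSA287_SUMS" |
        awk -v f="$1" '$2 == f { print $1; found = 1 } END { exit !found }'
}

# Return 0 if FILE matches its listed digest, 1 on mismatch or unreadable
# file, 2 if the file name is not one the advisory lists.
xsa287_verify() {
    xsa287_want=$(xsa287_expected_sha256 "$(basename "$1")") || return 2
    xsa287_got=$(sha256sum "$1" 2>/dev/null | cut -d' ' -f1)
    [ -n "$xsa287_got" ] && [ "$xsa287_got" = "$xsa287_want" ]
}

# Stand-alone use: sh xsa287-check.sh <xen-version> <patch-directory>
if [ "$#" -eq 2 ]; then
    p=$(xsa287_patch_for "$1") || { echo "no XSA-287 patch listed for $1" >&2; exit 2; }
    xsa287_verify "$2/$p" || { echo "$p: missing or digest mismatch" >&2; exit 1; }
    echo "$2/$p verified; apply it to the Xen $1 source tree"
fi
```

A matching digest only shows that the file is the one the listing describes; the listing itself is trusted through the advisory's PGP signature, which this sketch does not check.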