Mailing List Archive

Xen Security Advisory 255 (CVE-2018-7541) - grant table v2 -> v1 transition may crash Xen
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Xen Security Advisory CVE-2018-7541 / XSA-255
version 4

grant table v2 -> v1 transition may crash Xen

UPDATES IN VERSION 4
====================

CVE assigned.

ISSUE DESCRIPTION
=================

Grant tables come in two flavors (versions), and domains are permitted
to freely change between them (subject to certain constraints). For
the guest to use the facility, both the "normal" shared pages
(applicable to v1 and v2) and the "status" pages (applicable to v2
only) need to be mapped by the guest into its address space.

When transitioning from v2 to v1, the status pages become unnecessary
and are therefore freed by Xen. That means Xen needs to check that
there are no mappings of those pages by the domain. However, that
check was mistakenly implemented as a bug check, rather than returning
an error to the guest.

IMPACT
======

A malicious or buggy guest may cause a hypervisor crash, resulting in
a Denial of Service (DoS) affecting the entire host. Privilege
escalation as well as information leaks cannot be ruled out for HVM,
PVH (both x86), and ARM guests.

The impact is more severe for Xen versions 4.0.x, 4.1.0 ... 4.1.3, and
4.2 in that the pages are freed without any checking, thus allowing
their re-use for another domain, or by Xen itself, while there still
are active mappings (see XSA-26).

VULNERABLE SYSTEMS
==================

Xen versions 4.0 and newer are vulnerable.

Both x86 and ARM systems are vulnerable.

MITIGATION
==========

Using the "gnttab=max_ver:1" hypervisor command line option, where
available, to disable use of v2 grant tables allows to avoid the
vulnerability. Use of this option will, however, break any guests which
require to make use of v2 functionality. The patch introducing this
option was not merged so far, but is available (in its current form) at
https://lists.xenproject.org/archives/html/xen-devel/2018-02/msg00059.html
("common/gnttab: Introduce command line feature controls").

There is no other known mitigation.

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa255-?.patch xen-unstable, Xen 4.10.x
xsa255-4.9-?.patch Xen 4.9.x, Xen 4.8.x
xsa255-4.7-?.patch Xen 4.7.x
xsa255-4.6-?.patch Xen 4.6.x

$ sha256sum xsa255*
05a5570ecf4354f7aad35bb77a4c2f5f556bcabf3555829a98c94dcfb6dd4696 xsa255-1.patch
df43a147f1e1a2b7d59588bc91cdaac05d4e45bcfc4e2c8cb5e8de840d44b43d xsa255-2.patch
be62d81583df10a6be275427d5cfa02084c8717473b3694cd2a9bbdc10cbadcb xsa255-4.6-1.patch
3dd58114c5ce68fd8dd43f8f92eaafdcec1fd9add37eb41faed1cf818058539a xsa255-4.6-2.patch
9bfc4a33a0faeb36aec8449ea940cef52d523cc3d13529b4eeaae64bf5a7b644 xsa255-4.7-1.patch
6d95ceb54298de7863dc7133c0f3adf85f7da9b8d326146ff46e641194a47fc0 xsa255-4.7-2.patch
0b4706f0d2d21d4f6414ae9c0205e553bfb792c23d44e129b3a0f90be557d13f xsa255-4.9-1.patch
9c6b2d2183ffa484182ca75e1a048d0713c4d150e750ccf58be5a24991a3e1de xsa255-4.9-2.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches described above (or others which are
substantially similar) is permitted during the embargo, even on
public-facing systems with untrusted guest users and administrators.

However, deployment of the mitigation is NOT permitted (except where
all the affected systems and VMs are administered and used only by
organisations which are members of the Xen Project Security Issues
Predisclosure List). Specifically, deployment on public cloud systems
is NOT permitted. This is because this produces a guest-visible
change which will indicate which component contains the vulnerability.

Additionally, distribution of updated software is prohibited (except to
other members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJal/zSAAoJEIP+FMlX6CvZT6EH/1V/ZKiEzRRz7zdQtP29RKFJ
vlqhVO76d1jerdS19crtthQIP9y0hXBBZqLOcbkzH1JrSA9Zt6GrsvOBB/YTczzr
8pEBEapnlUbTr6zk0V6+maXtmIzmmMhUjy6qvdZIE3qs9gxS2ZQkAAFRJNP/mPNY
3saNnh1h66ojWmGZYq6Corb3bNbOEX51uKNsUP8f5jbPSNPV6iwgQ5ogM3HsI+LV
vibg2VVnlDlHP5Wf2Bzz7KQOUR+FH+4fyJoUJIK7nwWQikBp5Px7uvGBiNcwwUG6
fpEKB1QnrW1FVl9CkrqzcFJs2ChjFW9mORTflth5Ai7g86ZyEtVdhfJNav4mLmk=
=+53n
-----END PGP SIGNATURE-----