Mailing List Archive

Xen Security Advisory 268 v3 (CVE-2018-15469) - Use of v2 grant tables may cause crash on ARM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Xen Security Advisory CVE-2018-15469 / XSA-268
version 3

Use of v2 grant tables may cause crash on ARM

UPDATES IN VERSION 3
====================

CVE assigned.

ISSUE DESCRIPTION
=================

ARM never properly implemented grant table v2, either in the
hypervisor or in Linux.

Unfortunately, an ARM guest can still request v2 grant tables; they
will simply not be properly set up, resulting in subsequent
grant-related hypercalls hitting BUG() checks.

IMPACT
======

An unprivileged guest can cause a BUG() check in the hypervisor,
resulting in a denial-of-service.

VULNERABLE SYSTEMS
==================

Only ARM systems are vulnerable. All supported versions of Xen are
vulnerable.

MITIGATION
==========

None.

CREDITS
=======

This issue was discovered by ?? of Samsung.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue by
preventing a guest from switching to grant v2.

xsa268.patch xen-unstable
xsa268-4.11.patch Xen 4.11.0
xsa268-4.10-?.patch Xen 4.10.x
xsa268-4.9-?.patch Xen 4.9.x, Xen 4.8.x
xsa268-4.7-?.patch Xen 4.7.x
xsa268-4.6-?.patch Xen 4.6.x

$ sha256sum xsa268*
f336b45676e73f8b102e5dddf78af2d1d288f9a254142a8a8e9949db55e1cc3b xsa268.meta
ca5f69cb8cfb74fae44a0f39f80ec9ae4d269c4895f36311b50d191be97bbcf0 xsa268.patch
93a68a5b23aedc6adf0aae23303dc8eb2c02dc40a5e1d7eb0a1b497cd66da209 xsa268-4.6-1.patch
5b74afd13d96779a72dc34ba7c63a1735cd267fb9bb643f735ac69b0e6ff54d5 xsa268-4.6-2.patch
820e1018f76ef2828b1cbb33e2966b99f6934a80ab55f11749ff847d375d1b02 xsa268-4.7-1.patch
233f7e69e5fb931d2e5cf03f4407f38ff960c039c9eced957df13d3cc37fa6b1 xsa268-4.7-2.patch
4a0c705f0266185b32daf313e686abc340e2fbb1a1644647500fc405bc180913 xsa268-4.9-1.patch
ce16eaab94cd1e64f9c9127b64da7ebb6a7758eb540fecc3bbcc2dbfbcc4d7e2 xsa268-4.9-2.patch
f413d41fadefe0e275c8bff16a2061bb325f3900b7ccf214a9e97fabf3ee1a89 xsa268-4.10-1.patch
531654f82908c1aa7b0fcea818c82c4b53d4750a697db3353cc05e9e91e5d639 xsa268-4.10-2.patch
baeb6b2c28a9cbe929c9cf34398780002fffe12b928df4d1e5951c0a5b51336a xsa268-4.11.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJbeo4HAAoJEIP+FMlX6CvZxYMH/R1pB/0Qh+eYJevI0XZCh0TX
TlzPkzvTkif3JUfYtms1rVeXdAUoOaZPrMpzZYFWthOHhHR6Y8tiBWxiRGWuEf0a
OaAYTebIQN4U69AUXGaXdA1p1Nnix5guOgljM1EHD3LGEBtadzdYdFfpKrEv1F7L
f8fwLULljcfwHKI7Yv/CwGdRAt2YrtIFqry916yc0RHk2nQpLvX8V+8YXWla8zGR
1Vkin0WoR31qkcakJGXO8jXD1Wpn4J+2lAyMpAiPpN7d8F7/cEOj7huRuTkYFQha
/sTUc5Dy3kniLptJF+2//dLOjwKQKSKd3c8LJjc8IGPCwfpNpVmLaCiB/93AcWk=
=yh+i
-----END PGP SIGNATURE-----