Xen Security Advisory 218 (CVE-2017-10913, CVE-2017-10914) - Races in the grant table unmap code

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

Xen Security Advisory 218 (CVE-2017-10913, CVE-2017-10914) - Races in the grant table unmap code

Xen.org security team
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

    Xen Security Advisory CVE-2017-10913,CVE-2017-10914 / XSA-218
                              version 5

                 Races in the grant table unmap code

UPDATES IN VERSION 5
====================

CVEs assigned.

ISSUE DESCRIPTION
=================

We have discovered two bugs in the code unmapping grant references.

* When a grant had been mapped twice by a backend domain, and then
unmapped by two concurrent unmap calls, the frontend may be informed
that the page had no further mappings when the first call completed rather
than when the second call completed.  (CVE-2017-10913.)

* A race triggerable by an unprivileged guest could cause a grant
maptrack entry for grants to be "freed" twice.  The ultimate effect of
this would be for maptrack entries for a single domain to be re-used.
(CVE-2017-10914.)

IMPACT
======

For the first issue, for a short window of time, a malicious backend
could still read and write memory that the frontend thought was its
own again.  Depending on the usage, this could be either an
information leak, or a backend-to-frontend privilege escalation.

The second issue is more difficult to analyze. It can probably cause
reference counts to leak, preventing memory from being freed on domain
destruction (denial-of-service), but information leakage or host
privilege escalation cannot be ruled out.

VULNERABLE SYSTEMS
==================

All versions of Xen are vulnerable.

Both ARM and x86 are vulnerable.

On x86, systems with either PV or HVM guests are vulnerable.

MITIGATION
==========

None.

CREDITS
=======

This issue was discovered by Jann Horn of Google Project Zero.

RESOLUTION
==========

Applying the appropriate set of attached patches resolves this issue.

xsa218-unstable/*.patch    xen-unstable
xsa218-4.8/*.patch         Xen 4.8.x
xsa218-4.7/*.patch         Xen 4.7.x
xsa218-4.6/*.patch         Xen 4.6.x
xsa218-4.5/*.patch         Xen 4.5.x

$ sha256sum xsa218*/*
6f5e588edb6d3f0a37b89235e95cdcc7ca73cdff236d86b65e6f608bd15b03ec  xsa218-unstable/0001-gnttab-fix-unmap-pin-accounting-race.patch
5cb85f0aaa19ff343fc51b08addbf37d62352774115acd28eb18a73f67507e21  xsa218-unstable/0002-gnttab-Avoid-potential-double-put-of-maptrack-entry.patch
f5f3d27ce2829b3aa5e09b216bf9afcb1dc6b1f9f3b3a0f3ebfe5a68b4948aef  xsa218-unstable/0003-gnttab-correct-maptrack-table-accesses.patch
fafb8773957bbffb21ab43c7a3559efe15f52d234afba5f2ad2739411946c021  xsa218-4.5/0001-IOMMU-handle-IOMMU-mapping-and-unmapping-failures.patch
4398ad7111421dbf954ede651cb7f9acd83c654c7fa93d54a4e5f9b7b25fe918  xsa218-4.5/0002-gnttab-fix-unmap-pin-accounting-race.patch
9d23946afb96a70c574b8c7ff42ed8b30b72e9a1f751ff617a7578c79645c094  xsa218-4.5/0003-gnttab-Avoid-potential-double-put-of-maptrack-entry.patch
27d92c6f4d89de3fd9e9311337823370303c1ef985cce2bd9bea28f00cd6c184  xsa218-4.5/0004-gnttab-correct-maptrack-table-accesses.patch
99ac090d7955a46c6c9c73ca62b64cef6b8f05439961e52278c662f030a36ee2  xsa218-4.6/0001-IOMMU-handle-IOMMU-mapping-and-unmapping-failures.patch
e0f0839336e055c1422cf0f76c37f6d9cc8474b0140ffef2451dca6697a9f20f  xsa218-4.6/0002-gnttab-fix-unmap-pin-accounting-race.patch
5f6f63211b18bb6ec157353b9e8b844abe3fd767ef1780e6d28731e935559fbc  xsa218-4.6/0003-gnttab-Avoid-potential-double-put-of-maptrack-entry.patch
6a786a8c4b916b6f99092598bd4d60381907cd7e728c98a79e999afeec4f45a6  xsa218-4.6/0004-gnttab-correct-maptrack-table-accesses.patch
58354eec5f4f0b87640c702c6e1ce0eeb57dffbd09394a96e88bd6ff42c53e7e  xsa218-4.7/0001-IOMMU-handle-IOMMU-mapping-and-unmapping-failures.patch
0683d7ffdbe60dc8e1d161adeb0c5465df1840e86353b5cbb96dd204f2dbb526  xsa218-4.7/0002-gnttab-fix-unmap-pin-accounting-race.patch
6bfef9e1653a305e49653c5b81acb57ca41ee8410ea085d49c9bc7e4ccd31e54  xsa218-4.7/0003-gnttab-Avoid-potential-double-put-of-maptrack-entry.patch
b4ede29e3a94d9e7992c90b8b7c8d489e071764218b28962b5755a444040e1ae  xsa218-4.7/0004-gnttab-correct-maptrack-table-accesses.patch
c2a1b40e76764333f3ee34dd9bc7d3e34bab91f8b44eaae7aa6f187bbddb358f  xsa218-4.8/0001-gnttab-fix-unmap-pin-accounting-race.patch
a210ff17a0ca1a81f2c98cce84a104ac7dd2f1a72fa3855ca5f3b3d13e95468c  xsa218-4.8/0002-gnttab-Avoid-potential-double-put-of-maptrack-entry.patch
0b8fa3d6a0f3ccb43c8134db2240867d5a850ee0821d4124a1642596b4d6cb5a  xsa218-4.8/0003-gnttab-correct-maptrack-table-accesses.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJZX5ImAAoJEIP+FMlX6CvZEEwH/0DYTbE4NzaGh63A8lntpzpL
ArGjAFec+JrW6dnoAUlPxDHzgCb1M/UuHYuP2myOD1BVgsBpEKNi6N66CL8gK9x1
ao245PvwknnFRNn0APia7lQXR+6gPylPqTNYUDRsZ4C1TB9fLQrii5Oztx0Mf/CM
l2/WnIU/QvGrbO9rqcs6ks8pNu/Q/WHPrE0mOrE8s//sv4WY2VNB3mk5leDPmIb9
dJ4XSvTnQBIc2uwzW4pT7xU5I2eM39OD8NgF0EsQ2Fj4gQsopHyB1crsJJdpq+Ne
CwfS1aXdNkHBvLv5PWvwG5qS+xFxggWiOkGhjH/nbn+nP25mG6i7jF8fHKujWVM=
=6b7p
-----END PGP SIGNATURE-----

_______________________________________________
Xen-announce mailing list
[hidden email]
https://lists.xen.org/xen-announce

xsa218-unstable/0001-gnttab-fix-unmap-pin-accounting-race.patch (5K) Download Attachment
xsa218-unstable/0002-gnttab-Avoid-potential-double-put-of-maptrack-entry.patch (10K) Download Attachment
xsa218-unstable/0003-gnttab-correct-maptrack-table-accesses.patch (3K) Download Attachment
xsa218-4.5/0001-IOMMU-handle-IOMMU-mapping-and-unmapping-failures.patch (3K) Download Attachment
xsa218-4.5/0002-gnttab-fix-unmap-pin-accounting-race.patch (5K) Download Attachment
xsa218-4.5/0003-gnttab-Avoid-potential-double-put-of-maptrack-entry.patch (9K) Download Attachment
xsa218-4.5/0004-gnttab-correct-maptrack-table-accesses.patch (1K) Download Attachment
xsa218-4.6/0001-IOMMU-handle-IOMMU-mapping-and-unmapping-failures.patch (3K) Download Attachment
xsa218-4.6/0002-gnttab-fix-unmap-pin-accounting-race.patch (5K) Download Attachment
xsa218-4.6/0003-gnttab-Avoid-potential-double-put-of-maptrack-entry.patch (10K) Download Attachment
xsa218-4.6/0004-gnttab-correct-maptrack-table-accesses.patch (3K) Download Attachment
xsa218-4.7/0001-IOMMU-handle-IOMMU-mapping-and-unmapping-failures.patch (3K) Download Attachment
xsa218-4.7/0002-gnttab-fix-unmap-pin-accounting-race.patch (5K) Download Attachment
xsa218-4.7/0003-gnttab-Avoid-potential-double-put-of-maptrack-entry.patch (10K) Download Attachment
xsa218-4.7/0004-gnttab-correct-maptrack-table-accesses.patch (3K) Download Attachment
xsa218-4.8/0001-gnttab-fix-unmap-pin-accounting-race.patch (5K) Download Attachment
xsa218-4.8/0002-gnttab-Avoid-potential-double-put-of-maptrack-entry.patch (10K) Download Attachment
xsa218-4.8/0003-gnttab-correct-maptrack-table-accesses.patch (3K) Download Attachment