Xen Security Advisory CVE-2017-12135 / XSA-226
multiple problems with transitive grants
UPDATES IN VERSION 5

ISSUE DESCRIPTION
1) Code to handle copy operations on transitive grants has built in
retry logic, involving a function reinvoking itself with unchanged
parameters. Such use assumes that the compiler would also translate
this to a so called "tail call" when generating machine code.
Empirically, this is not commonly the case, allowing for
theoretically unbounded nesting of such function calls.

2) The reference counting and locking discipline for transitive grants
is broken. Concurrent use of the transitive grant can leak
references on the transitively-referenced grant.
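The retry-by-recursion pattern from item 1, shown next to a bounded loop form, as an added illustration written for this advisory and not taken from Xen's grant-copy code. `retry_state_t`, `try_op`, `note_depth`, `op_retry_recursive`, `op_retry_bounded` and `RETRY_LIMIT` are hypothetical names, and the failure counter is a constructed stand-in for whatever transient condition makes the real copy path retry. The recursive form grows one stack frame per retry whenever the compiler does not emit a tail call (here the bookkeeping after the call guarantees it cannot, much as cleanup or unlocking would in real code), while the loop keeps stack use constant and returns an error once its budget is spent.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed state for the example (hypothetical, not a Xen structure). */
typedef struct {
    int failures_left;   /* how many more calls to try_op() report "retry" */
    int max_depth_seen;  /* deepest nesting of the retrying function */
    int cur_depth;       /* current nesting depth */
} retry_state_t;

/* Stand-in for the operation being retried: reports a transient failure
 * failures_left times, then succeeds. */
static bool try_op(retry_state_t *st)
{
    if (st->failures_left > 0) {
        st->failures_left--;
        return false;
    }
    return true;
}

/* Record one more level of nesting. */
static void note_depth(retry_state_t *st)
{
    st->cur_depth++;
    if (st->cur_depth > st->max_depth_seen)
        st->max_depth_seen = st->cur_depth;
}

/* Pattern described in the advisory: retry by reinvoking the function with
 * unchanged parameters. Work remains after the call returns (the depth
 * bookkeeping here; cleanup or unlocking in real code), so the compiler
 * cannot turn the call into a jump: every retry costs a stack frame and the
 * nesting is bounded only by how long the transient condition persists. */
static int op_retry_recursive(retry_state_t *st)
{
    int rc;

    note_depth(st);
    if (try_op(st))
        rc = 0;
    else
        rc = op_retry_recursive(st);   /* same arguments: assumed tail call */
    st->cur_depth--;
    return rc;
}

/* Bounded alternative: an explicit loop with a retry budget. Stack use is
 * constant, and an operation that keeps failing returns an error instead of
 * nesting without limit. */
#define RETRY_LIMIT 8

static int op_retry_bounded(retry_state_t *st)
{
    int rc = -1;   /* -1: retry budget exhausted */

    note_depth(st);
    for (int attempt = 0; attempt < RETRY_LIMIT; attempt++) {
        if (try_op(st)) {
            rc = 0;
            break;
        }
    }
    st->cur_depth--;
    return rc;
}

int main(void)
{
    retry_state_t a = { 5, 0, 0 }, b = { 5, 0, 0 }, c = { 100, 0, 0 };
    int rc;

    rc = op_retry_recursive(&a);
    printf("recursive: rc=%d max depth=%d\n", rc, a.max_depth_seen);
    rc = op_retry_bounded(&b);
    printf("bounded:   rc=%d max depth=%d\n", rc, b.max_depth_seen);
    rc = op_retry_bounded(&c);
    printf("bounded, never succeeds: rc=%d max depth=%d\n", rc, c.max_depth_seen);
    return 0;
}
```

With five transient failures the recursive form reaches a nesting depth of six before it succeeds, while the loop form stays at depth one; with a condition that never clears, the loop form gives up after RETRY_LIMIT attempts instead of consuming stack until the hypervisor faults.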
IMPACT

A malicious or buggy guest may be able to crash Xen. Privilege
escalation and information leaks cannot be ruled out. A malicious or
buggy guest can leak references on grants it has been given, amounting
to a DoS against the grantee.
VULNERABLE SYSTEMS

All versions of Xen are vulnerable.
MITIGATION

There is no known mitigation.
CREDITS

This issue was discovered by Jan Beulich of SUSE.
The security team would also like to thank Amazon for helping to identify that
the problems with transitive grants were deeper than originally believed.
RESOLUTION

Applying the appropriate attached patch works around this issue by disabling
transitive grants by default.

xsa226.patch           xen-unstable, Xen 4.9.x, Xen 4.8.x
xsa226-4.7.patch       Xen 4.7.x
xsa226-4.6.patch       Xen 4.6.x
xsa226-4.5.patch       Xen 4.5.x
$ sha256sum xsa226*
(The .meta file is a prototype machine-readable file for describing
which patches are to be applied how.)
DEPLOYMENT DURING EMBARGO
Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).
Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)
For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy: