-----BEGIN PGP SIGNED MESSAGE-----
Xen Security Advisory CVE-2017-12137 / XSA-227
x86: PV privilege escalation via map_grant_ref
UPDATES IN VERSION 3
When mapping a grant reference, a guest must inform Xen of where it
would like the grant mapped. For PV guests, this is done by nominating
an existing linear address, or an L1 pagetable entry, to be altered.
Neither of these PV paths check for alignment of the passed parameter.
The linear address path suitably truncates the linear address when
calculating the L1 entry to use, but the path which uses a directly
nominated L1 entry performs no checks.
This causes Xen to make an incorrectly-aligned update to a pagetable,
which corrupts both the intended entry and the subsequent entry with
values which are largely guest controlled. If the misaligned value
crosses a page boundary, then an arbitrary other heap page is
A PV guest can elevate its privilege to that of the host.
All versions of Xen are vulnerable.
Only x86 systems are vulnerable.
Any system running untrusted PV guests is vulnerable.
The vulnerability is exposed to PV stub qemu serving as the device model
for HVM guests. Our default assumption is that an HVM guest has
compromised its PV stub qemu. By extension, it is likely that the
vulnerability is exposed to HVM guests which are served by a PV stub
Running only HVM guests, served by a dom0-based qemu, will avoid this
This issue was discovered by Andrew Cooper of Citrix.
Applying the appropriate attached patch resolves this issue.
xsa227.patch xen-unstable, Xen 4.9.x, 4.8.x, 4.7.x
xsa227-4.6.patch Xen 4.6.x
xsa227-4.5.patch Xen 4.5.x
$ sha256sum xsa227*
(The .meta file is a prototype machine-readable file for describing
which patches are to be applied how.)
DEPLOYMENT DURING EMBARGO
Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).
Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)
For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
Xen-announce mailing list
|Free forum by Nabble||Edit this page|