Xen Security Advisory 228 (CVE-2017-12136) - grant_table: Race conditions with maptrack free list handling
Xen Security Advisory CVE-2017-12136 / XSA-228
grant_table: Race conditions with maptrack free list handling
UPDATES IN VERSION 3
The grant table code in Xen has a bespoke semi-lockfree allocator for
recording grant mappings ("maptrack" entries). This allocator has a
race which allows the free list to be corrupted.
Specifically: the code for removing an entry from the free list, prior
to use, assumes (without locking) that if inspecting the head item shows
that it is not the tail, it will continue not to be the tail of the
list if it is later found to be still the head and removed with
cmpxchg. But the entry might have been removed and replaced, with the
result that it might be the tail by then. (The invariants for the
semi-lockfree data structure were never formally documented.)
Additionally, a stolen entry is put on the free list with an incorrect
link field, which will very likely corrupt the list.
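To make the interleaving described above concrete, the following is an added example, not Xen's code and not the XSA-228 patch: a constructed, deliberately sequential model of a two-entry free list in which the "get" is split into its inspect phase and its cmpxchg phase, next to a variant that does both under one lock. The names (fl_put, racy_get_observe, racy_get_commit, locked_get, fl_check), the TAIL sentinel, the rule that a get never takes the last remaining entry, the handles 0 and 1, and the three vCPUs A, B and C are all this model's own assumptions. Caller A inspects head 0 and sees it has a successor; B then removes handle 0 and returns it to the tail; C removes handle 1; A's cmpxchg now succeeds because the head is 0 again, although 0 has meanwhile become the tail and 1 is in use, so the free list ends up containing an allocated entry. With inspection and removal made indivisible, the same sequence makes A refuse instead.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of a per-vCPU maptrack free list (not Xen's code): handles are
 * small ints linked through next[], TAIL ends the list, in_use[] is model-only
 * bookkeeping so the invariant check can spot double allocation. */
enum { TAIL = -1, NENT = 2 };
struct freelist { int head, tail; int next[NENT]; bool in_use[NENT]; };
struct observed { int head, next; };               /* what a racy caller saw */
struct outcome  { int handle; bool consistent; };  /* A's result, list state */
/* Fresh list [0, 1]: handle 0 is the head, handle 1 the tail. */
static const struct freelist FRESH = { 0, 1, { 1, TAIL }, { false, false } };

/* Sequential stand-in for the compare-and-swap primitive. */
static int cmpxchg(int *p, int old, int newv) { int cur = *p; if (cur == old) *p = newv; return cur; }

static void fl_put(struct freelist *fl, int h)    /* put path: append at the tail */
{
    fl->next[h] = TAIL; fl->next[fl->tail] = h;
    fl->tail = h;       fl->in_use[h] = false;
}

/* Invariants: reachable entries are free, the tail is reachable, no cycle,
 * and free plus in-use handles account for every entry. */
static bool fl_check(const struct freelist *fl)
{
    int seen = 0, used = 0, h = fl->head, reached_tail = 0;
    for (int steps = 0; h != TAIL && steps < NENT; steps++) {
        if (fl->in_use[h]) return false;           /* free entry is also allocated */
        if (h == fl->tail) reached_tail = 1;
        seen++; h = fl->next[h];
    }
    if (h != TAIL || !reached_tail) return false;  /* cycle, or tail fell off */
    for (int i = 0; i < NENT; i++) used += fl->in_use[i];
    return seen + used == NENT;
}

/* Racy get, split as the advisory describes: inspect the head and check it is not
 * the tail; later remove it with cmpxchg on the head alone, never re-validating. */
static bool racy_get_observe(const struct freelist *fl, struct observed *o)
{
    if ((o->head = fl->head) == TAIL) return false;
    o->next = fl->next[o->head];
    return o->next != TAIL;
}
static int racy_get_commit(struct freelist *fl, const struct observed *o)
{
    if (cmpxchg(&fl->head, o->head, o->next) != o->head) return -1;
    fl->in_use[o->head] = true;
    return o->head;
}
static int racy_get(struct freelist *fl) { struct observed o; return racy_get_observe(fl, &o) ? racy_get_commit(fl, &o) : -1; }

/* Corrected get: inspect and remove as one indivisible step. Real code would hold
 * a spinlock across it; in this sequential model nothing else runs inside it. */
static int locked_get(struct freelist *fl)
{
    int head = fl->head;
    if (head == TAIL || fl->next[head] == TAIL) return -1;  /* never take the last entry */
    fl->head = fl->next[head]; fl->in_use[head] = true;
    return head;
}
typedef int (*get_fn)(struct freelist *);
/* Other vCPUs inside A's window: B takes handle 0 and returns it (now the tail),
 * then C takes handle 1. Handle 0 is head again, so A's cmpxchg will match. */
static void interfere(struct freelist *fl, get_fn get)
{
    fl_put(fl, get(fl));
    (void)get(fl);
}

static struct outcome run_racy_scenario(void)
{
    struct freelist fl = FRESH;
    struct observed o;
    struct outcome r = { -1, false };
    if (racy_get_observe(&fl, &o)) {              /* A sees head 0, next 1 */
        interfere(&fl, racy_get);
        r.handle = racy_get_commit(&fl, &o);      /* succeeds: head becomes 1, owned by C */
    }
    r.consistent = fl_check(&fl);
    return r;
}

static struct outcome run_locked_scenario(void)
{
    struct freelist fl = FRESH;
    interfere(&fl, locked_get);
    struct outcome r = { locked_get(&fl), false }; /* refuses: head 0 is the tail */
    r.consistent = fl_check(&fl);
    return r;
}

int main(void)
{
    struct outcome a = run_racy_scenario(), b = run_locked_scenario();
    printf("racy:   A got %d, consistent=%d\nlocked: A got %d, consistent=%d\n",
           a.handle, a.consistent, b.handle, b.consistent);
}
```

run_racy_scenario() hands A handle 0 and leaves fl_check false (the head now points at an entry C owns, and the tail is no longer reachable from the head); run_locked_scenario() returns -1 for A and fl_check stays true. The model is sequential on purpose so that the interleaving is deterministic: it shows which invariant the unlocked check-then-cmpxchg breaks, not the hypervisor's actual timing, and the second defect the advisory mentions (the stolen entry's incorrect link field) is not modelled.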
A malicious guest administrator can crash the host, and can probably
escalate their privilege to that of the host.
Xen 4.6 and later are vulnerable.
Xen 4.5 and earlier are not vulnerable.
There is no mitigation for this vulnerability.
This issue was discovered by Ian Jackson of Citrix.
Applying the appropriate attached patch resolves this issue.
(The .meta file is a prototype machine-readable file for describing
which patches are to be applied how.)
DEPLOYMENT DURING EMBARGO
Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).
Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decision-making.)