-----BEGIN PGP SIGNED MESSAGE-----
Xen Security Advisory CVE-2017-14319 / XSA-234
insufficient grant unmapping checks for x86 PV guests
UPDATES IN VERSION 3
Added metadata file
When removing or replacing a grant mapping, the x86 PV specific path
needs to make sure page table entries remain in sync with other
accounting done. Although the identity of the page frame was
validated correctly, neither the presence of the mapping nor page
writability were taken into account.
A malicious or buggy x86 PV guest could escalate its privileges or
crash the hypervisor.
All Xen versions are affected.
Only x86 PV guests can leverage the vulnerability. x86 HVM guests as
well as ARM guests cannot leverage the vulnerability.
Running only HVM guests will avoid this vulnerability. However, the
vulnerability is exposed to PV stub qemu serving as the device model
for HVM guests. Our default assumption is that an HVM guest has
compromised its PV stub qemu. By extension, it is likely that the
vulnerability is exposed to HVM guests which are served by a PV stub
For PV guests, the vulnerability can be avoided if the guest kernel is
controlled by the host rather than guest administrator, provided that
further steps are taken to prevent the guest administrator from loading
code into the kernel (e.g. by disabling loadable modules etc) or from
using other mechanisms which allow them to run code at kernel privilege.
This issue was discovered by Andrew Cooper of Citrix.
Applying the appropriate attached patch resolves this issue.
xsa234-4.9.patch Xen 4.9.x
xsa234-4.8.patch Xen 4.8.x, Xen 4.7.x
xsa234-4.6.patch Xen 4.6.x
xsa234-4.5.patch Xen 4.5.x
$ sha256sum xsa234*
DEPLOYMENT DURING EMBARGO
Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).
Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)
For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
Xen-announce mailing list
|Free forum by Nabble||Edit this page|