-----BEGIN PGP SIGNED MESSAGE-----
Xen Security Advisory CVE-2020-11743 / XSA-316
Bad error path in GNTTABOP_map_grant
UPDATES IN VERSION 3
ISSUE DESCRIPTION

Grant table operations are expected to return 0 for success, and a
negative number for errors. Some misplaced brackets cause one error
path to return 1 instead of a negative value.

The grant table code in Linux treats this condition as success, and
proceeds with incorrectly initialised state.
A buggy or malicious guest can construct its grant table in such a way
that, when a backend domain tries to map a grant, it hits the incorrect

IMPACT

This will crash a Linux based dom0 or backend domain.
VULNERABLE SYSTEMS

Systems running any version of Xen with the XSA-295 fixes are
vulnerable. Systems which have not yet taken the XSA-295 fixes are not

Systems running a Linux based dom0 or driver domain are vulnerable.

Systems running a FreeBSD or NetBSD based dom0 or driver domain are not
impacted, as they both treat any nonzero value as a failure.

The vulnerability of other systems will depend on how they behave when
getting an unexpected positive number from the GNTTABOP_map_grant
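The following is an added illustration, not code from Xen or Linux, of
the two halves of this advisory: the bracket-precedence mistake in the
issue description that turns a negative errno into the value 1, and the
difference between a caller that only treats negative returns as errors
(the Linux behaviour described above) and one that treats any nonzero
return as a failure (the FreeBSD/NetBSD behaviour). The helper names
(inner_step, map_grant_buggy, map_grant_fixed, use_mapping_*), the
struct, the backing page and the -EIO normalisation are all assumptions
of this example and do not correspond to identifiers in the real grant
table code.

```c
#include <assert.h>
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed illustration (not Xen's or Linux's code) of the bug
 * class behind XSA-316: an error path that returns 1 instead of a
 * negative errno, and a caller that only treats negatives as errors. */

struct map_result {
    void *handle;   /* set only when the map really succeeded */
};

static char backing_page[64];   /* stands in for the mapped frame */

/* Hypothetical inner step of the map path that fails with a negative
 * errno, the way grant table operations are expected to. */
static int inner_step(int fail)
{
    return fail ? -EINVAL : 0;
}

/* Buggy error path. '!=' binds tighter than '=', so rc is assigned the
 * result of the comparison: 1 on failure, never the errno itself. The
 * outer brackets only silence the compiler's assignment warning. */
int map_grant_buggy(int fail, struct map_result *res)
{
    int rc;

    res->handle = NULL;
    if ( (rc = inner_step(fail) != 0) )   /* rc = (inner_step(fail) != 0) */
        return rc;                        /* returns 1 on failure */
    res->handle = backing_page;
    return 0;
}

/* Corrected error path: assign the return value first, then compare. */
int map_grant_fixed(int fail, struct map_result *res)
{
    int rc;

    res->handle = NULL;
    if ( (rc = inner_step(fail)) != 0 )
        return rc;                        /* returns -EINVAL on failure */
    res->handle = backing_page;
    return 0;
}

/* Caller that, like the Linux behaviour the advisory describes, treats
 * anything that is not negative as success. Returns a negative errno if
 * it bailed out, 0 if it went on with a valid handle, and 1 if it would
 * go on with a handle that was never set (the crash the advisory
 * describes; the NULL dereference is only reported here, not done). */
int use_mapping_lenient(int (*map)(int, struct map_result *), int fail)
{
    struct map_result res;
    int rc = map(fail, &res);

    if ( rc < 0 )
        return rc;
    return res.handle == NULL ? 1 : 0;
}

/* Caller with the FreeBSD/NetBSD behaviour the advisory cites: any
 * nonzero return is a failure. Positive values are normalised to an
 * errno so that nothing downstream can mistake them for success; the
 * choice of -EIO is this example's assumption. */
int use_mapping_strict(int (*map)(int, struct map_result *), int fail)
{
    struct map_result res;
    int rc = map(fail, &res);

    if ( rc != 0 )
        return rc < 0 ? rc : -EIO;
    return res.handle == NULL ? 1 : 0;
}

int main(void)
{
    printf("buggy map, lenient caller: %d (1 = uses unset handle)\n",
           use_mapping_lenient(map_grant_buggy, 1));
    printf("buggy map, strict caller:  %d\n",
           use_mapping_strict(map_grant_buggy, 1));
    printf("fixed map, lenient caller: %d\n",
           use_mapping_lenient(map_grant_fixed, 1));
    return 0;
}
```

Only the combination of the buggy map path and the lenient caller ends
up using state the failed mapping never initialised; either fixing the
bracket (the Xen patch) or hardening the caller to reject any nonzero
value (the Linux patch) is enough to close that path, which is why the
advisory recommends taking both.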
MITIGATION

Applying the Linux patches alone is sufficient to mitigate the issue.
This might be a preferred route for downstreams who support livepatching
Linux but not Xen.
CREDITS

This issue was discovered by Ross Lagerwall of Citrix.
RESOLUTION

Applying the appropriate Xen patch will resolve this issue.

Additionally, a Linux patch is provided to make Linux's behaviour more
robust to unexpected values.

We recommend taking both patches if at all possible.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball. Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa316/xsa316-xen.patch    Xen 4.9 - xen-unstable

$ sha256sum xsa316*/*
DEPLOYMENT DURING EMBARGO
Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).
Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)
For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy: