-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory CVE-2017-10913,CVE-2017-10914 / XSA-218 version 5 Races in the grant table unmap code UPDATES IN VERSION 5 ==================== CVEs assigned. ISSUE DESCRIPTION ================= We have discovered two bugs in the code unmapping grant references. * When a grant had been mapped twice by a backend domain, and then unmapped by two concurrent unmap calls, the frontend may be informed that the page had no further mappings when the first call completed rather than when the second call completed. (CVE-2017-10913.) * A race triggerable by an unprivileged guest could cause a grant maptrack entry for grants to be "freed" twice. The ultimate effect of this would be for maptrack entries for a single domain to be re-used. (CVE-2017-10914.) IMPACT ====== For the first issue, for a short window of time, a malicious backend could still read and write memory that the frontend thought was its own again. Depending on the usage, this could be either an information leak, or a backend-to-frontend privilege escalation. The second issue is more difficult to analyze. It can probably cause reference counts to leak, preventing memory from being freed on domain destruction (denial-of-service), but information leakage or host privilege escalation cannot be ruled out. VULNERABLE SYSTEMS ================== All versions of Xen are vulnerable. Both ARM and x86 are vulnerable. On x86, systems with either PV or HVM guests are vulnerable. MITIGATION ========== None. CREDITS ======= This issue was discovered by Jann Horn of Google Project Zero. RESOLUTION ========== Applying the appropriate set of attached patches resolves this issue. xsa218-unstable/*.patch xen-unstable xsa218-4.8/*.patch Xen 4.8.x xsa218-4.7/*.patch Xen 4.7.x xsa218-4.6/*.patch Xen 4.6.x xsa218-4.5/*.patch Xen 4.5.x $ sha256sum xsa218*/* 6f5e588edb6d3f0a37b89235e95cdcc7ca73cdff236d86b65e6f608bd15b03ec xsa218-unstable/0001-gnttab-fix-unmap-pin-accounting-race.patch 5cb85f0aaa19ff343fc51b08addbf37d62352774115acd28eb18a73f67507e21 xsa218-unstable/0002-gnttab-Avoid-potential-double-put-of-maptrack-entry.patch f5f3d27ce2829b3aa5e09b216bf9afcb1dc6b1f9f3b3a0f3ebfe5a68b4948aef xsa218-unstable/0003-gnttab-correct-maptrack-table-accesses.patch fafb8773957bbffb21ab43c7a3559efe15f52d234afba5f2ad2739411946c021 xsa218-4.5/0001-IOMMU-handle-IOMMU-mapping-and-unmapping-failures.patch 4398ad7111421dbf954ede651cb7f9acd83c654c7fa93d54a4e5f9b7b25fe918 xsa218-4.5/0002-gnttab-fix-unmap-pin-accounting-race.patch 9d23946afb96a70c574b8c7ff42ed8b30b72e9a1f751ff617a7578c79645c094 xsa218-4.5/0003-gnttab-Avoid-potential-double-put-of-maptrack-entry.patch 27d92c6f4d89de3fd9e9311337823370303c1ef985cce2bd9bea28f00cd6c184 xsa218-4.5/0004-gnttab-correct-maptrack-table-accesses.patch 99ac090d7955a46c6c9c73ca62b64cef6b8f05439961e52278c662f030a36ee2 xsa218-4.6/0001-IOMMU-handle-IOMMU-mapping-and-unmapping-failures.patch e0f0839336e055c1422cf0f76c37f6d9cc8474b0140ffef2451dca6697a9f20f xsa218-4.6/0002-gnttab-fix-unmap-pin-accounting-race.patch 5f6f63211b18bb6ec157353b9e8b844abe3fd767ef1780e6d28731e935559fbc xsa218-4.6/0003-gnttab-Avoid-potential-double-put-of-maptrack-entry.patch 6a786a8c4b916b6f99092598bd4d60381907cd7e728c98a79e999afeec4f45a6 xsa218-4.6/0004-gnttab-correct-maptrack-table-accesses.patch 58354eec5f4f0b87640c702c6e1ce0eeb57dffbd09394a96e88bd6ff42c53e7e xsa218-4.7/0001-IOMMU-handle-IOMMU-mapping-and-unmapping-failures.patch 0683d7ffdbe60dc8e1d161adeb0c5465df1840e86353b5cbb96dd204f2dbb526 xsa218-4.7/0002-gnttab-fix-unmap-pin-accounting-race.patch 6bfef9e1653a305e49653c5b81acb57ca41ee8410ea085d49c9bc7e4ccd31e54 xsa218-4.7/0003-gnttab-Avoid-potential-double-put-of-maptrack-entry.patch b4ede29e3a94d9e7992c90b8b7c8d489e071764218b28962b5755a444040e1ae xsa218-4.7/0004-gnttab-correct-maptrack-table-accesses.patch c2a1b40e76764333f3ee34dd9bc7d3e34bab91f8b44eaae7aa6f187bbddb358f xsa218-4.8/0001-gnttab-fix-unmap-pin-accounting-race.patch a210ff17a0ca1a81f2c98cce84a104ac7dd2f1a72fa3855ca5f3b3d13e95468c xsa218-4.8/0002-gnttab-Avoid-potential-double-put-of-maptrack-entry.patch 0b8fa3d6a0f3ccb43c8134db2240867d5a850ee0821d4124a1642596b4d6cb5a xsa218-4.8/0003-gnttab-correct-maptrack-table-accesses.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBCAAGBQJZX5ImAAoJEIP+FMlX6CvZEEwH/0DYTbE4NzaGh63A8lntpzpL ArGjAFec+JrW6dnoAUlPxDHzgCb1M/UuHYuP2myOD1BVgsBpEKNi6N66CL8gK9x1 ao245PvwknnFRNn0APia7lQXR+6gPylPqTNYUDRsZ4C1TB9fLQrii5Oztx0Mf/CM l2/WnIU/QvGrbO9rqcs6ks8pNu/Q/WHPrE0mOrE8s//sv4WY2VNB3mk5leDPmIb9 dJ4XSvTnQBIc2uwzW4pT7xU5I2eM39OD8NgF0EsQ2Fj4gQsopHyB1crsJJdpq+Ne CwfS1aXdNkHBvLv5PWvwG5qS+xFxggWiOkGhjH/nbn+nP25mG6i7jF8fHKujWVM= =6b7p -----END PGP SIGNATURE-----