-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory CVE-2017-14319 / XSA-234 version 3 insufficient grant unmapping checks for x86 PV guests UPDATES IN VERSION 3 ==================== Added metadata file Public release. ISSUE DESCRIPTION ================= When removing or replacing a grant mapping, the x86 PV specific path needs to make sure page table entries remain in sync with other accounting done. Although the identity of the page frame was validated correctly, neither the presence of the mapping nor page writability were taken into account. IMPACT ====== A malicious or buggy x86 PV guest could escalate its privileges or crash the hypervisor. VULNERABLE SYSTEMS ================== All Xen versions are affected. Only x86 PV guests can leverage the vulnerability. x86 HVM guests as well as ARM guests cannot leverage the vulnerability. MITIGATION ========== Running only HVM guests will avoid this vulnerability. However, the vulnerability is exposed to PV stub qemu serving as the device model for HVM guests. Our default assumption is that an HVM guest has compromised its PV stub qemu. By extension, it is likely that the vulnerability is exposed to HVM guests which are served by a PV stub qemu. For PV guests, the vulnerability can be avoided if the guest kernel is controlled by the host rather than guest administrator, provided that further steps are taken to prevent the guest administrator from loading code into the kernel (e.g. by disabling loadable modules etc) or from using other mechanisms which allow them to run code at kernel privilege. CREDITS ======= This issue was discovered by Andrew Cooper of Citrix. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. xsa234.patch xen-unstable xsa234-4.9.patch Xen 4.9.x xsa234-4.8.patch Xen 4.8.x, Xen 4.7.x xsa234-4.6.patch Xen 4.6.x xsa234-4.5.patch Xen 4.5.x $ sha256sum xsa234* efbcc7eac0f010281c5651d191076ac08cc7dd22a1945e88e92ba8a03ae8cc40 xsa234.meta 08ffa79e5c2a77db0b91b3bfcf9fa5c50f174fe842b7418e2e1549d47e0aec4d xsa234.patch 4b74f3c85a98bc6f40c6a448b068bf45e71f7cce887b7cb1481aca0e8746d990 xsa234-4.5.patch 3df4ce173196111c1ff849039ea4927c0b4bd632b08a501fb26f64e31b951fba xsa234-4.6.patch 169e4e0eaa6b27e58ff0f4ce50e8fcc3f81b1e0a10210decf22d1b4cac7501fb xsa234-4.8.patch 213f9d81a4ab785db67b9f579c9e88c9c8586c46b93f466a309060750df2df32 xsa234-4.9.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBCAAGBQJZt80HAAoJEIP+FMlX6CvZBCsH/1ghPnUr7fpKSgd7huB5gtGC +QsoqJlmI8U+eWqmS8RlAZ0f5A2Umy7GyYDWqFbvJR2o60AMf7DI9d1QVHQYRSfD JFw+M4ohZ/gZoHykof929QYY15Fhrnt5PoMJ6ztt3ZsBXYkXTJfyvHwVjCD43Nvt fANPcYOpm8NneV9mAviVEjR3u08ultjcfq0Gdks22L5zWKzG38j/rbBtA75mx5eT v/eYXEqrSgXEfI2zJOP/j53D2CwMJnmbbsxgQTvAalSLq1zqNrXFSHEkfyqi+Aix QReMmubpNVbIv1ybtZsE1tRMgBY7VJBJEbT5/PrOUErb9XMoL0wtMwP+kHuVD2w= =qFgP -----END PGP SIGNATURE-----