Information

AdvisoryXSA-236
Public release 2017-10-24 12:00
Updated 2017-10-24 13:55
Version 3
CVE(s) CVE-2017-15597
Title pin count / page reference race in grant table code

Files

advisory-236.txt (signed advisory file)
xsa236.meta
xsa236.patch
xsa236-4.5.patch
xsa236-4.9.patch

Advisory


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2017-15597 / XSA-236
                               version 3

          pin count / page reference race in grant table code

UPDATES IN VERSION 3
====================

We now once again think that only Xen 4.2 and newer are vulnerable.

Fix grammar typo.

Public release.

ISSUE DESCRIPTION
=================

Grant copying code made an implication that any grant pin would be
accompanied by a suitable page reference.  Other portions of code,
however, did not match up with that assumption.  When such a grant
copy operation is being done on a grant of a dying domain, the
assumption turns out wrong.

IMPACT
======

A malicious guest administrator can cause hypervisor memory
corruption, most likely resulting in host crash and a Denial of
Service.  Privilege escalation and information leaks cannot be ruled
out.

VULNERABLE SYSTEMS
==================

Xen versions from 4.2 onwards are vulnerable.  Xen versions 4.1 and
earlier are not vulnerable.

Both x86 and ARM are vulnerable, and on x86 both PV and HVM guests can
trigger the vulnerability.

MITIGATION
==========

Running only guests without para-virtual drivers, and known not to
issue grant table operations can avoid the vulnerability.

CREDITS
=======

This issue was discovered by Pawel Wieczorkiewicz of Amazon.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa236.patch           xen-unstable
xsa236-4.9.patch       Xen 4.9.x, Xen 4.8.x, Xen 4.7.x, Xen 4.6.x
xsa236-4.5.patch       Xen 4.5.x

$ sha256sum xsa236*
2f7736c43b6da7d983cf3edbc10024c4cba9d6d3e5b2b758a07de726a804617d  xsa236.meta
f06f01fb4ffcfc7938a2fc6ab73559ebbaac2d448bd36ca538bb07ba510eeb4a  xsa236.patch
c98a4b50d021414626cd68002643e9aa0cc6067b98cd5dd995c0140a7933d1ea  xsa236-4.5.patch
b6fe5604af26e93184f30127ebbb644f127ecc7116b093c161ca3044b44d2fe9  xsa236-4.9.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJZ70ZiAAoJEIP+FMlX6CvZlBgH/0cwYrP3/zvc3dNJRtpxyn1J
BkigYP8JBIYW85M7KdZDFBhgXIpuw6x45XZ4qfq6rrz3GOp5oZgZVFIoggHZBzRe
eVCIpjOAXInM7ThsE6pV1Qr/JKe8V6RJumXEgqr5zznWpGmcFChWmobA+BBq64P6
87ALWjXBcuqOyjJnJQwEjk+kHJMnIpocVZk6NqcDeoHoJvRh/Zk4YYc78qm4Lucw
d0yHq5azA9bgt5iJgxUvF74B4r8JxTLmA8sn7Kx280UJGEAkqM7jj1QVQ6sb8fgO
q6RSzBVnuVqLh4E1Dji9KaxcRRVnbrp2FFpBUUWHAVVO4O0GYlu5NxERnnye9v0=
=zI77
-----END PGP SIGNATURE-----


Xenproject.org Security Team