Information

Advisory: XSA-240
Public release: 2017-10-12 12:00
Updated: 2017-12-11 18:15
Version: 6
CVE(s): CVE-2017-15595
Title: Unlimited recursion in linear pagetable de-typing

Files

advisory-240.txt (signed advisory file)
xsa240.meta
xsa240-unstable/0001-x86-limit-linear-page-table-use-to-a-single-level.patch
xsa240-unstable/0002-x86-mm-Disable-PV-linear-pagetables-by-default.patch
xsa240-unstable/0003-x86-dont-wrongly-trigger-linear-page-table-assertion.patch
xsa240-unstable/0004-x86-dont-wrongly-trigger-linear-page-table-assertion-2.patch
xsa240-4.5/0001-x86-limit-linear-page-table-use-to-a-single-level.patch
xsa240-4.5/0002-x86-mm-Disable-PV-linear-pagetables-by-default.patch
xsa240-4.5/0003-x86-dont-wrongly-trigger-linear-page-table-assertion.patch
xsa240-4.5/0004-x86-dont-wrongly-trigger-linear-page-table-assertion-2.patch
xsa240-4.6/0001-x86-limit-linear-page-table-use-to-a-single-level.patch
xsa240-4.6/0002-x86-mm-Disable-PV-linear-pagetables-by-default.patch
xsa240-4.6/0003-x86-dont-wrongly-trigger-linear-page-table-assertion.patch
xsa240-4.6/0004-x86-dont-wrongly-trigger-linear-page-table-assertion-2.patch
xsa240-4.7/0001-x86-limit-linear-page-table-use-to-a-single-level.patch
xsa240-4.7/0002-x86-mm-Disable-PV-linear-pagetables-by-default.patch
xsa240-4.7/0003-x86-dont-wrongly-trigger-linear-page-table-assertion.patch
xsa240-4.7/0004-x86-dont-wrongly-trigger-linear-page-table-assertion-2.patch
xsa240-4.8/0001-x86-limit-linear-page-table-use-to-a-single-level.patch
xsa240-4.8/0002-x86-mm-Disable-PV-linear-pagetables-by-default.patch
xsa240-4.8/0003-x86-dont-wrongly-trigger-linear-page-table-assertion.patch
xsa240-4.8/0004-x86-dont-wrongly-trigger-linear-page-table-assertion-2.patch
xsa240-4.9/0001-x86-limit-linear-page-table-use-to-a-single-level.patch
xsa240-4.9/0002-x86-mm-Disable-PV-linear-pagetables-by-default.patch
xsa240-4.9/0003-x86-dont-wrongly-trigger-linear-page-table-assertion.patch
xsa240-4.9/0004-x86-dont-wrongly-trigger-linear-page-table-assertion-2.patch

Advisory


            Xen Security Advisory CVE-2017-15595 / XSA-240
                               version 6

           Unlimited recursion in linear pagetable de-typing

UPDATES IN VERSION 6
====================

Yet another new patch, addressing another issue similar to the one
addressed in v5.

ISSUE DESCRIPTION
=================

x86 PV guests are permitted to set up certain forms of what is often
called "linear page tables", where pagetables contain references to
other pagetables at the same level or higher.  Certain restrictions
apply in order to fit into Xen's page type handling system.  An
important restriction was missed, however: stacking multiple layers
of page tables of the same level on top of one another is not very
useful, and the tearing down of such an arrangement involves
recursion.  With sufficiently many layers such recursion will result
in a stack overflow, commonly causing Xen to crash.
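The following is an added, simplified C model of the de-typing recursion
described above; it is not Xen's own code.  Each table holds at most one
linear entry referencing another table of the same level, releasing the
last type reference on a table releases that entry's reference (the
recursion), and the single_level flag models the invariant that patch 1
("limit linear page table use to a single level") enforces: a table may
reference a same-level table or be referenced by one, never both, so the
de-typing recursion depth no longer grows with the number of tables.

```c
#include <stdbool.h>
#include <stddef.h>

#define NPAGES 64

/* Simplified model of a page-table page (assumption, not Xen's struct page_info). */
struct pt_page {
    struct pt_page *linear;   /* same-level table referenced by our linear entry */
    int type_count;           /* outstanding type references; 0 = torn down */
    int linked_from;          /* number of same-level tables referencing us */
};

static struct pt_page pages[NPAGES];
static int max_depth;         /* deepest nested put_type() call observed */

/* Drop one type reference.  Tearing a table down releases the reference its
 * linear entry holds on the next table, which is where the recursion lives. */
static void put_type(struct pt_page *pg, int depth)
{
    if (depth > max_depth)
        max_depth = depth;
    if (--pg->type_count > 0)
        return;
    if (pg->linear) {
        struct pt_page *next = pg->linear;
        pg->linear = NULL;
        next->linked_from--;
        put_type(next, depth + 1);   /* unbounded without the fix */
    }
}

/* Install a linear entry in 'from' referencing 'to'.  With single_level the
 * fix's invariant is enforced: 'from' must not itself be referenced and
 * 'to' must not itself reference another same-level table. */
static bool link_linear(struct pt_page *from, struct pt_page *to, bool single_level)
{
    if (from == to || from->linear)
        return false;
    if (single_level && (from->linked_from > 0 || to->linear != NULL))
        return false;
    from->linear = to;
    to->type_count++;
    to->linked_from++;
    return true;
}

/* Chain n tables p[0] -> p[1] -> ... -> p[n-1], release every table's own
 * reference except p[0]'s, then release p[0] and report how deep the
 * de-typing recursion went: n without the invariant, at most 2 with it. */
int teardown_depth(int n, bool single_level)
{
    if (n < 1 || n > NPAGES)
        return -1;
    for (int i = 0; i < n; i++)
        pages[i] = (struct pt_page){ .linear = NULL, .type_count = 1, .linked_from = 0 };
    for (int i = 0; i + 1 < n; i++)
        link_linear(&pages[i], &pages[i + 1], single_level);
    for (int i = 1; i < n; i++)
        put_type(&pages[i], 1);      /* guest drops its own references */
    max_depth = 0;
    put_type(&pages[0], 1);          /* final release: recursion starts here */
    return max_depth;
}
```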

IMPACT
======

A malicious or buggy PV guest may cause the hypervisor to crash,
resulting in Denial of Service (DoS) affecting the entire host.
Privilege escalation and information leaks cannot be excluded.

VULNERABLE SYSTEMS
==================

All Xen versions from at least 3.2 onwards are vulnerable.  Earlier
versions have not been checked.

Only x86 systems are affected.  ARM systems are not affected.

Only x86 PV guests can leverage the vulnerability.  x86 HVM guests
cannot leverage the vulnerability.

MITIGATION
==========

Running only HVM guests will avoid this vulnerability.

For PV guests, the vulnerability can be avoided if the guest kernel is
controlled by the host rather than guest administrator, provided that
further steps are taken to prevent the guest administrator from loading
code into the kernel (e.g. by disabling loadable modules etc) or from
using other mechanisms which allow them to run code at kernel privilege.

CREDITS
=======

This issue was discovered by Jann Horn of Google Project Zero.

RESOLUTION
==========

Applying the appropriate attached patch series resolves this issue.
The first patch fixes this known issue.  The second, optional, patch
in each series disables the `linear pagetable` option by default.  It
can be re-enabled by adding "pv-linear-pt=true" to the Xen
command-line.

Note that neither Linux nor MiniOS uses linear pagetables; NetBSD and
Novell Netware, however, do use this feature when running in PV mode.

xsa240-unstable/*.patch  xen-unstable
xsa240-4.9/*.patch       Xen 4.9.x
xsa240-4.8/*.patch       Xen 4.8.x
xsa240-4.7/*.patch       Xen 4.7.x
xsa240-4.6/*.patch       Xen 4.6.x
xsa240-4.5/*.patch       Xen 4.5.x

$ sha256sum xsa240* xsa240*/*

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decision-making.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html

Xenproject.org Security Team