Bug 1042893 - (CVE-2017-10913) VUL-0: CVE-2017-10913 CVE-2017-10914: xen: Races in the grant table unmap code (XSA-218)
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware/OS: Other Other
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
Whiteboard: maint:released:oes2015:63704 CVSSv2:S...
Reported: 2017-06-06 11:47 UTC by Johannes Segitz
Modified: 2020-02-26 12:50 UTC
Comment 1 Johannes Segitz 2017-06-06 11:48:26 UTC
CRD: 2017-06-20 12:00 UTC
Comment 5 Johannes Segitz 2017-06-20 13:46:41 UTC
UPDATES IN VERSION 4
====================

Adjust last patch description and add review tag.

Public release.

ISSUE DESCRIPTION
=================

We have discovered two bugs in the code unmapping grant references.

* When a grant had been mapped twice by a backend domain, and then
unmapped by two concurrent unmap calls, the frontend may be informed
that the page had no further mappings when the first call completed rather
than when the second call completed.

* A race triggerable by an unprivileged guest could cause a grant
maptrack entry for grants to be "freed" twice.  The ultimate effect of
this would be for maptrack entries for a single domain to be re-used.

IMPACT
======

For the first issue, for a short window of time, a malicious backend
could still read and write memory that the frontend thought was its
own again.  Depending on the usage, this could be either an
information leak, or a backend-to-frontend privilege escalation.

The second issue is more difficult to analyze. It can probably cause
reference counts to leak, preventing memory from being freed on domain
destruction (denial-of-service), but information leakage or host
privilege escalation cannot be ruled out.

VULNERABLE SYSTEMS
==================

All versions of Xen are vulnerable.

Both ARM and x86 are vulnerable.

On x86, systems with either PV or HVM guests are vulnerable.

MITIGATION
==========

None.

CREDITS
=======

This issue was discovered by Jann Horn of Google Project Zero.

RESOLUTION
==========

Applying the appropriate set of attached patches resolves this issue.

xsa218-unstable/*.patch    xen-unstable
xsa218-4.8/*.patch         Xen 4.8.x
xsa218-4.7/*.patch         Xen 4.7.x
xsa218-4.6/*.patch         Xen 4.6.x
xsa218-4.5/*.patch         Xen 4.5.x

$ sha256sum xsa218*/*
6f5e588edb6d3f0a37b89235e95cdcc7ca73cdff236d86b65e6f608bd15b03ec  xsa218-unstable/0001-gnttab-fix-unmap-pin-accounting-race.patch
5cb85f0aaa19ff343fc51b08addbf37d62352774115acd28eb18a73f67507e21  xsa218-unstable/0002-gnttab-Avoid-potential-double-put-of-maptrack-entry.patch
f5f3d27ce2829b3aa5e09b216bf9afcb1dc6b1f9f3b3a0f3ebfe5a68b4948aef  xsa218-unstable/0003-gnttab-correct-maptrack-table-accesses.patch
fafb8773957bbffb21ab43c7a3559efe15f52d234afba5f2ad2739411946c021  xsa218-4.5/0001-IOMMU-handle-IOMMU-mapping-and-unmapping-failures.patch
4398ad7111421dbf954ede651cb7f9acd83c654c7fa93d54a4e5f9b7b25fe918  xsa218-4.5/0002-gnttab-fix-unmap-pin-accounting-race.patch
9d23946afb96a70c574b8c7ff42ed8b30b72e9a1f751ff617a7578c79645c094  xsa218-4.5/0003-gnttab-Avoid-potential-double-put-of-maptrack-entry.patch
27d92c6f4d89de3fd9e9311337823370303c1ef985cce2bd9bea28f00cd6c184  xsa218-4.5/0004-gnttab-correct-maptrack-table-accesses.patch
99ac090d7955a46c6c9c73ca62b64cef6b8f05439961e52278c662f030a36ee2  xsa218-4.6/0001-IOMMU-handle-IOMMU-mapping-and-unmapping-failures.patch
e0f0839336e055c1422cf0f76c37f6d9cc8474b0140ffef2451dca6697a9f20f  xsa218-4.6/0002-gnttab-fix-unmap-pin-accounting-race.patch
5f6f63211b18bb6ec157353b9e8b844abe3fd767ef1780e6d28731e935559fbc  xsa218-4.6/0003-gnttab-Avoid-potential-double-put-of-maptrack-entry.patch
6a786a8c4b916b6f99092598bd4d60381907cd7e728c98a79e999afeec4f45a6  xsa218-4.6/0004-gnttab-correct-maptrack-table-accesses.patch
58354eec5f4f0b87640c702c6e1ce0eeb57dffbd09394a96e88bd6ff42c53e7e  xsa218-4.7/0001-IOMMU-handle-IOMMU-mapping-and-unmapping-failures.patch
0683d7ffdbe60dc8e1d161adeb0c5465df1840e86353b5cbb96dd204f2dbb526  xsa218-4.7/0002-gnttab-fix-unmap-pin-accounting-race.patch
6bfef9e1653a305e49653c5b81acb57ca41ee8410ea085d49c9bc7e4ccd31e54  xsa218-4.7/0003-gnttab-Avoid-potential-double-put-of-maptrack-entry.patch
b4ede29e3a94d9e7992c90b8b7c8d489e071764218b28962b5755a444040e1ae  xsa218-4.7/0004-gnttab-correct-maptrack-table-accesses.patch
c2a1b40e76764333f3ee34dd9bc7d3e34bab91f8b44eaae7aa6f187bbddb358f  xsa218-4.8/0001-gnttab-fix-unmap-pin-accounting-race.patch
a210ff17a0ca1a81f2c98cce84a104ac7dd2f1a72fa3855ca5f3b3d13e95468c  xsa218-4.8/0002-gnttab-Avoid-potential-double-put-of-maptrack-entry.patch
0b8fa3d6a0f3ccb43c8134db2240867d5a850ee0821d4124a1642596b4d6cb5a  xsa218-4.8/0003-gnttab-correct-maptrack-table-accesses.patch
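The following is an added example, not code from this bug report or from Xen: a single-threaded C model of XSA-218 bug 1, the unmap pin-accounting race. Two unmap calls of the same doubly-mapped grant are interleaved step by step so the outcome is deterministic. The model's structures and step names (grant_model, pin, GTF_WRITING, teardown, observe) are assumptions for illustration only; the "fixed" variant follows the description in the patch title (accounting moved into the same critical section as the flag update) and is my reading of that, not the patch itself.

```c
/*
 * Added example (not Xen code): a single-threaded model of XSA-218 bug 1,
 * the unmap pin-accounting race, with two unmaps interleaved explicitly.
 *
 * Assumptions, not taken from the advisory or the Xen source:
 *  - one active grant entry with a "pin" count of live mappings and a
 *    GTF_WRITING status flag that the frontend reads;
 *  - each unmap runs as accounting, page-table teardown, completion, and
 *    the vulnerable variant does the accounting in an earlier critical
 *    section than the test-and-clear of the flag.
 */
#include <stdbool.h>
#include <stdio.h>

enum { GTF_WRITING = 1u << 0 };

struct grant_model {
    unsigned int pin;     /* live mappings as the hypervisor counts them */
    unsigned int status;  /* flags visible to the frontend */
    bool mapped[2];       /* is backend mapping i still in the page tables? */
};

struct outcome {
    int clear_step;            /* step at which GTF_WRITING was cleared, -1 if never */
    bool cleared_while_mapped; /* a mapping was still live at that step */
    unsigned int final_pin;
};

static void model_init(struct grant_model *g)
{
    g->pin = 2;
    g->status = GTF_WRITING;
    g->mapped[0] = g->mapped[1] = true;
}

/* Record the first step at which the frontend would see "no mappings". */
static void observe(const struct grant_model *g, int step, struct outcome *o)
{
    if (o->clear_step < 0 && !(g->status & GTF_WRITING)) {
        o->clear_step = step;
        o->cleared_while_mapped = g->mapped[0] || g->mapped[1];
    }
}

static void teardown(struct grant_model *g, int i) { g->mapped[i] = false; }

/* Vulnerable ordering: decrement in one critical section ... */
static void vuln_account(struct grant_model *g) { g->pin--; }
/* ... and test-and-clear in a later, separate one. */
static void vuln_complete(struct grant_model *g)
{
    if (g->pin == 0)
        g->status &= ~GTF_WRITING;
}

/* Fixed ordering: accounting and flag update in the same critical section. */
static void fixed_complete(struct grant_model *g)
{
    if (--g->pin == 0)
        g->status &= ~GTF_WRITING;
}

/* A and B unmap concurrently; A completes before B has torn down its mapping. */
struct outcome run_vulnerable(void)
{
    struct grant_model g;
    struct outcome o = { -1, false, 0 };
    model_init(&g);
    vuln_account(&g);  observe(&g, 1, &o); /* A: pin 2 -> 1 */
    vuln_account(&g);  observe(&g, 2, &o); /* B: pin 1 -> 0 */
    teardown(&g, 0);   observe(&g, 3, &o); /* A's mapping removed */
    vuln_complete(&g); observe(&g, 4, &o); /* A sees pin 0: flag cleared, B still mapped */
    teardown(&g, 1);   observe(&g, 5, &o); /* B's mapping removed only now */
    vuln_complete(&g); observe(&g, 6, &o);
    o.final_pin = g.pin;
    return o;
}

/* Same interleaving, but each unmap's accounting happens at its completion. */
struct outcome run_fixed(void)
{
    struct grant_model g;
    struct outcome o = { -1, false, 0 };
    model_init(&g);
    teardown(&g, 0);    observe(&g, 1, &o); /* A's mapping removed */
    fixed_complete(&g); observe(&g, 2, &o); /* A: pin 2 -> 1, flag kept */
    teardown(&g, 1);    observe(&g, 3, &o); /* B's mapping removed */
    fixed_complete(&g); observe(&g, 4, &o); /* B: pin 1 -> 0, flag cleared, nothing mapped */
    o.final_pin = g.pin;
    return o;
}

bool vulnerable_clears_flag_while_mapped(void) { return run_vulnerable().cleared_while_mapped; }
bool fixed_clears_flag_while_mapped(void)      { return run_fixed().cleared_while_mapped; }
int vulnerable_clear_step(void)                { return run_vulnerable().clear_step; }
int fixed_clear_step(void)                     { return run_fixed().clear_step; }

int main(void)
{
    struct outcome v = run_vulnerable(), f = run_fixed();
    printf("vulnerable: flag cleared at step %d, mapping still live: %s\n",
           v.clear_step, v.cleared_while_mapped ? "yes" : "no");
    printf("fixed:      flag cleared at step %d, mapping still live: %s\n",
           f.clear_step, f.cleared_while_mapped ? "yes" : "no");
    return 0;
}
```

In the vulnerable ordering the second unmap's decrement lands between the first unmap's accounting and its completion, so the first completion observes a zero count and clears the flag while the second backend mapping is still present; that is the window the advisory's IMPACT section describes. Doing the decrement and the test-and-clear under the same lock makes the count observed at completion reflect only mappings already torn down.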
Comment 6 Swamp Workflow Management 2017-06-22 09:17:56 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2017-06-29.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63700
Comment 7 Swamp Workflow Management 2017-06-29 13:16:08 UTC
SUSE-SU-2017:1715-1: An update that solves three vulnerabilities and has 6 fixes is now available.

Category: security (important)
Bug References: 1034845,1037243,1042160,1042863,1042882,1042893,1042915,1042931,1042938
CVE References: CVE-2017-8309,CVE-2017-8905,CVE-2017-9330
Sources used:
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    xen-4.2.5_21-44.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    xen-4.2.5_21-44.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    xen-4.2.5_21-44.1
Comment 8 Swamp Workflow Management 2017-06-30 19:11:56 UTC
SUSE-SU-2017:1742-1: An update that solves two vulnerabilities and has 9 fixes is now available.

Category: security (important)
Bug References: 1027519,1035642,1037243,1042160,1042882,1042893,1042915,1042923,1042924,1042931,1042938
CVE References: CVE-2017-8309,CVE-2017-9330
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    xen-4.7.2_06-42.1
SUSE Linux Enterprise Server 12-SP2 (src):    xen-4.7.2_06-42.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    xen-4.7.2_06-42.1
Comment 9 Swamp Workflow Management 2017-07-04 19:13:10 UTC
SUSE-SU-2017:1770-1: An update that solves 6 vulnerabilities and has 12 fixes is now available.

Category: security (important)
Bug References: 1014136,1026236,1027519,1031460,1032148,1034845,1036470,1037243,1042160,1042863,1042882,1042893,1042915,1042924,1042931,1042938,1043074,1043297
CVE References: CVE-2017-8112,CVE-2017-8309,CVE-2017-8905,CVE-2017-9330,CVE-2017-9374,CVE-2017-9503
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    xen-4.4.4_20-60.3
SUSE Linux Enterprise Server 11-SP4 (src):    xen-4.4.4_20-60.3
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    xen-4.4.4_20-60.3
Comment 10 Marcus Meissner 2017-07-05 06:35:44 UTC
CVE-2017-10914 

The grant-table feature in Xen through 4.8.x has a race condition leading to a
double free, which allows guest OS users to cause a denial of service (memory
consumption), or possibly obtain sensitive information or gain privileges, aka
XSA-218 bug 2.

CVE-2017-10913

The grant-table feature in Xen through 4.8.x provides false mapping information
in certain cases of concurrent unmap calls, which allows backend attackers to
obtain sensitive information or gain privileges, aka XSA-218 bug 1.
Comment 11 Swamp Workflow Management 2017-07-06 13:17:32 UTC
SUSE-SU-2017:1795-1: An update that solves 16 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1014136,1026236,1027519,1031460,1032148,1034845,1036470,1037243,1042160,1042863,1042882,1042893,1042915,1042924,1042931,1042938,1043074,1043297
CVE References: CVE-2017-10911,CVE-2017-10912,CVE-2017-10913,CVE-2017-10914,CVE-2017-10915,CVE-2017-10917,CVE-2017-10918,CVE-2017-10920,CVE-2017-10921,CVE-2017-10922,CVE-2017-8112,CVE-2017-8309,CVE-2017-8905,CVE-2017-9330,CVE-2017-9374,CVE-2017-9503
Sources used:
SUSE Linux Enterprise Server for SAP 12 (src):    xen-4.4.4_21-22.42.1
SUSE Linux Enterprise Server 12-LTSS (src):    xen-4.4.4_21-22.42.1
Comment 12 Swamp Workflow Management 2017-07-07 13:11:46 UTC
SUSE-SU-2017:1812-1: An update that solves 17 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1014136,1026236,1027519,1031460,1034845,1036470,1037243,1042160,1042863,1042882,1042893,1042915,1042923,1042924,1042931,1042938,1043074,1043297
CVE References: CVE-2017-10911,CVE-2017-10912,CVE-2017-10913,CVE-2017-10914,CVE-2017-10915,CVE-2017-10916,CVE-2017-10917,CVE-2017-10918,CVE-2017-10920,CVE-2017-10921,CVE-2017-10922,CVE-2017-8112,CVE-2017-8309,CVE-2017-8905,CVE-2017-9330,CVE-2017-9374,CVE-2017-9503
Sources used:
SUSE OpenStack Cloud 6 (src):    xen-4.5.5_12-22.18.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    xen-4.5.5_12-22.18.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    xen-4.5.5_12-22.18.1
Comment 13 Swamp Workflow Management 2017-07-08 13:13:40 UTC
openSUSE-SU-2017:1826-1: An update that fixes 11 vulnerabilities is now available.

Category: security (important)
Bug References: 1027519,1035642,1037243,1042160,1042882,1042893,1042915,1042923,1042924,1042931,1042938
CVE References: CVE-2017-10912,CVE-2017-10913,CVE-2017-10914,CVE-2017-10915,CVE-2017-10917,CVE-2017-10918,CVE-2017-10920,CVE-2017-10921,CVE-2017-10922,CVE-2017-8309,CVE-2017-9330
Sources used:
openSUSE Leap 42.2 (src):    xen-4.7.2_06-11.9.1
Comment 14 Charles Arnold 2017-07-10 19:47:10 UTC
Not applicable to Xen 4.1 and older (sle11sp2 and older) because of the use
of domain_lock() in do_grant_table_op()
Comment 15 Johannes Segitz 2017-07-11 06:45:54 UTC
(In reply to Charles Arnold from comment #14)
Adjusted tracking, thanks
Comment 16 Charles Arnold 2017-08-11 16:53:42 UTC
Submitted for,

SUSE:SLE-11-SP3:Update
SUSE:SLE-11-SP4:Update
SUSE:SLE-12:Update
SUSE:SLE-12-SP1:Update
SUSE:SLE-12-SP2:Update
Comment 17 Marcus Meissner 2017-10-25 19:30:44 UTC
released