Bugzilla – Bug 1042915
VUL-0: CVE-2017-10915: xen: x86: insufficient reference counts during shadow emulation (XSA-219)
Last modified: 2020-06-13 17:02:11 UTC
CRD: 2017-06-20 12:00 UTC
UPDATES IN VERSION 2
====================

Public release. Add caveat about exploitability by a single HVM guest, to Impact.

ISSUE DESCRIPTION
=================

When using shadow paging, writes to guest pagetables must be trapped and emulated, so the shadows can be suitably adjusted as well.

When emulating the write, Xen maps the guest's pagetable(s) to make the final adjustment and leave the guest's view of its state consistent.

However, when mapping the frame, Xen drops the page reference before performing the write. This is a race window where the underlying frame can change ownership.

One possible attack scenario is for the frame to change ownership and to be inserted into a PV guest's pagetables. At that point, the emulated write will be an unaudited modification to the PV pagetables whose value is under guest control.

IMPACT
======

A malicious pair of guests may be able to elevate their privilege to that of Xen.

We have not ruled out the possibility that a single malicious HVM guest may be able to elevate their privilege to that of Xen.

VULNERABLE SYSTEMS
==================

All versions of Xen are vulnerable.

Only x86 systems are affected. ARM systems are not vulnerable.

HVM guests using shadow mode paging can exploit this vulnerability. HVM guests using Hardware Assisted Paging (HAP) cannot exploit this vulnerability.

To discover whether your HVM guests are using HAP, or shadow page tables: request debug key `q' (from the Xen console, or with `xl debug-keys q'). This will print (to the console, and visible in `xl dmesg'), debug information for every domain, containing something like this:

  (XEN) General information for domain 2:
  (XEN)     refcnt=1 dying=2 pause_count=2
  (XEN)     nr_pages=2 xenheap_pages=0 shared_pages=0 paged_pages=0 dirty_cpus={} max_pages=262400
  (XEN)     handle=ef58ef1a-784d-4e59-8079-42bdee87f219 vm_assist=00000000
  (XEN)     paging assistance: hap refcounts translate external
                               ^^^

The presence of `hap' here indicates that the host is not vulnerable to this domain. For an HVM domain the presence of `shadow' indicates that the domain can exploit the vulnerability.

Xen 4.6 and later have the option to compile-out shadow paging support. (The default is to compile with shadow paging support.) If Xen is built without shadow support, it is not vulnerable.

Exploiting this race condition requires coordination between an x86 HVM guest using shadow paging, and a PV guest. Running only HVM guests avoids the vulnerability, unless stub device models are in use (since stub device models are PV domains, each controlled by the corresponding guest). Running only PV guests avoids the vulnerability.

MITIGATION
==========

Where the HVM guest is explicitly configured to use shadow paging (eg via the `hap=0' xl domain configuration file parameter), changing to HAP (eg by setting `hap=1') will avoid exposing the vulnerability to those guests. HAP is the default (in upstream Xen), where the hardware supports it; so this mitigation is only applicable if HAP has been disabled by configuration.

(This mitigation is not applicable to PV guests.)

CREDITS
=======

This issue was discovered by Andrew Cooper of Citrix.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa219.patch           xen-unstable
xsa219-4.8.patch       Xen 4.8, 4.7
xsa219-4.6.patch       Xen 4.6
xsa219-4.5.patch       Xen 4.5, 4.4

$ sha256sum xsa219*
d06759d11dad3b128e65ade9e6afc1c728b65457cc32c34f46690f959c48644f  xsa219.patch
0dd27ad66f964ba163dbc72e3a074d171b0e1edf9b322d811feb7f5c1deb4437  xsa219-4.5.patch
d5fdd9d75dbad4a2315f48f8aec5dd3a10b92307320b5c141e2c1e69e422510c  xsa219-4.6.patch
a2023599abbc3b8f46cd430bec154401ef166493fcb5787f2f6fb9802b12f9b4  xsa219-4.8.patch
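An added example, not part of the advisory or of Xen's own tooling: a small POSIX shell helper that parses the debug-key `q' output described above (read back via `xl dmesg') and lists which domains are running on shadow paging. The domain records it parses are constructed; `classify_paging' and `shadow_domains' are names chosen here.

```shell
#!/bin/sh
# Added example, not part of the XSA-219 advisory text: parse the output that
# `xl debug-keys q` writes to the Xen console (read back with `xl dmesg`) and
# report which domains run with shadow paging. On a real host:
#     xl debug-keys q && xl dmesg | shadow_domains
# The sample records below are constructed to match the advisory's format.

# classify_paging: reads debug-key 'q' output on stdin and prints one line per
# domain, "<domid> <hap|shadow|none>" ("none": no paging assistance line seen
# for that domain, which is what a plain PV domain without log-dirty shows).
classify_paging() {
    awk '
        /General information for domain/ {
            # e.g. "(XEN) General information for domain 2:"
            dom = $NF; sub(/:$/, "", dom); mode[dom] = "none"
        }
        /paging assistance:/ && dom != "" {
            # keywords are whitespace-separated, so compare whole fields
            for (i = 1; i <= NF; i++) {
                if ($i == "hap") mode[dom] = "hap"
                else if ($i == "shadow") mode[dom] = "shadow"
            }
        }
        END { for (d in mode) print d, mode[d] }
    ' | sort -n
}

# shadow_domains: prints the ids of domains whose paging assistance line says
# "shadow". Per the advisory an HVM domain in this list can exploit XSA-219;
# this output does not show the domain type, so confirm it from the config.
shadow_domains() {
    classify_paging | awk '$2 == "shadow" { print $1 }'
}

# Constructed sample: dom0 (PV, no paging line), an HVM guest on HAP and an
# HVM guest on shadow paging.
SAMPLE_DMESG='(XEN) General information for domain 0:
(XEN)     refcnt=3 dying=0 pause_count=0
(XEN) General information for domain 2:
(XEN)     refcnt=1 dying=2 pause_count=2
(XEN)     paging assistance: hap refcounts translate external
(XEN) General information for domain 3:
(XEN)     refcnt=2 dying=0 pause_count=0
(XEN)     paging assistance: shadow refcounts translate external'

printf '%s\n' "$SAMPLE_DMESG" | classify_paging
echo "shadow-paging domains: $(printf '%s\n' "$SAMPLE_DMESG" | shadow_domains)"
```

On the constructed sample this reports domain 2 as hap and domain 3 as shadow; only the latter needs the `hap=1' change or the patch from the advisory.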
SUSE-SU-2017:1715-1: An update that solves three vulnerabilities and has 6 fixes is now available.
Category: security (important)
Bug References: 1034845,1037243,1042160,1042863,1042882,1042893,1042915,1042931,1042938
CVE References: CVE-2017-8309,CVE-2017-8905,CVE-2017-9330
Sources used:
SUSE Linux Enterprise Server 11-SP3-LTSS (src): xen-4.2.5_21-44.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src): xen-4.2.5_21-44.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src): xen-4.2.5_21-44.1

SUSE-SU-2017:1742-1: An update that solves two vulnerabilities and has 9 fixes is now available.
Category: security (important)
Bug References: 1027519,1035642,1037243,1042160,1042882,1042893,1042915,1042923,1042924,1042931,1042938
CVE References: CVE-2017-8309,CVE-2017-9330
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): xen-4.7.2_06-42.1
SUSE Linux Enterprise Server 12-SP2 (src): xen-4.7.2_06-42.1
SUSE Linux Enterprise Desktop 12-SP2 (src): xen-4.7.2_06-42.1

SUSE-SU-2017:1770-1: An update that solves 6 vulnerabilities and has 12 fixes is now available.
Category: security (important)
Bug References: 1014136,1026236,1027519,1031460,1032148,1034845,1036470,1037243,1042160,1042863,1042882,1042893,1042915,1042924,1042931,1042938,1043074,1043297
CVE References: CVE-2017-8112,CVE-2017-8309,CVE-2017-8905,CVE-2017-9330,CVE-2017-9374,CVE-2017-9503
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): xen-4.4.4_20-60.3
SUSE Linux Enterprise Server 11-SP4 (src): xen-4.4.4_20-60.3
SUSE Linux Enterprise Debuginfo 11-SP4 (src): xen-4.4.4_20-60.3

SUSE-SU-2017:1795-1: An update that solves 16 vulnerabilities and has two fixes is now available.
Category: security (important)
Bug References: 1014136,1026236,1027519,1031460,1032148,1034845,1036470,1037243,1042160,1042863,1042882,1042893,1042915,1042924,1042931,1042938,1043074,1043297
CVE References: CVE-2017-10911,CVE-2017-10912,CVE-2017-10913,CVE-2017-10914,CVE-2017-10915,CVE-2017-10917,CVE-2017-10918,CVE-2017-10920,CVE-2017-10921,CVE-2017-10922,CVE-2017-8112,CVE-2017-8309,CVE-2017-8905,CVE-2017-9330,CVE-2017-9374,CVE-2017-9503
Sources used:
SUSE Linux Enterprise Server for SAP 12 (src): xen-4.4.4_21-22.42.1
SUSE Linux Enterprise Server 12-LTSS (src): xen-4.4.4_21-22.42.1

SUSE-SU-2017:1812-1: An update that solves 17 vulnerabilities and has one errata is now available.
Category: security (important)
Bug References: 1014136,1026236,1027519,1031460,1034845,1036470,1037243,1042160,1042863,1042882,1042893,1042915,1042923,1042924,1042931,1042938,1043074,1043297
CVE References: CVE-2017-10911,CVE-2017-10912,CVE-2017-10913,CVE-2017-10914,CVE-2017-10915,CVE-2017-10916,CVE-2017-10917,CVE-2017-10918,CVE-2017-10920,CVE-2017-10921,CVE-2017-10922,CVE-2017-8112,CVE-2017-8309,CVE-2017-8905,CVE-2017-9330,CVE-2017-9374,CVE-2017-9503
Sources used:
SUSE OpenStack Cloud 6 (src): xen-4.5.5_12-22.18.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src): xen-4.5.5_12-22.18.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src): xen-4.5.5_12-22.18.1

openSUSE-SU-2017:1826-1: An update that fixes 11 vulnerabilities is now available.
Category: security (important)
Bug References: 1027519,1035642,1037243,1042160,1042882,1042893,1042915,1042923,1042924,1042931,1042938
CVE References: CVE-2017-10912,CVE-2017-10913,CVE-2017-10914,CVE-2017-10915,CVE-2017-10917,CVE-2017-10918,CVE-2017-10920,CVE-2017-10921,CVE-2017-10922,CVE-2017-8309,CVE-2017-9330
Sources used:
openSUSE Leap 42.2 (src): xen-4.7.2_06-11.9.1
Submitted for: SUSE:SLE-11-SP3:Update SUSE:SLE-11-SP4:Update SUSE:SLE-12:Update SUSE:SLE-12-SP1:Update SUSE:SLE-12-SP2:Update
Status: released