Bug 1042931 - (CVE-2017-10918) VUL-0: CVE-2017-10918: xen: stale P2M mappings due to insufficient error checking (XSA-222)
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
Whiteboard: maint:released:sle10-sp3:63866 maint:...
Reported: 2017-06-06 14:29 UTC by Johannes Segitz
Modified: 2021-01-22 09:00 UTC
Description Johannes Segitz 2017-06-06 14:29:47 UTC
Created attachment 727825 [details]
Upstream patches

Xen Security Advisory XSA-222

         stale P2M mappings due to insufficient error checking

              *** EMBARGOED UNTIL 2017-06-20 12:00 UTC ***

ISSUE DESCRIPTION
=================

Certain actions require removing pages from a guest's P2M
(Physical-to-Machine) mapping.  When large pages are in use to map
guest pages in the 2nd-stage page tables, such a removal operation may
incur a memory allocation (to replace a large mapping with individual
smaller ones).  If this allocation fails, these errors are ignored by
the callers, which would then continue and (for example) free the
referenced page for reuse.  This leaves the guest with a mapping to a
page it shouldn't have access to.

The allocation involved comes from a separate pool of memory created
when the domain is created; under normal operating conditions it never
fails, but a malicious guest may be able to engineer situations where
this pool is exhausted.

IMPACT
======

A malicious guest may be able to access memory it doesn't own,
potentially allowing privilege escalation, host crashes, or
information leakage.

VULNERABLE SYSTEMS
==================

Xen versions from at least 3.2 onwards are vulnerable.  Older versions
have not been inspected.

Both x86 and ARM systems are vulnerable.

On x86 systems, only HVM guests can leverage the vulnerability.

MITIGATION
==========

On x86, specifying "hap_1gb=0 hap_2mb=0" on the hypervisor command
line will avoid the vulnerability.

Alternatively, running all x86 HVM guests in shadow mode will also
avoid this vulnerability.  (For example, by specifying "hap=0" in the
xl domain configuration file.)

There is no known mitigation on ARM systems.

RESOLUTION
==========

Applying the appropriate pair of attached patches resolves this issue.

xsa222-[12].patch                        xen-unstable
xsa222-1.patch, xsa222-2-4.8.patch       Xen 4.8.x
xsa222-[12]-4.7.patch                    Xen 4.7.x
xsa222-[12]-4.6.patch                    Xen 4.6.x
xsa222-1-4.6.patch, xsa222-2-4.5.patch   Xen 4.5.x

$ sha256sum xsa222*
8f3c7cf2fc2e053e2aa585bb88c93f07f9dfa8e6e9f5bebdc9a66dba84f0f772  xsa222-1.patch
bc9ae013319b2dc5983828da7e96d273230f65e1414bf6f34c9a0922f5fe3c6b  xsa222-1-4.6.patch
410369f5fac0b7ad52502eef91e683cdf0cdc587915903c7b33ca4042e478e7c  xsa222-1-4.7.patch
c8572edda24cf949d719b0559e4e2bb6a720d9df7853267b63b4fe6456dcd3dc  xsa222-2.patch
f49cdfdc87606a555f5cda19e60d684d8dab9cb9e4a614c599d1ceaf4835a7b3  xsa222-2-4.5.patch
162ccd48c091552268c08005fd1ffe803cfbad9a2c5045f6ce1e80f534b754d3  xsa222-2-4.6.patch
529d7e96e14ed8fc443e09d679e1b4889c122dab59517a90538bed7ff9d7fbda  xsa222-2-4.7.patch
e92af2f5bf96ca463ecb650040cf97c41e2898c73b65ce4bb8d408c98fd8818e  xsa222-2-4.8.patch
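The two x86 mitigations in the advisory (disabling large HAP pages on the hypervisor command line, or running every HVM guest in shadow mode) are easy to mis-apply: a later `hap_2mb=1` on the command line silently re-enables large pages, and `hap` defaults to 1 for HVM guests when it is not written in the config at all. The script below is an added check, not part of the bug report or of the Xen project's tooling; the function names, the sample configs and the `/etc/xen/vm` path in the host-mode comment are my own assumptions. It parses a Xen command line the way Xen's option parser does (last occurrence wins, `no-` prefix honoured) and an xl-style domain config, and reports whether each is in a mitigated state. It does nothing for ARM, where the advisory lists no mitigation other than patching.

```shell
#!/bin/sh
# Added example, not from the bug report or from the Xen project: a quick
# check of the two x86 mitigations named in the XSA-222 advisory.
#   1. hypervisor command line carries hap_1gb=0 hap_2mb=0 (no large HAP pages)
#   2. every HVM guest runs in shadow mode (hap=0 in its xl config)
# ARM hosts have no mitigation per the advisory; patch them.
#
# The checks take text so they run offline on constructed input; the
# host-mode block at the bottom feeds them `xl dmesg` and the config files
# in a directory you name (assumption: xl-style configs, one per file).

# xsa222_cmdline_mitigated "CMDLINE": succeeds (exit 0) when both large-page
# options are disabled. The last occurrence of an option wins, as in Xen's
# own parser, and the "no-" prefix form of a boolean option is honoured.
xsa222_cmdline_mitigated() {
    _g1=1; _g2=1    # Xen defaults on x86: both enabled, i.e. vulnerable
    for _tok in $1; do
        case $_tok in
            no-hap_1gb|hap_1gb=0|hap_1gb=no|hap_1gb=off|hap_1gb=false|hap_1gb=disable) _g1=0 ;;
            hap_1gb|hap_1gb=*) _g1=1 ;;
            no-hap_2mb|hap_2mb=0|hap_2mb=no|hap_2mb=off|hap_2mb=false|hap_2mb=disable) _g2=0 ;;
            hap_2mb|hap_2mb=*) _g2=1 ;;
        esac
    done
    [ "$_g1" -eq 0 ] && [ "$_g2" -eq 0 ]
}

# xsa222_guest_mitigated "CONFIG_TEXT": succeeds when the guest cannot use
# the bug: it is PV, or it is HVM with hap=0 (shadow paging). PVH guests
# (type = "pvh", newer than this advisory) also run on second-stage page
# tables and are treated like HVM here.
xsa222_guest_mitigated() {
    # drop comments, whitespace and quotes so every line becomes key=value
    _norm=$(printf '%s\n' "$1" | sed -e 's/#.*//' -e "s/[[:space:]\"']//g")
    _hvm=0      # xl builds a PV guest unless told otherwise
    _hap=1      # xl default for HVM is hap=1 when the CPU supports it
    for _line in $_norm; do
        case $_line in
            builder=hvm|type=hvm|type=pvh) _hvm=1 ;;
            builder=*|type=*) _hvm=0 ;;
            hap=0|hap=no|hap=off|hap=false) _hap=0 ;;
            hap=*) _hap=1 ;;
        esac
    done
    [ "$_hvm" -eq 0 ] || [ "$_hap" -eq 0 ]
}

# Constructed sample configs (not taken from any real host).
SAMPLE_PV_CFG='name = "pv-guest"
builder = "generic"
memory = 512'

SAMPLE_HVM_HAP_CFG='name = "hvm-hap"
builder = "hvm"
hap = 1    # xl default for HVM: exposed until the XSA-222 patches are applied'

SAMPLE_HVM_SHADOW_CFG="name = 'hvm-shadow'
type = 'hvm'
hap = 0    # shadow paging, the second mitigation from the advisory"

# Host mode:  sh xsa222-check.sh /etc/xen/vm   (run as root, needs xl)
# `xl dmesg` reads Xen's console ring; on a long-running host the boot
# banner may have scrolled out, in which case read the bootloader config.
if [ $# -gt 0 ]; then
    _cl=$(xl dmesg | sed -n 's/^(XEN) Command line: //p' | head -n 1)
    if xsa222_cmdline_mitigated "$_cl"; then
        echo "hypervisor: hap_1gb and hap_2mb disabled (mitigated)"
    else
        echo "hypervisor: large HAP pages still enabled: $_cl"
    fi
    for _f in "$1"/*; do
        [ -f "$_f" ] || continue
        if xsa222_guest_mitigated "$(cat "$_f")"; then
            echo "$_f: ok (PV, or HVM in shadow mode)"
        else
            echo "$_f: HVM guest with HAP enabled"
        fi
    done
fi
```

Both checks are deliberately pessimistic: an option that is merely absent counts as the vulnerable default, so a host that "looks fine" because nobody ever touched `hap_1gb`/`hap_2mb` or `hap` is reported as unmitigated. Treat the mitigations as a stopgap only; the fix is the package versions listed in the update notices below.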
Comment 1 Johannes Segitz 2017-06-06 14:30:30 UTC
CRD: 2017-06-20 12:00 UTC
Comment 2 Charles Arnold 2017-06-06 15:28:03 UTC
Johannes,
The patch/tarball attached to this bug appears to be for xsa220, not xsa222
Comment 4 Johannes Segitz 2017-06-20 13:19:55 UTC
public
Comment 5 Swamp Workflow Management 2017-06-29 13:16:31 UTC
SUSE-SU-2017:1715-1: An update that solves three vulnerabilities and has 6 fixes is now available.

Category: security (important)
Bug References: 1034845,1037243,1042160,1042863,1042882,1042893,1042915,1042931,1042938
CVE References: CVE-2017-8309,CVE-2017-8905,CVE-2017-9330
Sources used:
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    xen-4.2.5_21-44.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    xen-4.2.5_21-44.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    xen-4.2.5_21-44.1
Comment 6 Swamp Workflow Management 2017-06-30 19:12:30 UTC
SUSE-SU-2017:1742-1: An update that solves two vulnerabilities and has 9 fixes is now available.

Category: security (important)
Bug References: 1027519,1035642,1037243,1042160,1042882,1042893,1042915,1042923,1042924,1042931,1042938
CVE References: CVE-2017-8309,CVE-2017-9330
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    xen-4.7.2_06-42.1
SUSE Linux Enterprise Server 12-SP2 (src):    xen-4.7.2_06-42.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    xen-4.7.2_06-42.1
Comment 7 Swamp Workflow Management 2017-07-04 19:13:32 UTC
SUSE-SU-2017:1770-1: An update that solves 6 vulnerabilities and has 12 fixes is now available.

Category: security (important)
Bug References: 1014136,1026236,1027519,1031460,1032148,1034845,1036470,1037243,1042160,1042863,1042882,1042893,1042915,1042924,1042931,1042938,1043074,1043297
CVE References: CVE-2017-8112,CVE-2017-8309,CVE-2017-8905,CVE-2017-9330,CVE-2017-9374,CVE-2017-9503
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    xen-4.4.4_20-60.3
SUSE Linux Enterprise Server 11-SP4 (src):    xen-4.4.4_20-60.3
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    xen-4.4.4_20-60.3
Comment 8 Swamp Workflow Management 2017-07-06 13:17:59 UTC
SUSE-SU-2017:1795-1: An update that solves 16 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1014136,1026236,1027519,1031460,1032148,1034845,1036470,1037243,1042160,1042863,1042882,1042893,1042915,1042924,1042931,1042938,1043074,1043297
CVE References: CVE-2017-10911,CVE-2017-10912,CVE-2017-10913,CVE-2017-10914,CVE-2017-10915,CVE-2017-10917,CVE-2017-10918,CVE-2017-10920,CVE-2017-10921,CVE-2017-10922,CVE-2017-8112,CVE-2017-8309,CVE-2017-8905,CVE-2017-9330,CVE-2017-9374,CVE-2017-9503
Sources used:
SUSE Linux Enterprise Server for SAP 12 (src):    xen-4.4.4_21-22.42.1
SUSE Linux Enterprise Server 12-LTSS (src):    xen-4.4.4_21-22.42.1
Comment 9 Swamp Workflow Management 2017-07-07 13:12:24 UTC
SUSE-SU-2017:1812-1: An update that solves 17 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1014136,1026236,1027519,1031460,1034845,1036470,1037243,1042160,1042863,1042882,1042893,1042915,1042923,1042924,1042931,1042938,1043074,1043297
CVE References: CVE-2017-10911,CVE-2017-10912,CVE-2017-10913,CVE-2017-10914,CVE-2017-10915,CVE-2017-10916,CVE-2017-10917,CVE-2017-10918,CVE-2017-10920,CVE-2017-10921,CVE-2017-10922,CVE-2017-8112,CVE-2017-8309,CVE-2017-8905,CVE-2017-9330,CVE-2017-9374,CVE-2017-9503
Sources used:
SUSE OpenStack Cloud 6 (src):    xen-4.5.5_12-22.18.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    xen-4.5.5_12-22.18.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    xen-4.5.5_12-22.18.1
Comment 10 Swamp Workflow Management 2017-07-08 13:14:12 UTC
openSUSE-SU-2017:1826-1: An update that fixes 11 vulnerabilities is now available.

Category: security (important)
Bug References: 1027519,1035642,1037243,1042160,1042882,1042893,1042915,1042923,1042924,1042931,1042938
CVE References: CVE-2017-10912,CVE-2017-10913,CVE-2017-10914,CVE-2017-10915,CVE-2017-10917,CVE-2017-10918,CVE-2017-10920,CVE-2017-10921,CVE-2017-10922,CVE-2017-8309,CVE-2017-9330
Sources used:
openSUSE Leap 42.2 (src):    xen-4.7.2_06-11.9.1
Comment 11 Swamp Workflow Management 2017-08-11 09:43:57 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2017-08-18.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63827
Comment 12 Charles Arnold 2017-08-11 16:45:19 UTC
Submitted for,

SUSE:SLE-10-SP3:Update:Test
SUSE:SLE-11-SP1:Update:Teradata
SUSE:SLE-11-SP3:Update
SUSE:SLE-11-SP4:Update
SUSE:SLE-12:Update
SUSE:SLE-12-SP1:Update
SUSE:SLE-12-SP2:Update
Comment 13 Marcus Meissner 2017-10-25 19:39:00 UTC
released