Bug 1042938 - (CVE-2017-10920) VUL-0: CVE-2017-10920 CVE-2017-10921 CVE-2017-10922 : xen: grant table operations mishandle reference counts (XSA-224)
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware/OS: Other Other
Priority/Severity: P3 - Medium / Major
Assigned To: Security Team bot
CVSSv3: RedHat:CVE-2017-10921:8.5:(AV:...
Reported: 2017-06-06 14:41 UTC by Johannes Segitz
Modified: 2021-01-21 18:18 UTC
Found By: ---
Blocker: ---
Description Johannes Segitz 2017-06-06 14:41:56 UTC
Created attachment 727830 (Upstream patches)

Xen Security Advisory XSA-224

grant table operations mishandle reference counts

*** EMBARGOED UNTIL 2017-06-20 12:00 UTC ***

ISSUE DESCRIPTION
=================

We have discovered a number of bugs in the code mapping and unmapping
grant references.

* If a grant is mapped with both the GNTMAP_device_map and
GNTMAP_host_map flags, but unmapped only with host_map, the device_map
portion remains but the page reference counts are lowered as though it
had been removed. This bug can be leveraged to cause a page's reference
counts and type counts to fall to zero while retaining writeable
mappings to the page.

* Under some specific conditions, if a grant is mapped with both the
GNTMAP_device_map and GNTMAP_host_map flags, the operation may not
grab sufficient type counts.  When the grant is then unmapped, the
type count will be erroneously reduced.  This bug can be leveraged to
cause a page's reference counts and type counts to fall to zero while
retaining writeable mappings to the page.

* When a grant reference is given to an MMIO region (as opposed to a
normal guest page), if the grant is mapped with only the
GNTMAP_device_map flag set, a mapping is created at host_addr anyway.
This does *not* cause reference counts to change, but there will be no
record of this mapping, so it will not be considered when reporting
whether the grant is still in use.

IMPACT
======

For the worst issue, a PV guest could gain a writeable mapping of its
own pagetable, allowing it to escalate its privileges to that of the
host.

VULNERABLE SYSTEMS
==================

All versions of Xen are vulnerable.

Only x86 systems are vulnerable.

Any system running untrusted PV guests is vulnerable.

Systems with untrusted HVM guests are only vulnerable if those guests
are served by a trusted PV backend which is vulnerable: Namely, one
which calls grant_map() with both the GNTMAP_device_map and
GNTMAP_host_map flags.  The security team is not aware of any backends
which are vulnerable.

MITIGATION
==========

Running only HVM guests will avoid this vulnerability.

RESOLUTION
==========

Applying the appropriate set of attached patches resolves this issue.
Note that these patches are assumed to be applied on top of the XSA-218
ones; not doing so may cause at least mechanical problems of applying
the ones here.

xsa224-unstable/*.patch         xen-unstable
xsa218-4.8/*.patch       Xen 4.8.x
xsa218-4.7/*.patch       Xen 4.7.x
xsa218-4.6/*.patch       Xen 4.6.x
xsa218-4.5/*.patch       Xen 4.5.x

$ sha256sum xsa224* xsa224*/*
f7b0175716706acd6e9ff64e9db69f8b8efed910960b0fb8042550b21c3175bd  xsa224-unstable/0001-gnttab-Fix-handling-of-dev_bus_addr-during-unmap.patch
1edb1b1ef9401f3660be02c80522cf94b6f43e942425278b8b0b1bfb0205ae43  xsa224-unstable/0002-gnttab-never-create-host-mapping-unless-asked-to.patch
0a68f48e39f08c0597d4a7c3c50d9ad0dda5a111449736be3eba95559097f116  xsa224-unstable/0003-gnttab-correct-logic-to-get-page-references-during-m.patch
15561d794af584a074e1ff62e203ca064cebf1de16802fe53eba8442dc10335a  xsa224-unstable/0004-gnttab-__gnttab_unmap_common_complete-is-all-or-noth.patch
c4df111229ff9ab68995eb0e2fe780aaa865fa9ac432a32805b902c020811a05  xsa224-4.5/0001-gnttab-Fix-handling-of-dev_bus_addr-during-unmap.patch
be5547e292408008b3c14e978ab6820eb649fcc06fa49cbb5fd76eb96fbf670e  xsa224-4.5/0002-gnttab-never-create-host-mapping-unless-asked-to.patch
7e5e69417d9606ae7b947ce32a649625fbf7015525ce0dc62ffdeff380c74d17  xsa224-4.5/0003-gnttab-correct-logic-to-get-page-references-during-m.patch
b96340b80632943164d6f10617e43bdb90d61192de0d17c6a7341fdfb539e126  xsa224-4.5/0004-gnttab-__gnttab_unmap_common_complete-is-all-or-noth.patch
f049ed84394666da10888a07b6d86a8aa8caebbc0e63bd957ff54ae827f5c500  xsa224-4.6/0001-gnttab-Fix-handling-of-dev_bus_addr-during-unmap.patch
bb6932b1d13f1dd523b143df17dc898908e06d8d302d629e7b1b791ea741ace6  xsa224-4.6/0002-gnttab-never-create-host-mapping-unless-asked-to.patch
041b5a1b19c0a49441e41da7c479624ced3047c17d4b47962d687299062244fd  xsa224-4.6/0003-gnttab-correct-logic-to-get-page-references-during-m.patch
07387745d52caa4d0dfe1b0e2ae18ae989020ed3c825befc7520a49e1f4d56c3  xsa224-4.6/0004-gnttab-__gnttab_unmap_common_complete-is-all-or-noth.patch
d1eed96095b40a60f606fe989ffd8e64373b7f670b657eecca969036238b9591  xsa224-4.7/0001-gnttab-Fix-handling-of-dev_bus_addr-during-unmap.patch
007746cc8eacd691d1259329489be1f7f4bd3ac90347c68e394b4874d9147e43  xsa224-4.7/0002-gnttab-never-create-host-mapping-unless-asked-to.patch
506f60d51618407dcf59308b94a2495501733ade3992d801df2f58bb4a75103e  xsa224-4.7/0003-gnttab-correct-logic-to-get-page-references-during-m.patch
a8028c6c1d45d0a899cdcf2423c0bb7fcf65b982d27b4f586e455939e58b2336  xsa224-4.7/0004-gnttab-__gnttab_unmap_common_complete-is-all-or-noth.patch
202e8d8ed00bd059cce8bc7ce7992b606089b50244e68c02ee8a0648846a7cc4  xsa224-4.8/0001-gnttab-Fix-handling-of-dev_bus_addr-during-unmap.patch
ee49545a2a1c4c427dacbbc454961b6ed032f730a1703a372a4ef05e2c0f6bc3  xsa224-4.8/0002-gnttab-never-create-host-mapping-unless-asked-to.patch
818efc24ae1ebe5be45753be23bca976270a9ed3f2560a47fda112ef20f21d7e  xsa224-4.8/0003-gnttab-correct-logic-to-get-page-references-during-m.patch
9330e29a29fd01123c11ca9ab1587b099b6004e6ac1e40c6b8176a721baca7ee  xsa224-4.8/0004-gnttab-__gnttab_unmap_common_complete-is-all-or-noth.patch
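The first bug in the advisory quoted above comes down to unmap accounting that releases references for mapping kinds it did not actually tear down. The C model below is an added example, not Xen's code and not part of this bug report: the structs, the helper names (grant_map, unmap_buggy, unmap_fixed, accounting_consistent, scenario) and the one-reference-per-mapping-kind rule are simplifying assumptions; only the GNTMAP_device_map and GNTMAP_host_map flag names come from the advisory. It runs the map-with-both, unmap-host-only sequence through both accountings and checks the invariant a correct implementation has to preserve: a page must hold at least one reference and one type reference per mapping kind that is still live.

```c
/* Simplified model of grant-table map/unmap reference accounting, written to
 * illustrate XSA-224 bug 1. Added example, not Xen's code: structures, helper
 * names and the one-ref-per-mapping-kind rule are assumptions of this model. */
#include <stdbool.h>
#include <stdio.h>

#define GNTMAP_device_map 0x1u   /* flag names as used in the advisory */
#define GNTMAP_host_map   0x2u

/* The granted page: generic reference count and (writable) type count. */
struct page_model {
    int count;       /* references held on the page */
    int type_count;  /* references pinning its current (writable) type */
};

/* One active grant mapping: which mapping kinds are currently live. */
struct map_model {
    unsigned flags;
};

/* Model rule: each mapping kind costs one page ref and one type ref. */
static int refs_for(unsigned flags)
{
    return (flags & GNTMAP_device_map ? 1 : 0) + (flags & GNTMAP_host_map ? 1 : 0);
}

static void grant_map(struct page_model *pg, struct map_model *m, unsigned flags)
{
    int n = refs_for(flags);
    pg->count += n;
    pg->type_count += n;
    m->flags |= flags;
}

/* Buggy unmap (the advisory's bug 1): releases references for every kind the
 * grant was mapped with, but only clears the kinds the caller asked for. */
static void unmap_buggy(struct page_model *pg, struct map_model *m, unsigned flags)
{
    int n = refs_for(m->flags);      /* drops refs as if everything went away */
    pg->count -= n;
    pg->type_count -= n;
    m->flags &= ~flags;              /* ...yet the device mapping survives */
}

/* Corrected accounting: release only what is actually being torn down. */
static void unmap_fixed(struct page_model *pg, struct map_model *m, unsigned flags)
{
    unsigned removed = m->flags & flags;
    int n = refs_for(removed);
    pg->count -= n;
    pg->type_count -= n;
    m->flags &= ~removed;
}

/* Invariant worth asserting in any refcounted mapping code: at least one page
 * ref and one type ref must remain for every mapping kind still live. */
static bool accounting_consistent(const struct page_model *pg, const struct map_model *m)
{
    int live = refs_for(m->flags);
    return pg->count >= live && pg->type_count >= live;
}

/* Run map(device|host) then unmap(host only) with the given unmap routine,
 * then let the owner drop its own reference. Returns whether the accounting
 * is still consistent; final state is copied out when pointers are given. */
static bool scenario(void (*unmap)(struct page_model *, struct map_model *, unsigned),
                     struct page_model *pg_out, struct map_model *m_out)
{
    struct page_model pg = { .count = 1, .type_count = 1 };  /* owner's refs */
    struct map_model m = { .flags = 0 };

    grant_map(&pg, &m, GNTMAP_device_map | GNTMAP_host_map);
    unmap(&pg, &m, GNTMAP_host_map);
    pg.count--;          /* owner releases the page, as when freeing/retyping */
    pg.type_count--;

    if (pg_out) *pg_out = pg;
    if (m_out)  *m_out = m;
    return accounting_consistent(&pg, &m);
}

int main(void)
{
    struct page_model pg;
    struct map_model m;
    bool ok;

    ok = scenario(unmap_buggy, &pg, &m);
    printf("buggy: count=%d type_count=%d live=%#x consistent=%s\n",
           pg.count, pg.type_count, m.flags, ok ? "yes" : "no");
    ok = scenario(unmap_fixed, &pg, &m);
    printf("fixed: count=%d type_count=%d live=%#x consistent=%s\n",
           pg.count, pg.type_count, m.flags, ok ? "yes" : "no");
    return 0;
}
```

Build with `cc -std=c11 -Wall model.c && ./a.out`. With the buggy unmap both counts reach zero while a device mapping is still recorded as live, which is exactly the state the advisory describes; the corrected routine keeps one reference per surviving mapping kind. The `accounting_consistent` check is the kind of assertion that belongs in a test suite for any code that pairs reference counts with partially removable mappings.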
Comment 1 Johannes Segitz 2017-06-06 14:42:19 UTC
CRD: 2017-06-20 12:00 UTC
Comment 4 Johannes Segitz 2017-06-20 13:43:57 UTC
public
Comment 5 Swamp Workflow Management 2017-06-29 13:16:44 UTC
SUSE-SU-2017:1715-1: An update that solves three vulnerabilities and has 6 fixes is now available.

Category: security (important)
Bug References: 1034845,1037243,1042160,1042863,1042882,1042893,1042915,1042931,1042938
CVE References: CVE-2017-8309,CVE-2017-8905,CVE-2017-9330
Sources used:
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    xen-4.2.5_21-44.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    xen-4.2.5_21-44.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    xen-4.2.5_21-44.1
Comment 6 Swamp Workflow Management 2017-06-30 19:12:37 UTC
SUSE-SU-2017:1742-1: An update that solves two vulnerabilities and has 9 fixes is now available.

Category: security (important)
Bug References: 1027519,1035642,1037243,1042160,1042882,1042893,1042915,1042923,1042924,1042931,1042938
CVE References: CVE-2017-8309,CVE-2017-9330
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    xen-4.7.2_06-42.1
SUSE Linux Enterprise Server 12-SP2 (src):    xen-4.7.2_06-42.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    xen-4.7.2_06-42.1
Comment 7 Swamp Workflow Management 2017-07-04 19:13:39 UTC
SUSE-SU-2017:1770-1: An update that solves 6 vulnerabilities and has 12 fixes is now available.

Category: security (important)
Bug References: 1014136,1026236,1027519,1031460,1032148,1034845,1036470,1037243,1042160,1042863,1042882,1042893,1042915,1042924,1042931,1042938,1043074,1043297
CVE References: CVE-2017-8112,CVE-2017-8309,CVE-2017-8905,CVE-2017-9330,CVE-2017-9374,CVE-2017-9503
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    xen-4.4.4_20-60.3
SUSE Linux Enterprise Server 11-SP4 (src):    xen-4.4.4_20-60.3
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    xen-4.4.4_20-60.3
Comment 8 Marcus Meissner 2017-07-05 06:21:36 UTC
CVE-2017-10922 

The grant-table feature in Xen through 4.8.x mishandles MMIO region
grant references, which allows guest OS users to cause a denial of
service (loss of grant trackability), aka XSA-224 bug 3.

CVE-2017-10921 

The grant-table feature in Xen through 4.8.x does not ensure sufficient type
counts for a GNTMAP_device_map and GNTMAP_host_map mapping, which allows guest
OS users to cause a denial of service (count mismanagement and memory
corruption) or obtain privileged host OS access, aka XSA-224 bug 2.

CVE-2017-10920 

The grant-table feature in Xen through 4.8.x mishandles a GNTMAP_device_map and
GNTMAP_host_map mapping, when followed by only a GNTMAP_host_map unmapping,
which allows guest OS users to cause a denial of service (count mismanagement
and memory corruption) or obtain privileged host OS access, aka XSA-224 bug 1.
Comment 9 Swamp Workflow Management 2017-07-06 13:18:08 UTC
SUSE-SU-2017:1795-1: An update that solves 16 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1014136,1026236,1027519,1031460,1032148,1034845,1036470,1037243,1042160,1042863,1042882,1042893,1042915,1042924,1042931,1042938,1043074,1043297
CVE References: CVE-2017-10911,CVE-2017-10912,CVE-2017-10913,CVE-2017-10914,CVE-2017-10915,CVE-2017-10917,CVE-2017-10918,CVE-2017-10920,CVE-2017-10921,CVE-2017-10922,CVE-2017-8112,CVE-2017-8309,CVE-2017-8905,CVE-2017-9330,CVE-2017-9374,CVE-2017-9503
Sources used:
SUSE Linux Enterprise Server for SAP 12 (src):    xen-4.4.4_21-22.42.1
SUSE Linux Enterprise Server 12-LTSS (src):    xen-4.4.4_21-22.42.1
Comment 10 Swamp Workflow Management 2017-07-07 13:12:34 UTC
SUSE-SU-2017:1812-1: An update that solves 17 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1014136,1026236,1027519,1031460,1034845,1036470,1037243,1042160,1042863,1042882,1042893,1042915,1042923,1042924,1042931,1042938,1043074,1043297
CVE References: CVE-2017-10911,CVE-2017-10912,CVE-2017-10913,CVE-2017-10914,CVE-2017-10915,CVE-2017-10916,CVE-2017-10917,CVE-2017-10918,CVE-2017-10920,CVE-2017-10921,CVE-2017-10922,CVE-2017-8112,CVE-2017-8309,CVE-2017-8905,CVE-2017-9330,CVE-2017-9374,CVE-2017-9503
Sources used:
SUSE OpenStack Cloud 6 (src):    xen-4.5.5_12-22.18.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    xen-4.5.5_12-22.18.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    xen-4.5.5_12-22.18.1
Comment 11 Swamp Workflow Management 2017-07-08 13:14:20 UTC
openSUSE-SU-2017:1826-1: An update that fixes 11 vulnerabilities is now available.

Category: security (important)
Bug References: 1027519,1035642,1037243,1042160,1042882,1042893,1042915,1042923,1042924,1042931,1042938
CVE References: CVE-2017-10912,CVE-2017-10913,CVE-2017-10914,CVE-2017-10915,CVE-2017-10917,CVE-2017-10918,CVE-2017-10920,CVE-2017-10921,CVE-2017-10922,CVE-2017-8309,CVE-2017-9330
Sources used:
openSUSE Leap 42.2 (src):    xen-4.7.2_06-11.9.1
Comment 12 Swamp Workflow Management 2017-08-11 09:43:46 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2017-08-18.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63827
Comment 13 Charles Arnold 2017-08-11 16:46:05 UTC
Submitted for,

SUSE:SLE-10-SP3:Update:Test
SUSE:SLE-11-SP1:Update:Teradata
SUSE:SLE-11-SP3:Update
SUSE:SLE-11-SP4:Update
SUSE:SLE-12:Update
SUSE:SLE-12-SP1:Update
SUSE:SLE-12-SP2:Update
Comment 14 Marcus Meissner 2017-10-25 19:39:56 UTC
released