Bug 1051787 - (CVE-2017-12135) VUL-0: CVE-2017-12135: xen: possibly unbounded recursion in grant table code (XSA-226)
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
CVSSv2:NVD:CVE-2017-12135:4.6:(AV:L/A...
Reported: 2017-08-02 06:21 UTC by Johannes Segitz
Modified: 2021-01-22 09:00 UTC (History)

Attachments
New backport for Xen 4.5. The v1 code didn't apply cleanly. (3.35 KB, patch), 2017-08-03 06:03 UTC, Johannes Segitz
xsa226-v6.tar.bz2 (9.03 KB, application/octet-stream), 2017-08-17 15:35 UTC, Marcus Meissner
xsa226-v7.tar.bz2 (9.10 KB, application/octet-stream), 2017-08-29 12:09 UTC, Marcus Meissner

Comment 1 Johannes Segitz 2017-08-02 06:21:49 UTC
CRD: 2017-08-15 12:00 UTC
Comment 2 Johannes Segitz 2017-08-03 06:03:48 UTC
Created attachment 735051 [details]
New backport for Xen 4.5.  The v1 code didn't apply cleanly.
Comment 5 Charles Arnold 2017-08-11 16:50:17 UTC
Submitted for:

SUSE:SLE-11-SP1:Update:Teradata
SUSE:SLE-11-SP3:Update
SUSE:SLE-11-SP4:Update
SUSE:SLE-12:Update
SUSE:SLE-12-SP1:Update
SUSE:SLE-12-SP2:Update
SUSE:SLE-12-SP3:Update
Comment 7 Johannes Segitz 2017-08-15 06:07:54 UTC
Great timing :( Charles, do we *have* to redo our updates or is this something that we could ship next time?
Comment 8 Jan Beulich 2017-08-15 07:53:22 UTC
Well, as you should have seen on the -discuss mailing list, the earlier patch caused problems on migration (certain kinds of guests simply crashed). I'd also like to note that within the Xen Project Security Team I've voiced my resistance to this approach as a whole, as we're actively breaking the hypervisor ABI this way. This concern of mine is irrespective of there not being any known users of that particular part of the interface. I.e. I rather view this as a workaround than a permanent fix.

We certainly have a fixed version of the original patch meanwhile, plus a patch to at least partly deal with other issues with transitive grants (we've made some further progress yesterday, but there is still at least one unresolved issue).

As to deferring the fix for this XSA - I think that's rather your call. What we should avoid though is ship with the prior version of the workaround patch.
Comment 9 Johannes Segitz 2017-08-15 08:49:43 UTC
(In reply to Jan Beulich from comment #8)
Thanks, then I'll stop QA and we have to wait for a final version. I don't want to leave this unfixed.
Comment 10 Marcus Meissner 2017-08-15 12:11:53 UTC
is public now

            Xen Security Advisory CVE-2017-12135 / XSA-226
                               version 5

               multiple problems with transitive grants

UPDATES IN VERSION 5
====================

Public release.

ISSUE DESCRIPTION
=================

1) Code to handle copy operations on transitive grants has built in
   retry logic, involving a function reinvoking itself with unchanged
   parameters.  Such use assumes that the compiler would also translate
   this to a so called "tail call" when generating machine code.
   Empirically, this is not commonly the case, allowing for
   theoretically unbounded nesting of such function calls.

2) The reference counting and locking discipline for transitive grants
   is broken.  Concurrent use of the transitive grant can leak
   references on the transitively-referenced grant.

IMPACT
======

A malicious or buggy guest may be able to crash Xen.  Privilege
escalation and information leaks cannot be ruled out.  A malicious or
buggy guest can leak references on grants it has been given, amounting
to a DoS against the grantee.

VULNERABLE SYSTEMS
==================

All versions of Xen are vulnerable.

MITIGATION
==========

There is no known mitigation.

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.
The security team would also like to thank Amazon for helping to identify that
the problems with transitive grants were deeper than originally believed.

RESOLUTION
==========

Applying the appropriate attached patch works around this issue by disabling
transitive grants by default.

xsa226.patch           xen-unstable, Xen 4.9.x, Xen 4.8.x
xsa226-4.7.patch       Xen 4.7.x
xsa226-4.6.patch       Xen 4.6.x
xsa226-4.5.patch       Xen 4.5.x

$ sha256sum xsa226*
b09e07aaf422ae04a4ece5e2c5b5e54036cfae5b5c632bfc6953a0cacd6f60ff  xsa226.patch
ca8b92b2ff58b87e8bec137a34784cbf11e2820659046df6e1d71e23bf7e7dee  xsa226-4.5.patch
28c7df7edabb91fb2f1fa3fc7d6906bfae75a6e701f1cd335baafaae3e087696  xsa226-4.6.patch
fffcc0a4428723e6aea391ff4f1d27326b5a3763d2308cbde64e6a786502c702  xsa226-4.7.patch
$

(The .meta file is a prototype machine-readable file for describing
which patches are to be applied how.)
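The retry pattern from item 1 of the advisory, as an added example rather than code from Xen or from anyone on this thread: a stub grant copy that stays busy for a constructed number of attempts, retried first by the self-call shape and then by an explicit bounded loop, with call nesting counted so the growth the advisory describes is visible. All names (copy_ctx, try_copy, copy_retry_recursive, copy_retry_loop) are assumed for illustration.

```c
/* Added example, not Xen's grant-table code: the retry shape from XSA-226
 * item 1 beside a bounded loop. try_copy() stands in for the transitive grant
 * copy step and reports "retry" for a constructed number of attempts. */
enum { COPY_OK = 0, COPY_RETRY = 1, COPY_EAGAIN = -1 };

struct copy_ctx {
    int busy_attempts; /* constructed: how many attempts report COPY_RETRY */
    int attempts;      /* attempts made so far */
    int depth;         /* current call nesting */
    int max_depth;     /* deepest nesting seen */
};

static int try_copy(struct copy_ctx *c)
{
    return (c->attempts++ < c->busy_attempts) ? COPY_RETRY : COPY_OK;
}

/* Vulnerable shape: retry by re-invoking the function with unchanged
 * arguments. Unless the compiler emits a real tail call (the bookkeeping after
 * the call keeps it out of tail position here, as cleanup code often does),
 * every retry costs one more stack frame for as long as the grant stays busy. */
int copy_retry_recursive(struct copy_ctx *c)
{
    int rc;
    if (++c->depth > c->max_depth)
        c->max_depth = c->depth;
    rc = try_copy(c);
    if (rc == COPY_RETRY)
        rc = copy_retry_recursive(c); /* the self-call */
    c->depth--;
    return rc;
}

/* Hardened shape: an explicit loop with a retry cap. Stack use is constant and
 * a grant that never settles yields COPY_EAGAIN instead of deeper nesting. */
int copy_retry_loop(struct copy_ctx *c, int max_retries)
{
    int rc, i;
    if (++c->depth > c->max_depth)
        c->max_depth = c->depth;
    for (i = 0; (rc = try_copy(c)) == COPY_RETRY; i++)
        if (i >= max_retries) { rc = COPY_EAGAIN; break; } /* give up */
    c->depth--;
    return rc;
}

/* Checks: run a variant on a fresh context and return the deepest nesting
 * reached, or -1 when the result is not the expected one. */
int recursive_nesting(int busy)
{
    struct copy_ctx c = { busy, 0, 0, 0 };
    return copy_retry_recursive(&c) == COPY_OK ? c.max_depth : -1;
}

int loop_nesting(int busy, int max_retries, int expect_rc)
{
    struct copy_ctx c = { busy, 0, 0, 0 };
    return copy_retry_loop(&c, max_retries) == expect_rc ? c.max_depth : -1;
}
```

With the grant busy for 1000 attempts the self-call variant nests 1001 frames deep while the loop stays at one frame and reports COPY_EAGAIN once its cap of 16 retries is exhausted.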
Comment 11 Marcus Meissner 2017-08-17 15:35:44 UTC
Created attachment 737085 [details]
xsa226-v6.tar.bz2

new patchset.
Comment 12 Marcus Meissner 2017-08-17 15:36:07 UTC
            Xen Security Advisory CVE-2017-12135 / XSA-226
                               version 6

               multiple problems with transitive grants

UPDATES IN VERSION 6
====================

Patches actually addressing the issue have become ready.

RESOLUTION
==========

Applying the appropriate attached pair of patches from the list below
addresses this issue:

xsa226-unstable/*.patch     xen-unstable
xsa226-4.9/*.patch          Xen 4.9.x, Xen 4.8.x, Xen 4.7.x
xsa226-4.6/*.patch          Xen 4.6.x
xsa226-4.5/*.patch          Xen 4.5.x

Note that these patches have already been applied to the respective staging
trees.

Alternatively, applying the appropriate attached patch from the list
below works around this issue by disabling transitive grants by default:

xsa226.patch           xen-unstable, Xen 4.9.x, Xen 4.8.x
xsa226-4.7.patch       Xen 4.7.x
xsa226-4.6.patch       Xen 4.6.x
xsa226-4.5.patch       Xen 4.5.x

$ sha256sum xsa226* xsa226*/*
Comment 13 Charles Arnold 2017-08-22 14:44:20 UTC
There is one more follow-up patch to this XSA posted to the mailing list.

https://lists.xen.org/archives/html/xen-devel/2017-08/msg02239.html

I have included this new fix with version 6.
Comment 14 Swamp Workflow Management 2017-08-23 15:46:56 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2017-08-30.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63847
Comment 15 Charles Arnold 2017-08-24 15:26:30 UTC
Everything has been submitted.
Comment 16 Marcus Meissner 2017-08-29 12:08:08 UTC
            Xen Security Advisory CVE-2017-12135 / XSA-226
                               version 7

               multiple problems with transitive grants

UPDATES IN VERSION 7
====================

First patch provided in version 6 regressed 32-bit Dom0 or backend
domains. The updated patch includes a fix for this.

Comment 17 Marcus Meissner 2017-08-29 12:09:38 UTC
Created attachment 738644 [details]
xsa226-v7.tar.bz2

patches attached to email
Comment 18 Marcus Meissner 2017-08-29 12:10:17 UTC
Charles, Jan?

do we need resubmission compared to current state?
Comment 19 Jan Beulich 2017-08-29 12:37:59 UTC
Only Charles can tell for sure.
Comment 20 Charles Arnold 2017-08-29 14:55:15 UTC
(In reply to Marcus Meissner from comment #18)
> Charles, Jan?
> 
> do we need resubmission compared to current state?

No. We already have this most recent fix for "32-bit Dom0 or backend domains" 
in the last submission. No resubmission is required.
Comment 21 Marcus Meissner 2017-08-29 15:02:06 UTC
thanks for checking!
Comment 22 Swamp Workflow Management 2017-09-01 01:10:15 UTC
SUSE-SU-2017:2319-1: An update that solves 6 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1002573,1046637,1047675,1048920,1049578,1051787,1051788,1052686
CVE References: CVE-2017-10664,CVE-2017-10806,CVE-2017-11334,CVE-2017-11434,CVE-2017-12135,CVE-2017-12137
Sources used:
SUSE OpenStack Cloud 6 (src):    xen-4.5.5_14-22.25.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    xen-4.5.5_14-22.25.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    xen-4.5.5_14-22.25.1
Comment 23 Swamp Workflow Management 2017-09-01 16:09:31 UTC
SUSE-SU-2017:2326-1: An update that solves 7 vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1002573,1026236,1035231,1037840,1046637,1049578,1051787,1051788,1051789,1052686,1055695
CVE References: CVE-2016-9603,CVE-2017-10664,CVE-2017-11434,CVE-2017-12135,CVE-2017-12136,CVE-2017-12137,CVE-2017-12855
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    xen-4.7.3_03-43.9.1
SUSE Linux Enterprise Server 12-SP2 (src):    xen-4.7.3_03-43.9.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    xen-4.7.3_03-43.9.1
SUSE Container as a Service Platform ALL (src):    xen-4.7.3_03-43.9.1
Comment 24 Swamp Workflow Management 2017-09-01 16:11:44 UTC
SUSE-SU-2017:2327-1: An update that solves 6 vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 1002573,1026236,1027519,1035231,1046637,1049578,1051787,1051788,1051789,1052686,1055695
CVE References: CVE-2017-10664,CVE-2017-11434,CVE-2017-12135,CVE-2017-12136,CVE-2017-12137,CVE-2017-12855
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    xen-4.9.0_11-3.9.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    xen-4.9.0_11-3.9.1
Comment 25 Swamp Workflow Management 2017-09-04 16:09:33 UTC
SUSE-SU-2017:2339-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 1046637,1048920,1049578,1051787,1051788,1052686
CVE References: CVE-2017-10664,CVE-2017-11334,CVE-2017-11434,CVE-2017-12135,CVE-2017-12137,CVE-2017-12855
Sources used:
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    xen-4.2.5_21-45.5.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    xen-4.2.5_21-45.5.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    xen-4.2.5_21-45.5.1
Comment 26 Swamp Workflow Management 2017-09-08 19:09:56 UTC
openSUSE-SU-2017:2394-1: An update that solves 6 vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 1002573,1026236,1027519,1035231,1046637,1049578,1051787,1051788,1051789,1052686,1055695
CVE References: CVE-2017-10664,CVE-2017-11434,CVE-2017-12135,CVE-2017-12136,CVE-2017-12137,CVE-2017-12855
Sources used:
openSUSE Leap 42.3 (src):    xen-4.9.0_11-4.1
Comment 27 Swamp Workflow Management 2017-09-08 19:15:34 UTC
openSUSE-SU-2017:2398-1: An update that solves 7 vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1002573,1026236,1035231,1037840,1046637,1049578,1051787,1051788,1051789,1052686,1055695
CVE References: CVE-2016-9603,CVE-2017-10664,CVE-2017-11434,CVE-2017-12135,CVE-2017-12136,CVE-2017-12137,CVE-2017-12855
Sources used:
openSUSE Leap 42.2 (src):    xen-4.7.3_03-11.12.1
Comment 28 Swamp Workflow Management 2017-09-13 16:09:53 UTC
SUSE-SU-2017:2450-1: An update that solves 10 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1027519,1032598,1037413,1046637,1047675,1048920,1049578,1051787,1051788,1052686,1056278,1056281,1056282
CVE References: CVE-2017-10664,CVE-2017-10806,CVE-2017-11334,CVE-2017-11434,CVE-2017-12135,CVE-2017-12137,CVE-2017-12855,CVE-2017-14316,CVE-2017-14317,CVE-2017-14319
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    xen-4.4.4_22-61.9.2
SUSE Linux Enterprise Server 11-SP4 (src):    xen-4.4.4_22-61.9.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    xen-4.4.4_22-61.9.2
Comment 29 Swamp Workflow Management 2017-09-21 19:09:27 UTC
SUSE-SU-2017:2541-1: An update that solves 10 vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1002573,1027519,1032598,1037413,1046637,1047675,1048920,1049578,1051787,1051788,1052686,1056278,1056281,1056282
CVE References: CVE-2017-10664,CVE-2017-10806,CVE-2017-11334,CVE-2017-11434,CVE-2017-12135,CVE-2017-12137,CVE-2017-12855,CVE-2017-14316,CVE-2017-14317,CVE-2017-14319
Sources used:
SUSE Linux Enterprise Server for SAP 12 (src):    xen-4.4.4_22-22.51.2
SUSE Linux Enterprise Server 12-LTSS (src):    xen-4.4.4_22-22.51.2
Comment 30 Marcus Meissner 2017-10-25 17:30:24 UTC
released
Comment 31 Swamp Workflow Management 2017-11-16 14:08:06 UTC
SUSE-SU-2017:2327-2: An update that solves 6 vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 1002573,1026236,1027519,1035231,1046637,1049578,1051787,1051788,1051789,1052686,1055695
CVE References: CVE-2017-10664,CVE-2017-11434,CVE-2017-12135,CVE-2017-12136,CVE-2017-12137,CVE-2017-12855
Sources used:
SUSE Linux Enterprise Server 12-SP3 (src):    xen-4.9.0_11-3.9.1