Bugzilla – Bug 1051788
VUL-0: CVE-2017-12137: xen: x86: PV privilege escalation via map_grant_ref (XSA-227)
Last modified: 2021-01-21 18:18:27 UTC
CRD: 2017-08-15 12:00 UTC
Created attachment 735053: Fixed 4.5 backport
Created attachment 735056: metadata file
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2017-08-18. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/63827
Submitted for:
SUSE:SLE-10-SP3:Update:Test
SUSE:SLE-11-SP1:Update:Teradata
SUSE:SLE-11-SP3:Update
SUSE:SLE-11-SP4:Update
SUSE:SLE-12:Update
SUSE:SLE-12-SP1:Update
SUSE:SLE-12-SP2:Update
SUSE:SLE-12-SP3:Update
is public

            Xen Security Advisory CVE-2017-12137 / XSA-227
                              version 3

            x86: PV privilege escalation via map_grant_ref

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

When mapping a grant reference, a guest must inform Xen of where it
would like the grant mapped. For PV guests, this is done by nominating
an existing linear address, or an L1 pagetable entry, to be altered.

Neither of these PV paths check for alignment of the passed parameter.
The linear address path suitably truncates the linear address when
calculating the L1 entry to use, but the path which uses a directly
nominated L1 entry performs no checks.

This causes Xen to make an incorrectly-aligned update to a pagetable,
which corrupts both the intended entry and the subsequent entry with
values which are largely guest controlled. If the misaligned value
crosses a page boundary, then an arbitrary other heap page is corrupted.

IMPACT
======

A PV guest can elevate its privilege to that of the host.

VULNERABLE SYSTEMS
==================

All versions of Xen are vulnerable.

Only x86 systems are vulnerable.

Any system running untrusted PV guests is vulnerable.

The vulnerability is exposed to PV stub qemu serving as the device model
for HVM guests. Our default assumption is that an HVM guest has
compromised its PV stub qemu. By extension, it is likely that the
vulnerability is exposed to HVM guests which are served by a PV stub
qemu.

MITIGATION
==========

Running only HVM guests, served by a dom0-based qemu, will avoid this
vulnerability.

CREDITS
=======

This issue was discovered by Andrew Cooper of Citrix.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa227.patch           xen-unstable, Xen 4.9.x, 4.8.x, 4.7.x
xsa227-4.6.patch       Xen 4.6.x
xsa227-4.5.patch       Xen 4.5.x

$ sha256sum xsa227*
c48cc3be47e81a4ceebcf60659b8755516c68916fc5150920ed42c6b61e3f219  xsa227.meta
9923a47e5f86949800887596f098954a08ef73a01d74b1dbe16cab2e6b1fabb2  xsa227.patch
6f83d0d9ff853192840d2b82d26d8fde21473bf4ac1441a153f3ee02efd1dd67  xsa227-4.5.patch
162b991b27b86f210089526a01cae715563d3a069c92f42538b423bba7709fcc  xsa227-4.6.patch
$

(The .meta file is a prototype machine-readable file for describing
which patches are to be applied how.)
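As an added illustration (not Xen's code and not the XSA-227 patch itself): a toy model of one L1 pagetable page as 512 8-byte entries, updated at a caller-supplied byte offset. It shows why an unaligned offset modifies two entries rather than one, beside the alignment check that the fix adds for the directly nominated L1 entry path. All names and the page layout are assumptions of this model.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Toy model (assumption, not Xen's layout): a 4 KiB pagetable page holding
 * 512 8-byte L1 entries; entry i is initialised to 0x1000 + i. */
#define PAGE_SIZE   4096u
#define PTE_SIZE    sizeof(uint64_t)
#define NR_ENTRIES  (PAGE_SIZE / PTE_SIZE)

static void init_page(uint64_t *pt)
{
    for (size_t i = 0; i < NR_ENTRIES; i++)
        pt[i] = 0x1000u + i;
}

/* Vulnerable pattern: the nominated entry address is used as given, so an
 * unaligned offset writes 8 bytes that straddle two entries. The model only
 * refuses to run past its single page; Xen would hit the next heap page. */
static bool update_pte_unchecked(uint64_t *pt, size_t off, uint64_t val)
{
    if (off + PTE_SIZE > PAGE_SIZE)
        return false;
    memcpy((uint8_t *)pt + off, &val, PTE_SIZE);
    return true;
}

/* Hardened pattern: reject any offset that is not entry-aligned before
 * touching the pagetable, which is the check the XSA-227 fix adds. */
static bool update_pte_checked(uint64_t *pt, size_t off, uint64_t val)
{
    if (off % PTE_SIZE != 0)
        return false;
    return update_pte_unchecked(pt, off, val);
}

/* Performs one write and returns how many entries no longer hold their
 * initial value (0 when the write was refused). */
static size_t entries_changed(bool checked, size_t off)
{
    uint64_t pt[NR_ENTRIES];
    uint64_t val = 0xdeadbeefcafef00dull;   /* constructed, guest-chosen value */
    init_page(pt);
    bool ok = checked ? update_pte_checked(pt, off, val)
                      : update_pte_unchecked(pt, off, val);
    size_t n = 0;
    for (size_t i = 0; i < NR_ENTRIES; i++)
        n += (pt[i] != 0x1000u + i);
    return ok ? n : 0;
}
```

Calling `entries_changed(false, 19)` reports two corrupted entries for the unchecked path, while `entries_changed(true, 19)` reports none because the aligned-offset check refuses the write.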
SUSE-SU-2017:2319-1: An update that solves 6 vulnerabilities and has two fixes is now available.
Category: security (important)
Bug References: 1002573,1046637,1047675,1048920,1049578,1051787,1051788,1052686
CVE References: CVE-2017-10664,CVE-2017-10806,CVE-2017-11334,CVE-2017-11434,CVE-2017-12135,CVE-2017-12137
Sources used:
SUSE OpenStack Cloud 6 (src): xen-4.5.5_14-22.25.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src): xen-4.5.5_14-22.25.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src): xen-4.5.5_14-22.25.1

SUSE-SU-2017:2326-1: An update that solves 7 vulnerabilities and has four fixes is now available.
Category: security (important)
Bug References: 1002573,1026236,1035231,1037840,1046637,1049578,1051787,1051788,1051789,1052686,1055695
CVE References: CVE-2016-9603,CVE-2017-10664,CVE-2017-11434,CVE-2017-12135,CVE-2017-12136,CVE-2017-12137,CVE-2017-12855
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): xen-4.7.3_03-43.9.1
SUSE Linux Enterprise Server 12-SP2 (src): xen-4.7.3_03-43.9.1
SUSE Linux Enterprise Desktop 12-SP2 (src): xen-4.7.3_03-43.9.1
SUSE Container as a Service Platform ALL (src): xen-4.7.3_03-43.9.1

SUSE-SU-2017:2327-1: An update that solves 6 vulnerabilities and has 5 fixes is now available.
Category: security (important)
Bug References: 1002573,1026236,1027519,1035231,1046637,1049578,1051787,1051788,1051789,1052686,1055695
CVE References: CVE-2017-10664,CVE-2017-11434,CVE-2017-12135,CVE-2017-12136,CVE-2017-12137,CVE-2017-12855
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src): xen-4.9.0_11-3.9.1
SUSE Linux Enterprise Desktop 12-SP3 (src): xen-4.9.0_11-3.9.1

SUSE-SU-2017:2339-1: An update that fixes 6 vulnerabilities is now available.
Category: security (important)
Bug References: 1046637,1048920,1049578,1051787,1051788,1052686
CVE References: CVE-2017-10664,CVE-2017-11334,CVE-2017-11434,CVE-2017-12135,CVE-2017-12137,CVE-2017-12855
Sources used:
SUSE Linux Enterprise Server 11-SP3-LTSS (src): xen-4.2.5_21-45.5.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src): xen-4.2.5_21-45.5.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src): xen-4.2.5_21-45.5.1

openSUSE-SU-2017:2394-1: An update that solves 6 vulnerabilities and has 5 fixes is now available.
Category: security (important)
Bug References: 1002573,1026236,1027519,1035231,1046637,1049578,1051787,1051788,1051789,1052686,1055695
CVE References: CVE-2017-10664,CVE-2017-11434,CVE-2017-12135,CVE-2017-12136,CVE-2017-12137,CVE-2017-12855
Sources used:
openSUSE Leap 42.3 (src): xen-4.9.0_11-4.1

openSUSE-SU-2017:2398-1: An update that solves 7 vulnerabilities and has four fixes is now available.
Category: security (important)
Bug References: 1002573,1026236,1035231,1037840,1046637,1049578,1051787,1051788,1051789,1052686,1055695
CVE References: CVE-2016-9603,CVE-2017-10664,CVE-2017-11434,CVE-2017-12135,CVE-2017-12136,CVE-2017-12137,CVE-2017-12855
Sources used:
openSUSE Leap 42.2 (src): xen-4.7.3_03-11.12.1

SUSE-SU-2017:2450-1: An update that solves 10 vulnerabilities and has three fixes is now available.
Category: security (important)
Bug References: 1027519,1032598,1037413,1046637,1047675,1048920,1049578,1051787,1051788,1052686,1056278,1056281,1056282
CVE References: CVE-2017-10664,CVE-2017-10806,CVE-2017-11334,CVE-2017-11434,CVE-2017-12135,CVE-2017-12137,CVE-2017-12855,CVE-2017-14316,CVE-2017-14317,CVE-2017-14319
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): xen-4.4.4_22-61.9.2
SUSE Linux Enterprise Server 11-SP4 (src): xen-4.4.4_22-61.9.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src): xen-4.4.4_22-61.9.2

SUSE-SU-2017:2541-1: An update that solves 10 vulnerabilities and has four fixes is now available.
Category: security (important)
Bug References: 1002573,1027519,1032598,1037413,1046637,1047675,1048920,1049578,1051787,1051788,1052686,1056278,1056281,1056282
CVE References: CVE-2017-10664,CVE-2017-10806,CVE-2017-11334,CVE-2017-11434,CVE-2017-12135,CVE-2017-12137,CVE-2017-12855,CVE-2017-14316,CVE-2017-14317,CVE-2017-14319
Sources used:
SUSE Linux Enterprise Server for SAP 12 (src): xen-4.4.4_22-22.51.2
SUSE Linux Enterprise Server 12-LTSS (src): xen-4.4.4_22-22.51.2
released
SUSE-SU-2017:2327-2: An update that solves 6 vulnerabilities and has 5 fixes is now available.
Category: security (important)
Bug References: 1002573,1026236,1027519,1035231,1046637,1049578,1051787,1051788,1051789,1052686,1055695
CVE References: CVE-2017-10664,CVE-2017-11434,CVE-2017-12135,CVE-2017-12136,CVE-2017-12137,CVE-2017-12855
Sources used:
SUSE Linux Enterprise Server 12-SP3 (src): xen-4.9.0_11-3.9.1