Bug 1051789 - (CVE-2017-12136) VUL-0: CVE-2017-12136: xen: grant_table: Race conditions with maptrack free list handling (XSA-228)
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Major
Assigned To: Security Team bot
CVSSv3:SUSE:CVE-2017-12136:8.1:(AV:L/...
Reported: 2017-08-02 06:30 UTC by Johannes Segitz
Modified: 2017-11-16 14:08 UTC (History)



Attachments: Meta file (1.52 KB, text/plain), 2017-08-03 06:22 UTC, Johannes Segitz

Comment 1 Johannes Segitz 2017-08-02 06:30:52 UTC
CRD: 2017-08-15 12:00 UTC
Comment 2 Johannes Segitz 2017-08-03 06:22:43 UTC
Created attachment 735060
Meta file
Comment 3 Charles Arnold 2017-08-11 16:57:39 UTC
Submitted for,

SUSE:SLE-12-SP2:Update
SUSE:SLE-12-SP3:Update
Comment 4 Marcus Meissner 2017-08-15 12:52:15 UTC
is public

            Xen Security Advisory CVE-2017-12136 / XSA-228
                               version 3

     grant_table: Race conditions with maptrack free list handling

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

The grant table code in Xen has a bespoke semi-lockfree allocator for
recording grant mappings ("maptrack" entries).  This allocator has a
race which allows the free list to be corrupted.

Specifically: the code for removing an entry from the free list, prior
to use, assumes (without locking) that if inspecting the head item shows
that it is not the tail, it will continue to not be the tail of the
list if it is later found to be still the head and removed with
cmpxchg.  But the entry might have been removed and replaced, with the
result that it might be the tail by then.  (The invariants for the
semi-lockfree data structure were never formally documented.)

Additionally, a stolen entry is put on the free list with an incorrect
link field, which will very likely corrupt the list.

IMPACT
======

A malicious guest administrator can crash the host, and can probably
escalate their privilege to that of the host.

VULNERABLE SYSTEMS
==================

Xen 4.6 and later are vulnerable.

Xen 4.5 and earlier are not vulnerable.

MITIGATION
==========

There is no mitigation for this vulnerability.

CREDITS
=======

This issue was discovered by Ian Jackson of Citrix.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa228.patch           xen-unstable, Xen 4.9.x
xsa228-4.8.patch       Xen 4.8.x, Xen 4.7.x, Xen 4.6.x

$ sha256sum xsa228*
35a1a7f8905770fa64da0756fe3e0400bb8c28ecae0b7cf80e749cb7962018db  xsa228.meta
1979e111442517891b483e316a15a760a4c992ac4440f95e361ff12f4bebff62  xsa228.patch
5a7416f15ac9cd7cace354b6102ff58199fe0581f65a36a36869650c71784e48  xsa228-4.8.patch
$
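The first race the advisory describes (inspect head, decide it is not the tail, later cmpxchg on head alone) is the classic stale-snapshot problem in a lock-free pop. The following added example is a constructed toy model written for this bug entry, not Xen's grant-table code or the XSA-228 patch: it replays the interleaving deterministically against a three-slot free list and shows the cmpxchg succeeding on a stale link, then contrasts it with a hardened removal that does the tail check and the unlink in one locked critical section (the lock-based hardening is the editor's assumption of a standard remedy, not a claim about the project's fix). The second defect in the advisory, the stolen entry with a wrong link field, is not modelled.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
/* Constructed toy model of a maptrack-style free list for this bug page (not Xen's
 * code): link[] chains free slots, head indexes the first, LIST_END marks the tail. */
#define NSLOTS 3
#define LIST_END 0xFFFFFFFFu
struct freelist { _Atomic uint32_t head; uint32_t link[NSLOTS]; bool in_use[NSLOTS]; atomic_flag lock; };
static void fl_init(struct freelist *f) {
    for (uint32_t i = 0; i < NSLOTS; i++) { f->link[i] = i + 1; f->in_use[i] = false; }
    f->link[NSLOTS - 1] = LIST_END; f->head = 0; atomic_flag_clear(&f->lock);
}
/* Alloc/free as done by the "other vCPU"; the reuse drains the list and frees
 * slot 0 again, so slot 0 is head once more but is now the tail. */
static uint32_t other_alloc(struct freelist *f) { uint32_t e = f->head; f->head = f->link[e]; f->in_use[e] = true; return e; }
static void other_free(struct freelist *f, uint32_t e) { f->link[e] = f->head; f->head = e; f->in_use[e] = false; }
static void other_vcpu_reuses_head(struct freelist *f) { uint32_t a = other_alloc(f); other_alloc(f); other_alloc(f); other_free(f, a); }
/* Flawed lock-free removal in the two steps the race separates: inspect reads head
 * and its link and refuses the tail; commit does cmpxchg on head alone, trusting that link. */
struct snap { uint32_t head, next; };
static bool racy_inspect(struct freelist *f, struct snap *s) {
    s->head = f->head; if (s->head == LIST_END) return false;
    s->next = f->link[s->head]; return s->next != LIST_END;
}
static bool racy_commit(struct freelist *f, struct snap *s) {
    uint32_t expected = s->head;
    if (!atomic_compare_exchange_strong(&f->head, &expected, s->next)) return false;
    f->in_use[s->head] = true; return true;
}
/* Reuse lands between inspect and commit: head is slot 0 again, so the cmpxchg
 * succeeds and installs the stale, already-allocated slot 1 as head.  Returns 1 if corrupted. */
int racy_remove_corrupts(void) {
    struct freelist f; struct snap s; fl_init(&f);
    if (!racy_inspect(&f, &s)) return -1;               /* head=0, next=1 */
    other_vcpu_reuses_head(&f);                         /* list: 0 -> END */
    if (!racy_commit(&f, &s)) return -1;                /* succeeds: head=1 */
    return f.in_use[f.head] ? 1 : 0;
}
/* Hardened removal (assumed remedy, not the project's patch): tail check and unlink form
 * one critical section the other vCPU's paths would also take, so no stale snapshot exists. */
static bool locked_remove(struct freelist *f, uint32_t *out) {
    while (atomic_flag_test_and_set(&f->lock)) {}
    uint32_t h = f->head; bool ok = (h != LIST_END && f->link[h] != LIST_END);
    if (ok) { f->head = f->link[h]; f->in_use[h] = true; *out = h; }
    atomic_flag_clear(&f->lock); return ok;
}
int locked_remove_stays_consistent(void) {   /* returns 1 when the lone tail is refused and the list stays sane */
    struct freelist f; uint32_t got; fl_init(&f); other_vcpu_reuses_head(&f);
    return (!locked_remove(&f, &got) && !f.in_use[f.head]) ? 1 : 0;
}
```

The racy path ends with the free-list head indexing a slot that is already handed out, which is exactly the corruption a later allocation or free turns into a host crash; the locked path sees the tail and refuses it.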
Comment 5 Swamp Workflow Management 2017-09-01 16:09:52 UTC
SUSE-SU-2017:2326-1: An update that solves 7 vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1002573,1026236,1035231,1037840,1046637,1049578,1051787,1051788,1051789,1052686,1055695
CVE References: CVE-2016-9603,CVE-2017-10664,CVE-2017-11434,CVE-2017-12135,CVE-2017-12136,CVE-2017-12137,CVE-2017-12855
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    xen-4.7.3_03-43.9.1
SUSE Linux Enterprise Server 12-SP2 (src):    xen-4.7.3_03-43.9.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    xen-4.7.3_03-43.9.1
SUSE Container as a Service Platform ALL (src):    xen-4.7.3_03-43.9.1
Comment 6 Swamp Workflow Management 2017-09-01 16:12:01 UTC
SUSE-SU-2017:2327-1: An update that solves 6 vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 1002573,1026236,1027519,1035231,1046637,1049578,1051787,1051788,1051789,1052686,1055695
CVE References: CVE-2017-10664,CVE-2017-11434,CVE-2017-12135,CVE-2017-12136,CVE-2017-12137,CVE-2017-12855
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    xen-4.9.0_11-3.9.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    xen-4.9.0_11-3.9.1
Comment 7 Swamp Workflow Management 2017-09-08 19:10:18 UTC
openSUSE-SU-2017:2394-1: An update that solves 6 vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 1002573,1026236,1027519,1035231,1046637,1049578,1051787,1051788,1051789,1052686,1055695
CVE References: CVE-2017-10664,CVE-2017-11434,CVE-2017-12135,CVE-2017-12136,CVE-2017-12137,CVE-2017-12855
Sources used:
openSUSE Leap 42.3 (src):    xen-4.9.0_11-4.1
Comment 8 Swamp Workflow Management 2017-09-08 19:15:53 UTC
openSUSE-SU-2017:2398-1: An update that solves 7 vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1002573,1026236,1035231,1037840,1046637,1049578,1051787,1051788,1051789,1052686,1055695
CVE References: CVE-2016-9603,CVE-2017-10664,CVE-2017-11434,CVE-2017-12135,CVE-2017-12136,CVE-2017-12137,CVE-2017-12855
Sources used:
openSUSE Leap 42.2 (src):    xen-4.7.3_03-11.12.1
Comment 9 Marcus Meissner 2017-10-25 17:30:38 UTC
released
Comment 10 Swamp Workflow Management 2017-11-16 14:08:25 UTC
SUSE-SU-2017:2327-2: An update that solves 6 vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 1002573,1026236,1027519,1035231,1046637,1049578,1051787,1051788,1051789,1052686,1055695
CVE References: CVE-2017-10664,CVE-2017-11434,CVE-2017-12135,CVE-2017-12136,CVE-2017-12137,CVE-2017-12855
Sources used:
SUSE Linux Enterprise Server 12-SP3 (src):    xen-4.9.0_11-3.9.1