Bug 1061081 - (CVE-2017-15595) VUL-0: CVE-2017-15595: xen: Unlimited recursion in linear pagetable de-typing (XSA-240)
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium
Severity: Major
Assigned To: Security Team bot
https://smash.suse.de/issue/192679/
CVSSv3:SUSE:CVE-2017-15595:8.1:(AV:L/...
Reported: 2017-09-29 13:46 UTC by Marcus Meissner
Modified: 2021-01-22 09:01 UTC

Attachments
Updated patchset (180.00 KB, application/x-tar), 2017-10-10 09:19 UTC, Johannes Segitz
Upstream patches (210.00 KB, application/x-tar), 2017-11-16 08:26 UTC, Johannes Segitz
Updated patchset (220.00 KB, application/x-tar), 2017-12-12 13:37 UTC, Johannes Segitz

Description Marcus Meissner 2017-09-29 13:46:13 UTC
CRD: 2017-10-12 12:00 UTC

                    Xen Security Advisory XSA-240

           Unlimited recursion in linear pagetable de-typing

              *** EMBARGOED UNTIL 2017-10-12 12:00 UTC ***

ISSUE DESCRIPTION
=================

x86 PV guests are permitted to set up certain forms of what is often
called "linear page tables", where pagetables contain references to
other pagetables at the same level or higher.  Certain restrictions
apply in order to fit into Xen's page type handling system.  An
important restriction was missed, however: Stacking multiple layers
of page tables of the same level on top of one another is not very
useful, and the tearing down of such an arrangement involves
recursion.  With sufficiently many layers such recursion will result
in a stack overflow, commonly resulting in Xen crashing.

IMPACT
======

A malicious or buggy PV guest may cause the hypervisor to crash,
resulting in Denial of Service (DoS) affecting the entire host.
Privilege escalation and information leaks cannot be excluded.

VULNERABLE SYSTEMS
==================

All Xen versions from at least 3.2 onwards are vulnerable.  Earlier
versions have not been checked.

Only x86 systems are affected.  ARM systems are not affected.

Only x86 PV guests can leverage the vulnerability.  x86 HVM guests
cannot leverage the vulnerability.

MITIGATION
==========

Running only HVM guests will avoid this vulnerability.

For PV guests, the vulnerability can be avoided if the guest kernel is
controlled by the host rather than guest administrator, provided that
further steps are taken to prevent the guest administrator from loading
code into the kernel (e.g. by disabling loadable modules etc) or from
using other mechanisms which allow them to run code at kernel privilege.

RESOLUTION
==========

Applying the appropriate attached patch series resolves this issue.
The first patch fixes this known issue.  The second patch in each
series disables the `linear pagetable` option by default.  It can be
re-enabled by adding "pv-linear-pt=true" on the Xen command-line.

Note that neither Linux, NetBSD, nor MiniOS use linear pagetables; the
only operating system the security team is aware of which uses this
feature is Novell Netware (last released in 2009, but still under
extended support).

xsa240/*.patch           xen-unstable
xsa240-4.9/*.patch       Xen 4.9.x
xsa240-4.8/*.patch       Xen 4.8.x
xsa240-4.7/*.patch       Xen 4.7.x
xsa240-4.6/*.patch       Xen 4.6.x
xsa240-4.5/*.patch       Xen 4.5.x

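The failure mode from the ISSUE DESCRIPTION above, as a toy C model added here (not Xen code, and not part of the advisory or its patches): teardown recursion grows with the number of stacked same-level tables unless stacking is limited to a single level, as the first patch's file name states. `struct pt`, `link_unchecked`, `link_checked` and `stack_layers` are hypothetical names, and the form of the check is an assumption rather than the patch's actual logic.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy model, not Xen code: a page table holding at most one linear entry. */
struct pt {
    struct pt *linear;    /* same-level table this one references, or NULL */
    int linear_users;     /* number of tables referencing this one         */
};

/* De-typing a table first de-types the table it references, so the number
 * of nested calls equals the number of stacked layers.  Assumes no cycles. */
static int teardown_depth(const struct pt *p)
{
    return p->linear ? 1 + teardown_depth(p->linear) : 1;
}

/* Behaviour described in the advisory: any same-level reference is accepted. */
static int link_unchecked(struct pt *from, struct pt *to)
{
    from->linear = to;
    to->linear_users++;
    return 0;
}

/* Single-level rule (assumed form): a table either holds a linear entry or
 * is the target of one, never both, so no chain exceeds two tables. */
static int link_checked(struct pt *from, struct pt *to)
{
    if (from->linear_users > 0 || to->linear != NULL)
        return -1;                      /* would add another layer: refuse */
    return link_unchecked(from, to);
}

/* Request the stack t[0] -> t[1] -> ... -> t[n-1] through the given policy
 * and return how deep tearing down t[0] would then recurse. */
static int stack_layers(struct pt *t, int n,
                        int (*link)(struct pt *, struct pt *))
{
    for (int i = 0; i < n; i++) {
        t[i].linear = NULL;
        t[i].linear_users = 0;
    }
    for (int i = 0; i + 1 < n; i++)
        link(&t[i], &t[i + 1]);         /* a refused link leaves t[i] bare */
    return teardown_depth(&t[0]);
}

int main(void)
{
    struct pt t[64];                    /* constructed sample: 64 layers */

    printf("unchecked: depth %d\n", stack_layers(t, 64, link_unchecked));
    printf("checked:   depth %d\n", stack_layers(t, 64, link_checked));
    return 0;
}
```

With the unchecked policy the depth tracks whatever layer count was requested, while the checked policy caps it at two regardless of the request.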
Comment 2 Johannes Segitz 2017-10-10 09:19:01 UTC
Created attachment 743677
Updated patchset

UPDATES IN VERSION 2
====================

Correct placement of code addition to _put_final_page_type() in the
actual fixes. Minor cosmetic fixes to the disable-by-default patches.

Correct Resolution section: NetBSD does use linear pagetables.
Comment 3 Charles Arnold 2017-10-11 14:57:15 UTC
Submitted for,
SUSE:SLE-10-SP3:Update:Test
SUSE:SLE-11-SP1:Update:Teradata
SUSE:SLE-11-SP3:Update
SUSE:SLE-11-SP4:Update
SUSE:SLE-12:Update
SUSE:SLE-12-SP1:Update
SUSE:SLE-12-SP2:Update
SUSE:SLE-12-SP3:Update
Comment 4 Swamp Workflow Management 2017-10-12 07:36:27 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2017-10-19.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63882
Comment 5 Johannes Segitz 2017-10-12 12:53:03 UTC
public
Comment 6 Swamp Workflow Management 2017-10-17 16:17:12 UTC
SUSE-SU-2017:2751-1: An update that solves one vulnerability and has 10 fixes is now available.

Category: security (important)
Bug References: 1027519,1055321,1059777,1061076,1061077,1061080,1061081,1061082,1061084,1061086,1061087
CVE References: CVE-2017-5526
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    xen-4.9.0_14-3.18.1
SUSE Linux Enterprise Server 12-SP3 (src):    xen-4.9.0_14-3.18.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    xen-4.9.0_14-3.18.1
Comment 7 Swamp Workflow Management 2017-10-20 19:08:39 UTC
SUSE-SU-2017:2812-1: An update that fixes 8 vulnerabilities is now available.

Category: security (important)
Bug References: 1059777,1061076,1061080,1061081,1061082,1061084,1061086,1061087
CVE References: CVE-2017-15588,CVE-2017-15589,CVE-2017-15590,CVE-2017-15592,CVE-2017-15593,CVE-2017-15594,CVE-2017-15595,CVE-2017-5526
Sources used:
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    xen-4.2.5_21-45.11.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    xen-4.2.5_21-45.11.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    xen-4.2.5_21-45.11.1
Comment 8 Swamp Workflow Management 2017-10-20 19:10:55 UTC
SUSE-SU-2017:2815-1: An update that solves 8 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1027519,1059777,1061076,1061080,1061081,1061082,1061084,1061086,1061087
CVE References: CVE-2017-15588,CVE-2017-15589,CVE-2017-15590,CVE-2017-15592,CVE-2017-15593,CVE-2017-15594,CVE-2017-15595,CVE-2017-5526
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    xen-4.4.4_24-61.12.1
SUSE Linux Enterprise Server 11-SP4 (src):    xen-4.4.4_24-61.12.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    xen-4.4.4_24-61.12.1
Comment 9 Swamp Workflow Management 2017-10-20 22:12:17 UTC
openSUSE-SU-2017:2821-1: An update that solves 8 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1027519,1055321,1059777,1061076,1061077,1061080,1061081,1061082,1061084,1061086,1061087
CVE References: CVE-2017-15588,CVE-2017-15589,CVE-2017-15590,CVE-2017-15592,CVE-2017-15593,CVE-2017-15594,CVE-2017-15595,CVE-2017-5526
Sources used:
openSUSE Leap 42.3 (src):    xen-4.9.0_14-10.1
Comment 10 Swamp Workflow Management 2017-10-26 16:10:00 UTC
SUSE-SU-2017:2856-1: An update that solves 8 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1027519,1059777,1061076,1061080,1061081,1061082,1061084,1061086,1061087
CVE References: CVE-2017-15588,CVE-2017-15589,CVE-2017-15590,CVE-2017-15592,CVE-2017-15593,CVE-2017-15594,CVE-2017-15595,CVE-2017-5526
Sources used:
SUSE Linux Enterprise Server 12-LTSS (src):    xen-4.4.4_24-22.54.1
Comment 11 Swamp Workflow Management 2017-10-27 13:10:38 UTC
SUSE-SU-2017:2864-1: An update that solves 9 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1027519,1057358,1059777,1061076,1061077,1061080,1061081,1061082,1061084,1061086,1061087
CVE References: CVE-2017-15588,CVE-2017-15589,CVE-2017-15590,CVE-2017-15591,CVE-2017-15592,CVE-2017-15593,CVE-2017-15594,CVE-2017-15595,CVE-2017-5526
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    xen-4.7.3_06-43.15.1
SUSE Linux Enterprise Server 12-SP2 (src):    xen-4.7.3_06-43.15.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    xen-4.7.3_06-43.15.1
SUSE Container as a Service Platform ALL (src):    xen-4.7.3_06-43.15.1
Comment 12 Swamp Workflow Management 2017-10-27 19:11:05 UTC
SUSE-SU-2017:2873-1: An update that fixes 9 vulnerabilities is now available.

Category: security (important)
Bug References: 1059777,1061076,1061077,1061080,1061081,1061082,1061084,1061086,1061087
CVE References: CVE-2017-15588,CVE-2017-15589,CVE-2017-15590,CVE-2017-15591,CVE-2017-15592,CVE-2017-15593,CVE-2017-15594,CVE-2017-15595,CVE-2017-5526
Sources used:
SUSE OpenStack Cloud 6 (src):    xen-4.5.5_18-22.31.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    xen-4.5.5_18-22.31.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    xen-4.5.5_18-22.31.1
Comment 13 Swamp Workflow Management 2017-11-01 17:10:40 UTC
openSUSE-SU-2017:2916-1: An update that solves 9 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1027519,1057358,1059777,1061076,1061077,1061080,1061081,1061082,1061084,1061086,1061087
CVE References: CVE-2017-15588,CVE-2017-15589,CVE-2017-15590,CVE-2017-15591,CVE-2017-15592,CVE-2017-15593,CVE-2017-15594,CVE-2017-15595,CVE-2017-5526
Sources used:
openSUSE Leap 42.2 (src):    xen-4.7.3_06-11.18.1
Comment 14 Johannes Segitz 2017-11-16 08:26:13 UTC
Created attachment 748890
Upstream patches

UPDATES IN VERSION 5
====================

New final patch, addressing an issue found with the original fix,
which cannot be excluded to be by itself another security issue (not
fully addressing the original issue); crashes (assertion failures)
have been observed with custom debug builds of patched hypervisors.
Comment 16 Charles Arnold 2017-11-22 17:58:56 UTC
Security and maintenance updates containing this fix are submitted.
Comment 17 Swamp Workflow Management 2017-11-23 11:57:31 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2017-12-07.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63897
Comment 18 Swamp Workflow Management 2017-12-05 20:08:50 UTC
SUSE-SU-2017:3212-1: An update that solves four vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1061075,1061081,1061086,1063123,1068187,1068191
CVE References: CVE-2017-15289,CVE-2017-15592,CVE-2017-15595,CVE-2017-15597
Sources used:
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    xen-4.2.5_21-45.16.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    xen-4.2.5_21-45.16.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    xen-4.2.5_21-45.16.1
Comment 19 Swamp Workflow Management 2017-12-07 20:13:30 UTC
SUSE-SU-2017:3236-1: An update that solves 5 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1055047,1056336,1061075,1061081,1061086,1063123,1068187,1068191
CVE References: CVE-2017-13672,CVE-2017-15289,CVE-2017-15592,CVE-2017-15595,CVE-2017-15597
Sources used:
SUSE OpenStack Cloud 6 (src):    xen-4.5.5_20-22.36.3
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    xen-4.5.5_20-22.36.3
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    xen-4.5.5_20-22.36.3
Comment 20 Swamp Workflow Management 2017-12-08 11:10:11 UTC
SUSE-SU-2017:3239-1: An update that solves 5 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1055047,1056336,1061075,1061081,1061086,1063123,1068187,1068191
CVE References: CVE-2017-13672,CVE-2017-15289,CVE-2017-15592,CVE-2017-15595,CVE-2017-15597
Sources used:
SUSE Linux Enterprise Server 12-LTSS (src):    xen-4.4.4_26-22.59.3
Comment 21 Swamp Workflow Management 2017-12-08 11:13:42 UTC
SUSE-SU-2017:3242-1: An update that solves 5 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1055047,1056336,1061075,1061081,1061086,1063123,1068187,1068191
CVE References: CVE-2017-13672,CVE-2017-15289,CVE-2017-15592,CVE-2017-15595,CVE-2017-15597
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    xen-4.4.4_26-61.17.1
SUSE Linux Enterprise Server 11-SP4 (src):    xen-4.4.4_26-61.17.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    xen-4.4.4_26-61.17.1
Comment 22 Johannes Segitz 2017-12-12 13:37:31 UTC
Created attachment 752579
Updated patchset

UPDATES IN VERSION 6
====================

Yet another new patch, addressing another issue similar to the one
addressed in v5.

Please include the updated fixes in the next update
Comment 23 Marcus Meissner 2018-02-12 20:56:06 UTC
reassign for updated patches
Comment 24 Swamp Workflow Management 2018-02-14 14:08:30 UTC
SUSE-SU-2018:0438-1: An update that solves 10 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1027519,1035442,1051729,1061081,1067317,1068032,1070158,1070159,1070160,1070163,1074562,1076116,1076180
CVE References: CVE-2017-15595,CVE-2017-17563,CVE-2017-17564,CVE-2017-17565,CVE-2017-17566,CVE-2017-18030,CVE-2017-5715,CVE-2017-5753,CVE-2017-5754,CVE-2018-5683
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    xen-4.9.1_08-3.26.1
SUSE Linux Enterprise Server 12-SP3 (src):    xen-4.9.1_08-3.26.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    xen-4.9.1_08-3.26.1
SUSE CaaS Platform ALL (src):    xen-4.9.1_08-3.26.1
Comment 25 Swamp Workflow Management 2018-02-16 11:13:32 UTC
openSUSE-SU-2018:0459-1: An update that solves 10 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1027519,1035442,1051729,1061081,1067317,1068032,1070158,1070159,1070160,1070163,1074562,1076116,1076180
CVE References: CVE-2017-15595,CVE-2017-17563,CVE-2017-17564,CVE-2017-17565,CVE-2017-17566,CVE-2017-18030,CVE-2017-5715,CVE-2017-5753,CVE-2017-5754,CVE-2018-5683
Sources used:
openSUSE Leap 42.3 (src):    xen-4.9.1_08-16.1
Comment 26 Swamp Workflow Management 2018-02-19 14:12:18 UTC
SUSE-SU-2018:0472-1: An update that solves 10 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1027519,1035442,1051729,1061081,1068032,1070158,1070159,1070160,1070163,1074562,1076116,1076180
CVE References: CVE-2017-15595,CVE-2017-17563,CVE-2017-17564,CVE-2017-17565,CVE-2017-17566,CVE-2017-18030,CVE-2017-5715,CVE-2017-5753,CVE-2017-5754,CVE-2018-5683
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    xen-4.7.4_06-43.24.1
SUSE Linux Enterprise Server 12-SP2 (src):    xen-4.7.4_06-43.24.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    xen-4.7.4_06-43.24.1
Comment 27 Swamp Workflow Management 2018-03-05 14:09:06 UTC
SUSE-SU-2018:0601-1: An update that solves 10 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1027519,1035442,1061081,1068032,1070158,1070159,1070160,1070163,1074562,1076116,1076180,1080635,1080662
CVE References: CVE-2017-15595,CVE-2017-17563,CVE-2017-17564,CVE-2017-17565,CVE-2017-17566,CVE-2017-18030,CVE-2017-5715,CVE-2017-5753,CVE-2017-5754,CVE-2018-5683
Sources used:
SUSE Linux Enterprise Server 12-LTSS (src):    xen-4.4.4_28-22.62.1
Comment 28 Swamp Workflow Management 2018-03-05 20:09:21 UTC
SUSE-SU-2018:0609-1: An update that solves 10 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1035442,1061081,1068032,1070158,1070159,1070160,1070163,1074562,1076116,1076180,1080635,1080662
CVE References: CVE-2017-15595,CVE-2017-17563,CVE-2017-17564,CVE-2017-17565,CVE-2017-17566,CVE-2017-18030,CVE-2017-5715,CVE-2017-5753,CVE-2017-5754,CVE-2018-5683
Sources used:
SUSE OpenStack Cloud 6 (src):    xen-4.5.5_24-22.43.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    xen-4.5.5_24-22.43.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    xen-4.5.5_24-22.43.1
Comment 29 Swamp Workflow Management 2018-03-08 20:11:04 UTC
SUSE-SU-2018:0638-1: An update that solves 10 vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1027519,1031382,1035442,1061081,1068032,1070158,1070159,1070160,1070163,1074562,1076116,1076180,1080635,1080662
CVE References: CVE-2017-15595,CVE-2017-17563,CVE-2017-17564,CVE-2017-17565,CVE-2017-17566,CVE-2017-18030,CVE-2017-5715,CVE-2017-5753,CVE-2017-5754,CVE-2018-5683
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    xen-4.4.4_28-61.23.2
SUSE Linux Enterprise Server 11-SP4 (src):    xen-4.4.4_28-61.23.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    xen-4.4.4_28-61.23.2
Comment 30 Swamp Workflow Management 2018-03-14 23:09:23 UTC
SUSE-SU-2018:0678-1: An update that fixes 14 vulnerabilities is now available.

Category: security (important)
Bug References: 1024307,1030144,1061081,1068032,1070158,1070159,1070160,1070163,1074562,1076116,1076180,1080635,1080662
CVE References: CVE-2017-11334,CVE-2017-15595,CVE-2017-17563,CVE-2017-17564,CVE-2017-17565,CVE-2017-17566,CVE-2017-18030,CVE-2017-5715,CVE-2017-5753,CVE-2017-5754,CVE-2017-5898,CVE-2018-5683,CVE-2018-7540,CVE-2018-7541
Sources used:
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    xen-4.2.5_21-45.19.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    xen-4.2.5_21-45.19.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    xen-4.2.5_21-45.19.1
Comment 31 Charles Arnold 2018-03-27 22:02:50 UTC
This fix has been released on the following repos,

SUSE:SLE-10-SP3:Update:Test
SUSE:SLE-11-SP1:Update:Teradata
SUSE:SLE-11-SP3:Update
SUSE:SLE-11-SP3:Update:Teradata
SUSE:SLE-11-SP4:Update
SUSE:SLE-12:Update
SUSE:SLE-12-SP1:Update
SUSE:SLE-12-SP2:Update
SUSE:SLE-12-SP3:Update

The bug may be closed.
Comment 32 Marcus Meissner 2018-08-27 10:51:03 UTC
released