Bug 1068187 - (CVE-2017-17044) VUL-0: CVE-2017-17044: xen: x86: infinite loop due to missing PoD error checking (XSA-246)
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Normal
Assigned To: Security Team bot
CVSSv3:SUSE:CVE-2017-17044:5.9:(AV:L/...
Depends on:
Blocks:
Reported: 2017-11-15 09:58 UTC by Johannes Segitz
Modified: 2021-01-21 18:19 UTC (History)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Johannes Segitz 2017-11-15 09:58:33 UTC
Created attachment 748688
Upstream patches

Xen Security Advisory XSA-246

         x86: infinite loop due to missing PoD error checking

              *** EMBARGOED UNTIL 2017-11-28 12:00 UTC ***

ISSUE DESCRIPTION
=================

Failure to recognize errors being returned from low level functions in
Populate on Demand (PoD) code may result in higher level code entering
an infinite loop.

IMPACT
======

A malicious HVM guest can cause one pcpu to permanently hang.  This
normally cascades into the whole system freezing, resulting in a
host Denial of Service (DoS).

VULNERABLE SYSTEMS
==================

Xen versions from 3.4.x onwards are affected.

Only x86 systems are vulnerable.  ARM is not vulnerable.

x86 PV VMs cannot leverage the vulnerability.

Only systems with 2MiB or 1GiB HAP pages enabled are vulnerable.

The vulnerability is largely restricted to HVM guests which have been
constructed in Populate-on-Demand mode (i.e. with memory < maxmem):

x86 HVM domains without PoD (i.e. started with memory == maxmem, or
without mentioning "maxmem" in the guest config file) also cannot
leverage the vulnerability, in recent enough Xen versions:
  4.8.x and later: all versions safe if PoD not configured
  4.7.x: 4.7.1 and later safe if PoD not configured
  4.6.x: 4.6.4 and later safe if PoD not configured
  4.5.x: 4.5.4 and later safe if PoD not configured
  4.4.x and earlier: all versions vulnerable even if PoD not configured

The commit required to prevent this vulnerability when PoD
not configured is 2a99aa99fc84a45f505f84802af56b006d14c52e
  xen/physmap: Do not permit a guest to populate PoD pages for itself
and the corresponding backports.

MITIGATION
==========

Running only PV guests will avoid this issue.

Running HVM guests only in non-PoD mode (maxmem == memory) will also
avoid this issue.  NOTE: In older releases of Xen, an HVM guest can
create PoD entries itself; so this mitigation will not be effective.

Specifying "hap_1gb=0 hap_2mb=0" on the hypervisor command line will
avoid the vulnerability.

Alternatively, running all x86 HVM guests in shadow mode will also
avoid this vulnerability.  (For example, by specifying "hap=0" in the
xl domain configuration file.)

CREDITS
=======

This issue was discovered by Julien Grall of Linaro.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa246.patch           xen-unstable
xsa246-4.9.patch       Xen 4.9.x, Xen 4.8.x
xsa246-4.7.patch       Xen 4.7.x, Xen 4.6.x, Xen 4.5.x

$ sha256sum xsa246*
df08a3be419f2384b495dc52c3e6ebef1eb67d8b562afe85fb6fe6a723334472  xsa246.patch
b41550688e88a2a7a22349a07168f3a3ddf6fad8b3389fa27de44ae6731b6a8b  xsa246-4.7.patch
ea591542774c22db65dcb340120cebf58e759670b5a9fbde42ee93ed594650c8  xsa246-4.9.patch
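To triage a host against the conditions listed in the advisory above, here is a small Python checker (an added example, not part of this bug report or of Xen's own tooling). It assumes an x86 host, takes the Xen version as a string, the hypervisor command line (e.g. the xen_commandline field of `xl info`) and the text of an xl domain config, and applies the advisory's mitigation rules and its per-version table for non-PoD guests; the config parser handles only the simple `key = value` subset used here.

```python
import re

# Earliest release in each series that is safe when PoD is NOT configured (advisory table);
# 4.8.x and later are always safe without PoD, 4.4.x and earlier never are.
SAFE_WITHOUT_POD = {(4, 5): (4, 5, 4), (4, 6): (4, 6, 4), (4, 7): (4, 7, 1)}


def parse_version(s):
    """'4.7.4' -> (4, 7, 4); a missing patch level counts as 0."""
    return tuple(int(x) for x in re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", s).groups(default="0"))


def parse_xl_config(text):
    """Minimal parser for 'key = value' lines of an xl domain config (constructed subset)."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"""(\w+)\s*=\s*["']?([^"'#]*?)["']?\s*(#.*)?$""", line.strip())
        if m:
            cfg[m.group(1)] = m.group(2).strip()
    return cfg


def guest_can_trigger(xen_version, xen_cmdline, xl_config):
    """Apply the XSA-246 conditions to one guest on one x86 host; returns (vulnerable, reason)."""
    cfg = parse_xl_config(xl_config)
    # Older configs use builder="hvm", newer ones type="hvm"; anything else is treated as PV.
    if cfg.get("type", cfg.get("builder", "pv")) != "hvm":
        return False, "not an HVM guest; the advisory says PV guests cannot leverage the issue"
    if cfg.get("hap", "1") == "0":
        return False, "guest runs in shadow mode (hap=0)"
    opts = set(xen_cmdline.split())
    if {"hap_1gb=0", "hap_2mb=0"} <= opts:
        return False, "hypervisor boots with hap_1gb=0 hap_2mb=0 (no large HAP pages)"
    memory = int(cfg.get("memory", 0))
    maxmem = int(cfg.get("maxmem", memory))   # xl defaults maxmem to memory
    if maxmem > memory:
        return True, "HVM guest in Populate-on-Demand mode (memory < maxmem)"
    v = parse_version(xen_version)
    fixed = SAFE_WITHOUT_POD.get(v[:2])
    if v >= (4, 8) or (fixed and v >= fixed):
        return False, f"non-PoD HVM guest on Xen {xen_version}"
    return True, f"Xen {xen_version}: a non-PoD HVM guest can still populate PoD entries itself"
```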
Comment 1 Johannes Segitz 2017-11-15 09:58:53 UTC
CRD: 2017-11-28 12:00 UTC
Comment 2 Charles Arnold 2017-11-22 17:58:34 UTC
Security and maintenance updates containing this fix are submitted.
Comment 3 Johannes Segitz 2017-11-28 12:40:34 UTC
public
Comment 4 Swamp Workflow Management 2017-11-29 18:38:59 UTC
SUSE-SU-2017:3115-1: An update that solves two vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1027519,1055047,1061075,1063123,1068187,1068191
CVE References: CVE-2017-15289,CVE-2017-15597
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    xen-4.9.1_02-3.21.1
SUSE Linux Enterprise Server 12-SP3 (src):    xen-4.9.1_02-3.21.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    xen-4.9.1_02-3.21.1
SUSE Container as a Service Platform ALL (src):    xen-4.9.1_02-3.21.1
Comment 5 Swamp Workflow Management 2017-12-01 17:12:34 UTC
SUSE-SU-2017:3178-1: An update that solves two vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1027519,1055047,1061075,1063123,1068187,1068191
CVE References: CVE-2017-15289,CVE-2017-15597
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    xen-4.7.4_02-43.21.1
SUSE Linux Enterprise Server 12-SP2 (src):    xen-4.7.4_02-43.21.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    xen-4.7.4_02-43.21.1
Comment 6 Swamp Workflow Management 2017-12-02 17:11:26 UTC
openSUSE-SU-2017:3193-1: An update that solves two vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1027519,1055047,1061075,1063123,1068187,1068191
CVE References: CVE-2017-15289,CVE-2017-15597
Sources used:
openSUSE Leap 42.3 (src):    xen-4.9.1_02-13.2
Comment 7 Swamp Workflow Management 2017-12-02 17:12:15 UTC
openSUSE-SU-2017:3194-1: An update that solves two vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1027519,1055047,1061075,1063123,1068187,1068191
CVE References: CVE-2017-15289,CVE-2017-15597
Sources used:
openSUSE Leap 42.2 (src):    xen-4.7.4_02-11.21.1
Comment 8 Swamp Workflow Management 2017-12-05 20:09:15 UTC
SUSE-SU-2017:3212-1: An update that solves four vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1061075,1061081,1061086,1063123,1068187,1068191
CVE References: CVE-2017-15289,CVE-2017-15592,CVE-2017-15595,CVE-2017-15597
Sources used:
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    xen-4.2.5_21-45.16.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    xen-4.2.5_21-45.16.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    xen-4.2.5_21-45.16.1
Comment 9 Swamp Workflow Management 2017-12-07 20:13:55 UTC
SUSE-SU-2017:3236-1: An update that solves 5 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1055047,1056336,1061075,1061081,1061086,1063123,1068187,1068191
CVE References: CVE-2017-13672,CVE-2017-15289,CVE-2017-15592,CVE-2017-15595,CVE-2017-15597
Sources used:
SUSE OpenStack Cloud 6 (src):    xen-4.5.5_20-22.36.3
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    xen-4.5.5_20-22.36.3
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    xen-4.5.5_20-22.36.3
Comment 10 Swamp Workflow Management 2017-12-08 11:11:09 UTC
SUSE-SU-2017:3239-1: An update that solves 5 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1055047,1056336,1061075,1061081,1061086,1063123,1068187,1068191
CVE References: CVE-2017-13672,CVE-2017-15289,CVE-2017-15592,CVE-2017-15595,CVE-2017-15597
Sources used:
SUSE Linux Enterprise Server 12-LTSS (src):    xen-4.4.4_26-22.59.3
Comment 11 Swamp Workflow Management 2017-12-08 11:14:05 UTC
SUSE-SU-2017:3242-1: An update that solves 5 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1055047,1056336,1061075,1061081,1061086,1063123,1068187,1068191
CVE References: CVE-2017-13672,CVE-2017-15289,CVE-2017-15592,CVE-2017-15595,CVE-2017-15597
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    xen-4.4.4_26-61.17.1
SUSE Linux Enterprise Server 11-SP4 (src):    xen-4.4.4_26-61.17.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    xen-4.4.4_26-61.17.1
Comment 12 Marcus Meissner 2018-02-12 21:01:01 UTC
released