Bug 1169392 - (CVE-2020-11742) VUL-0: CVE-2020-11742: xen: Bad continuation handling in GNTTABOP_copy (XSA-318)
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Normal
Assigned To: Security Team bot
CVSSv3.1:SUSE:CVE-2020-11742:4.3:(AV...
Reported: 2020-04-14 08:59 UTC by Alexandros Toptsoglou
Modified: 2022-04-14 15:35 UTC

Comment 3 Alexandros Toptsoglou 2020-04-14 12:28:34 UTC
now public through oss 

            Xen Security Advisory CVE-2020-11742 / XSA-318
                               version 3

              Bad continuation handling in GNTTABOP_copy

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

Grant table operations are expected to return 0 for success, and a
negative number for errors.  The fix for CVE-2017-12135 / XSA-226
introduced a path through grant copy handling where success may be
returned to the caller without any action taken.

In particular the status fields of individual operations are left
uninitialised, and may result in errant behaviour in the caller of
GNTTABOP_copy.

IMPACT
======

A buggy or malicious guest can construct its grant table in such a way
that, when a backend domain tries to copy a grant, it hits the incorrect
exit path.

This returns success to the caller without doing anything, which may
result in crashes or other incorrect behaviour.

VULNERABLE SYSTEMS
==================

Systems running any version of Xen are vulnerable.

MITIGATION
==========

Only guests with access to transitive grants can exploit the
vulnerability.  In particular, this means that:

 * ARM systems which have taken the XSA-268 fix are not vulnerable, as
   Grant Table v2 was disabled for other security reasons.

 * All systems with the XSA-226 fixes, and booted with
   `gnttab=max-ver:1` or `gnttab=no-transitive` are not vulnerable.

CREDITS
=======

This issue was discovered by Pawel Wieczorkiewicz of Amazon and Jürgen
Groß of SUSE.

RESOLUTION
==========

Applying the attached patch resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa318.patch       Xen 4.9 - xen-unstable

$ sha256sum xsa318*
4618c2609ab08178977c2b2a3d13f380ccfddd0168caca5ced708dd76a8e547c  xsa318.patch
$

NOTE CONCERNING SHORT EMBARGO
=============================

This issue was discovered in response to the XSA-316 predisclosure.

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches described above (or others which are
substantially similar) is permitted during the embargo, even on
public-facing systems with untrusted guest users and administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

However, deployment of the mitigations is NOT permitted (except where
all the affected systems and VMs are administered and used only by
organisations which are members of the Xen Project Security Issues
Predisclosure List).  Specifically, deployment on public cloud systems
is NOT permitted.

This is because it is a guest visible change which will draw attention
to the issue.
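
The failure mode described in the advisory above (a batch call returns 0 while per-operation status fields are never written), modelled as an added example that is not Xen or SUSE code. `toy_batch_copy`, `run_caller` and the `STATUS_UNSET` sentinel are hypothetical names, and the stale status values are constructed; the example shows why a caller that pre-poisons each status field can tell "done" from "never touched".

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define STATUS_OKAY   0          /* per-op success (Xen's GNTST_okay is also 0) */
#define STATUS_UNSET  INT16_MIN  /* hypothetical sentinel: never a real result */
#define NR_OPS        4

struct copy_op { int16_t status; };  /* stand-in for one op's status field */

/* Toy callee, NOT Xen code. If stop_at is in range it models the flawed exit
 * path: return 0 ("success") while ops[stop_at..] are never written. */
static int toy_batch_copy(struct copy_op *ops, size_t n, size_t stop_at)
{
    for (size_t i = 0; i < n; i++) {
        if (i == stop_at)
            return 0;
        ops[i].status = STATUS_OKAY;
    }
    return 0;
}

/* Count ops whose status reads as success after a batch that returned 0. */
static long count_okay(const struct copy_op *ops, size_t n)
{
    long done = 0;
    for (size_t i = 0; i < n; i++)
        done += (ops[i].status == STATUS_OKAY);
    return done;
}

/* Caller reusing a buffer whose status fields still hold 0 from an earlier
 * batch (constructed input). poison=1 resets them to the sentinel first. */
static long run_caller(int poison, size_t stop_at)
{
    struct copy_op ops[NR_OPS] = { {0}, {0}, {0}, {0} };  /* stale values */
    if (poison)
        for (size_t i = 0; i < NR_OPS; i++)
            ops[i].status = STATUS_UNSET;
    if (toy_batch_copy(ops, NR_OPS, stop_at) < 0)
        return -1;
    return count_okay(ops, NR_OPS);
}

int main(void)
{
    printf("naive:    %ld of %d ops look done\n", run_caller(0, 2), NR_OPS);
    printf("poisoned: %ld of %d ops look done\n", run_caller(1, 2), NR_OPS);
    return 0;
}
```

With the early exit at index 2, the caller that trusts stale fields sees all four operations as complete, while the poisoned buffer shows only the two that were actually processed.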
Comment 5 Swamp Workflow Management 2020-04-28 10:21:21 UTC
SUSE-SU-2020:1124-1: An update that solves 5 vulnerabilities and has 7 fixes is now available.

Category: security (important)
Bug References: 1027519,1134506,1155200,1157490,1160932,1165206,1167007,1167152,1168140,1168142,1168143,1169392
CVE References: CVE-2020-11739,CVE-2020-11740,CVE-2020-11741,CVE-2020-11742,CVE-2020-11743
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP1 (src):    xen-4.12.2_04-3.15.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    xen-4.12.2_04-3.15.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    xen-4.12.2_04-3.15.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Swamp Workflow Management 2020-04-29 16:29:03 UTC
SUSE-SU-2020:1138-1: An update that solves 6 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1027519,1155200,1160932,1161181,1167152,1168140,1168142,1168143,1169392
CVE References: CVE-2020-11739,CVE-2020-11740,CVE-2020-11741,CVE-2020-11742,CVE-2020-11743,CVE-2020-7211
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    xen-4.11.3_04-2.23.1
SUSE Linux Enterprise Server 12-SP4 (src):    xen-4.11.3_04-2.23.1

Comment 7 Swamp Workflow Management 2020-04-29 17:05:58 UTC
SUSE-SU-2020:1139-1: An update that solves 6 vulnerabilities and has 8 fixes is now available.

Category: security (important)
Bug References: 1027519,1134506,1155200,1157490,1160932,1161181,1162040,1165206,1167007,1167152,1168140,1168142,1168143,1169392
CVE References: CVE-2020-11739,CVE-2020-11740,CVE-2020-11741,CVE-2020-11742,CVE-2020-11743,CVE-2020-7211
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    xen-4.12.2_04-3.11.1
SUSE Linux Enterprise Server 12-SP5 (src):    xen-4.12.2_04-3.11.1

Comment 8 Swamp Workflow Management 2020-05-01 22:41:25 UTC
openSUSE-SU-2020:0599-1: An update that solves 5 vulnerabilities and has 7 fixes is now available.

Category: security (important)
Bug References: 1027519,1134506,1155200,1157490,1160932,1165206,1167007,1167152,1168140,1168142,1168143,1169392
CVE References: CVE-2020-11739,CVE-2020-11740,CVE-2020-11741,CVE-2020-11742,CVE-2020-11743
Sources used:
openSUSE Leap 15.1 (src):    xen-4.12.2_04-lp151.2.15.1
Comment 10 Swamp Workflow Management 2020-06-16 19:13:32 UTC
SUSE-SU-2020:1630-1: An update that fixes 12 vulnerabilities is now available.

Category: security (important)
Bug References: 1157888,1158003,1158004,1158005,1158006,1158007,1161181,1167152,1168140,1168142,1169392,1172205
CVE References: CVE-2019-19577,CVE-2019-19578,CVE-2019-19579,CVE-2019-19580,CVE-2019-19581,CVE-2019-19583,CVE-2020-0543,CVE-2020-11739,CVE-2020-11740,CVE-2020-11741,CVE-2020-11742,CVE-2020-7211
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    xen-4.9.4_06-3.62.1
SUSE OpenStack Cloud 8 (src):    xen-4.9.4_06-3.62.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    xen-4.9.4_06-3.62.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    xen-4.9.4_06-3.62.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    xen-4.9.4_06-3.62.1
SUSE Enterprise Storage 5 (src):    xen-4.9.4_06-3.62.1
HPE Helion Openstack 8 (src):    xen-4.9.4_06-3.62.1

Comment 11 Swamp Workflow Management 2020-06-17 13:13:24 UTC
SUSE-SU-2020:1634-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 1167152,1168140,1168142,1168143,1169392,1172205
CVE References: CVE-2020-0543,CVE-2020-11739,CVE-2020-11740,CVE-2020-11741,CVE-2020-11742,CVE-2020-11743
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    xen-4.10.4_10-3.31.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    xen-4.10.4_10-3.31.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    xen-4.10.4_10-3.31.1

Comment 14 Swamp Workflow Management 2020-08-04 19:40:56 UTC
SUSE-SU-2020:14444-1: An update that fixes 16 vulnerabilities is now available.

Category: security (important)
Bug References: 1152497,1154448,1154456,1154458,1154461,1155945,1157888,1158004,1158005,1158006,1158007,1161181,1163019,1168140,1169392,1174543
CVE References: CVE-2018-12207,CVE-2019-11135,CVE-2019-18420,CVE-2019-18421,CVE-2019-18424,CVE-2019-18425,CVE-2019-19577,CVE-2019-19578,CVE-2019-19579,CVE-2019-19580,CVE-2019-19583,CVE-2020-11740,CVE-2020-11741,CVE-2020-11742,CVE-2020-7211,CVE-2020-8608
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    xen-4.4.4_42-61.52.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    xen-4.4.4_42-61.52.1

Comment 15 Swamp Workflow Management 2020-08-11 16:18:50 UTC
SUSE-SU-2020:14448-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1154456,1154458,1161181,1163019,1168140,1169392,1174543
CVE References: CVE-2019-18421,CVE-2019-18425,CVE-2020-11740,CVE-2020-11741,CVE-2020-11742,CVE-2020-7211,CVE-2020-8608
Sources used:
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    xen-4.2.5_22-45.36.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    xen-4.2.5_22-45.36.1

Comment 16 Swamp Workflow Management 2020-08-13 13:18:48 UTC
SUSE-SU-2020:2234-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1163019,1168140,1168142,1169392,1174543
CVE References: CVE-2020-11739,CVE-2020-11740,CVE-2020-11741,CVE-2020-11742,CVE-2020-8608
Sources used:
SUSE OpenStack Cloud 7 (src):    xen-4.7.6_08-43.64.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    xen-4.7.6_08-43.64.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    xen-4.7.6_08-43.64.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    xen-4.7.6_08-43.64.1

Comment 19 Charles Arnold 2021-01-22 20:14:18 UTC
Backported and released to 11-SP1.
Comment 20 Gabriele Sonnu 2022-04-14 15:35:49 UTC
Done.