Bug 1056280 - (CVE-2017-14318) VUL-0: CVE-2017-14318: xen: Missing check for grant table (XSA-232)
(CVE-2017-14318)
VUL-0: CVE-2017-14318: xen: Missing check for grant table (XSA-232)
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/191224/
CVSSv2:SUSE:CVE-2017-14318:6.0:(AV:L/...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2017-08-30 05:32 UTC by Marcus Meissner
Modified: 2020-06-09 07:34 UTC (History)
4 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
xsa232.patch (669 bytes, patch)
2017-08-30 05:36 UTC, Marcus Meissner
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2017-08-30 05:32:20 UTC
via prenotification

CRD: 2017-09-12 12:00 


                    Xen Security Advisory XSA-232

                     Missing check for grant table

              *** EMBARGOED UNTIL 2017-09-12 12:00 UTC ***

ISSUE DESCRIPTION
=================

The function `__gnttab_cache_flush` handles GNTTABOP_cache_flush grant
table operations. It checks to see if the calling domain is the owner
of the page that is to be operated on. If it is not, the owner's grant
table is checked to see if a grant mapping to the calling domain
exists for the page in question.

However, the function does not check to see if the owning domain
actually has a grant table or not. Some special domains, such as
`DOMID_XEN`, `DOMID_IO` and `DOMID_COW` are created without grant
tables. Hence, if __gnttab_cache_flush operates on a page owned by
these special domains, it will attempt to dereference a null pointer
in the domain struct.


IMPACT
======

The guest can get Xen to dereference a NULL pointer.

For ARM guests, and x86 HVM guests, and x86 PV guests on systems with
SMAP enabled, this will cause a host crash (denial-of-service).

For x86 PV guests on systems without SMAP enabled, an attacker can map
a crafted grant structure at virtual address 0.  This can be leveraged
to increment an arbitrary virtual address, which can then probably be
leveraged into a full privilege escalation.


VULNERABLE SYSTEMS
==================

All versions of Xen since Xen 4.5 are vulnerable.

ARM systems; x86 systems running only unprivileged HVM guests; and
x86 systems with SMAP enabled: these are only vulnerable to a
Denial-of-Service (host crash).

x86 systems without SMAP running unprivileged PV guests are
vulnerable to a privilege escalation.

MITIGATION
==========

Hardware supporting Supervisor Mode Access Prevention (Intel Broadwell,
AMD Zen) can mitigate the privilege escalation to a DoS.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa232.patch           xen-unstable, 4.9, 4.8, 4.7, 4.6, 4.5

$ sha256sum xsa232*
27dd23dd2b64ed4f1e846dc4281fdd32395e291f3ea917e12b5ccf6e0728a9b6  xsa232.patch
$
Comment 1 Marcus Meissner 2017-08-30 05:36:48 UTC
Created attachment 738769 [details]
xsa232.patch

xsa232.patch
Comment 2 Johannes Segitz 2017-09-11 14:04:42 UTC
UPDATES IN VERSION 2
====================

Amend the IMPACT and VULNERABLE SYSTEMS section in light of the
discovery that x86 HVM guests do not expose the vulnerability.

IMPACT
======

The guest can get Xen to dereference a NULL pointer.

For ARM guests and x86 PV guests on systems with SMAP enabled, this will
cause a host crash (denial-of-service).

For x86 PV guests on systems without SMAP enabled, an attacker can map
a crafted grant structure at virtual address 0.  This can be leveraged
to increment an arbitrary virtual address, which can then probably be
leveraged into a full privilege escalation.


VULNERABLE SYSTEMS
==================

All versions of Xen since Xen 4.5 are vulnerable.

x86 HVM guests do not expose the vulnerability.

ARM guests and x86 PV guests on systems with SMAP enabled are only
vulnerable to a Denial-of-Service (host crash).

x86 PV guests on systems without SMAP running are vulnerable to a
privilege escalation.
Comment 3 Johannes Segitz 2017-09-12 11:23:23 UTC
This is CVE-2017-14318
Comment 4 Johannes Segitz 2017-09-12 13:12:27 UTC
public
Comment 5 Swamp Workflow Management 2017-09-12 19:08:52 UTC
SUSE-SU-2017:2420-1: An update that solves four vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1027519,1055695,1056278,1056280,1056281,1056282,1057358
CVE References: CVE-2017-14316,CVE-2017-14317,CVE-2017-14318,CVE-2017-14319
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    xen-4.9.0_12-3.15.1
SUSE Linux Enterprise Server 12-SP3 (src):    xen-4.9.0_12-3.15.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    xen-4.9.0_12-3.15.1
Comment 6 Swamp Workflow Management 2017-09-14 19:08:50 UTC
SUSE-SU-2017:2466-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1056278,1056280,1056281,1056282
CVE References: CVE-2017-14316,CVE-2017-14317,CVE-2017-14318,CVE-2017-14319
Sources used:
SUSE OpenStack Cloud 6 (src):    xen-4.5.5_16-22.28.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    xen-4.5.5_16-22.28.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    xen-4.5.5_16-22.28.1
Comment 7 Swamp Workflow Management 2017-09-17 22:10:49 UTC
openSUSE-SU-2017:2514-1: An update that solves four vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1027519,1055695,1056278,1056280,1056281,1056282,1057358
CVE References: CVE-2017-14316,CVE-2017-14317,CVE-2017-14318,CVE-2017-14319
Sources used:
openSUSE Leap 42.3 (src):    xen-4.9.0_12-7.1
Comment 8 Swamp Workflow Management 2017-09-18 13:09:54 UTC
SUSE-SU-2017:2519-1: An update that solves four vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1027519,1055695,1056278,1056280,1056281,1056282
CVE References: CVE-2017-14316,CVE-2017-14317,CVE-2017-14318,CVE-2017-14319
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    xen-4.7.3_04-43.12.1
SUSE Linux Enterprise Server 12-SP2 (src):    xen-4.7.3_04-43.12.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    xen-4.7.3_04-43.12.1
SUSE Container as a Service Platform ALL (src):    xen-4.7.3_04-43.12.1
Comment 9 Andreas Stieger 2017-09-21 06:50:20 UTC
done
Comment 10 Swamp Workflow Management 2017-09-21 10:09:20 UTC
openSUSE-SU-2017:2540-1: An update that solves four vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1027519,1055695,1056278,1056280,1056281,1056282
CVE References: CVE-2017-14316,CVE-2017-14317,CVE-2017-14318,CVE-2017-14319
Sources used:
openSUSE Leap 42.2 (src):    xen-4.7.3_04-11.15.1