Bug 1061076 - (CVE-2017-15590) VUL-0: CVE-2017-15590: xen: multiple MSI mapping issues on x86 (XSA-237)
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium; Severity: Major
Assigned To: Security Team bot
https://smash.suse.de/issue/192677/
CVSSv3:RedHat:CVE-2017-15590:6.8:(AV:...
Reported: 2017-09-29 13:31 UTC by Marcus Meissner
Modified: 2021-01-22 09:00 UTC (History)
Description Marcus Meissner 2017-09-29 13:31:31 UTC
Xen Security Advisory XSA-237

                  multiple MSI mapping issues on x86

              *** EMBARGOED UNTIL 2017-10-12 12:00 UTC ***

ISSUE DESCRIPTION
=================

Multiple issues exist with the setup of PCI MSI interrupts:
- unprivileged guests were permitted access to devices not owned by
  them, in particular allowing them to disable MSI or MSI-X on any
  device
- HVM guests can trigger a codepath intended only for PV guests
- some failure paths partially tear down previously configured
  interrupts, leaving inconsistent state
- with XSM enabled, caller and callee of a hook disagreed about the
  data structure pointed to by a type-less argument

IMPACT
======

A malicious or buggy guest may cause the hypervisor to crash, resulting
in Denial of Service (DoS) affecting the entire host.  Privilege
escalation and information leaks cannot be excluded.

VULNERABLE SYSTEMS
==================

All Xen versions from 3.3 onwards are vulnerable.  Xen versions 3.2
and earlier are not vulnerable.

Only x86 systems are affected.  ARM systems are not affected.

Only guests which have a physical device assigned to them can exploit
the vulnerability.

MITIGATION
==========

Not passing through physical devices to untrusted guests will avoid
the vulnerability.

The vulnerability can be avoided if the guest kernel is controlled by
the host rather than guest administrator, provided that further steps
are taken to prevent the guest administrator from loading code into the
kernel (e.g. by disabling loadable modules etc) or from using other
mechanisms which allow them to run code at kernel privilege.

RESOLUTION
==========

Applying the appropriate attached set of patches resolves this issue.

xsa237-unstable/*.patch     xen-unstable
xsa237-4.9/*.patch          Xen 4.9.x
xsa237-4.8/*.patch          Xen 4.8.x, Xen 4.7.x
xsa237-4.6/*.patch          Xen 4.6.x
xsa237-4.5/*.patch          Xen 4.5.x

Comment 2 Marcus Meissner 2017-09-29 13:39:36 UTC
CRD: 2017-10-12 12:00 UTC
Comment 3 Charles Arnold 2017-10-11 14:53:39 UTC
Submitted for,
Devel:Virt:SLE-11-SP1
Devel:Virt:SLE-11-SP3
Devel:Virt:SLE-11-SP4
Devel:Virt:SLE-12
Devel:Virt:SLE-12-SP1
Devel:Virt:SLE-12-SP2
Devel:Virt:SLE-12-SP3
Comment 4 Charles Arnold 2017-10-11 15:03:54 UTC
Actually submitted for,
SUSE:SLE-11-SP1:Update:Teradata
SUSE:SLE-11-SP3:Update
SUSE:SLE-11-SP4:Update
SUSE:SLE-12:Update
SUSE:SLE-12-SP1:Update
SUSE:SLE-12-SP2:Update
SUSE:SLE-12-SP3:Update
Comment 5 Johannes Segitz 2017-10-12 12:51:10 UTC
public
Comment 6 Swamp Workflow Management 2017-10-17 16:16:41 UTC
SUSE-SU-2017:2751-1: An update that solves one vulnerability and has 10 fixes is now available.

Category: security (important)
Bug References: 1027519,1055321,1059777,1061076,1061077,1061080,1061081,1061082,1061084,1061086,1061087
CVE References: CVE-2017-5526
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    xen-4.9.0_14-3.18.1
SUSE Linux Enterprise Server 12-SP3 (src):    xen-4.9.0_14-3.18.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    xen-4.9.0_14-3.18.1
Comment 7 Swamp Workflow Management 2017-10-20 19:08:24 UTC
SUSE-SU-2017:2812-1: An update that fixes 8 vulnerabilities is now available.

Category: security (important)
Bug References: 1059777,1061076,1061080,1061081,1061082,1061084,1061086,1061087
CVE References: CVE-2017-15588,CVE-2017-15589,CVE-2017-15590,CVE-2017-15592,CVE-2017-15593,CVE-2017-15594,CVE-2017-15595,CVE-2017-5526
Sources used:
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    xen-4.2.5_21-45.11.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    xen-4.2.5_21-45.11.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    xen-4.2.5_21-45.11.1
Comment 8 Swamp Workflow Management 2017-10-20 19:10:40 UTC
SUSE-SU-2017:2815-1: An update that solves 8 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1027519,1059777,1061076,1061080,1061081,1061082,1061084,1061086,1061087
CVE References: CVE-2017-15588,CVE-2017-15589,CVE-2017-15590,CVE-2017-15592,CVE-2017-15593,CVE-2017-15594,CVE-2017-15595,CVE-2017-5526
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    xen-4.4.4_24-61.12.1
SUSE Linux Enterprise Server 11-SP4 (src):    xen-4.4.4_24-61.12.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    xen-4.4.4_24-61.12.1
Comment 9 Swamp Workflow Management 2017-10-20 22:11:55 UTC
openSUSE-SU-2017:2821-1: An update that solves 8 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1027519,1055321,1059777,1061076,1061077,1061080,1061081,1061082,1061084,1061086,1061087
CVE References: CVE-2017-15588,CVE-2017-15589,CVE-2017-15590,CVE-2017-15592,CVE-2017-15593,CVE-2017-15594,CVE-2017-15595,CVE-2017-5526
Sources used:
openSUSE Leap 42.3 (src):    xen-4.9.0_14-10.1
Comment 10 Swamp Workflow Management 2017-10-26 16:09:41 UTC
SUSE-SU-2017:2856-1: An update that solves 8 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1027519,1059777,1061076,1061080,1061081,1061082,1061084,1061086,1061087
CVE References: CVE-2017-15588,CVE-2017-15589,CVE-2017-15590,CVE-2017-15592,CVE-2017-15593,CVE-2017-15594,CVE-2017-15595,CVE-2017-5526
Sources used:
SUSE Linux Enterprise Server 12-LTSS (src):    xen-4.4.4_24-22.54.1
Comment 11 Swamp Workflow Management 2017-10-27 13:10:09 UTC
SUSE-SU-2017:2864-1: An update that solves 9 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1027519,1057358,1059777,1061076,1061077,1061080,1061081,1061082,1061084,1061086,1061087
CVE References: CVE-2017-15588,CVE-2017-15589,CVE-2017-15590,CVE-2017-15591,CVE-2017-15592,CVE-2017-15593,CVE-2017-15594,CVE-2017-15595,CVE-2017-5526
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    xen-4.7.3_06-43.15.1
SUSE Linux Enterprise Server 12-SP2 (src):    xen-4.7.3_06-43.15.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    xen-4.7.3_06-43.15.1
SUSE Container as a Service Platform ALL (src):    xen-4.7.3_06-43.15.1
Comment 12 Swamp Workflow Management 2017-10-27 19:10:39 UTC
SUSE-SU-2017:2873-1: An update that fixes 9 vulnerabilities is now available.

Category: security (important)
Bug References: 1059777,1061076,1061077,1061080,1061081,1061082,1061084,1061086,1061087
CVE References: CVE-2017-15588,CVE-2017-15589,CVE-2017-15590,CVE-2017-15591,CVE-2017-15592,CVE-2017-15593,CVE-2017-15594,CVE-2017-15595,CVE-2017-5526
Sources used:
SUSE OpenStack Cloud 6 (src):    xen-4.5.5_18-22.31.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    xen-4.5.5_18-22.31.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    xen-4.5.5_18-22.31.1
Comment 13 Swamp Workflow Management 2017-11-01 17:10:14 UTC
openSUSE-SU-2017:2916-1: An update that solves 9 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1027519,1057358,1059777,1061076,1061077,1061080,1061081,1061082,1061084,1061086,1061087
CVE References: CVE-2017-15588,CVE-2017-15589,CVE-2017-15590,CVE-2017-15591,CVE-2017-15592,CVE-2017-15593,CVE-2017-15594,CVE-2017-15595,CVE-2017-5526
Sources used:
openSUSE Leap 42.2 (src):    xen-4.7.3_06-11.18.1
Comment 14 Marcus Meissner 2018-02-12 20:55:06 UTC
released