Bug 1068191 - (CVE-2017-17045) VUL-0: CVE-2017-17045: xen: Missing p2m error checking in PoD code (XSA-247)
(CVE-2017-17045)
VUL-0: CVE-2017-17045: xen: Missing p2m error checking in PoD code (XSA-247)
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Major
: ---
Assigned To: Security Team bot
Security Team bot
CVSSv3:RedHat:CVE-2017-17045:8.5:(AV:...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2017-11-15 10:04 UTC by Johannes Segitz
Modified: 2021-01-21 18:19 UTC (History)
2 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Johannes Segitz 2017-11-15 10:04:00 UTC
Created attachment 748692 [details]
Upstream patches

Xen Security Advisory XSA-247

                 Missing p2m error checking in PoD code

              *** EMBARGOED UNTIL 2017-11-28 12:00 UTC ***

ISSUE DESCRIPTION
=================

Certain actions require modification of entries in a guest's P2M
(Physical-to-Machine) table.  When large pages are in use for this
table, such an operation may incur a memory allocation (to replace a
large mapping with individual smaller ones).  If this allocation
fails, the p2m_set_entry() function will return an error.

Unfortunately, several places in the populate-on-demand code don't
check the return value of p2m_set_entry() to see if it succeeded.

In some cases, the operation was meant to remove an entry from the p2m
table.  If this removal fails, a malicious guest may engineer that the
page be returned to the Xen free list, making it available to be
allocated to another domain, while it retains a writable mapping to
the page.

In other cases, the operation was meant to remove special
populate-on-demand entries; if this removal fails, the internal
accounting becomes inconsistent and may eventually hit a BUG().

The allocation involved comes from a separate pool of memory created
when the domain is created; under normal operating conditions it never
fails, but a malicious guest may be able to engineer situations where
this pool is exhausted.

IMPACT
======

An unprivileged guest can retain a writable mapping of freed memory.
Depending on how this page is used, it could result in either an
information leak, or full privilege escalation.

Alternatively, an unprivileged guest can cause Xen to hit a BUG(),
causing a clean crash - ie, host-wide denial-of-service (DoS).

VULNERABLE SYSTEMS
==================

All systems from Xen 3.4 are vulnerable.

Only x86 systems are vulnerable.  ARM is not vulnerable.

x86 PV VMs cannot leverage the vulnerability.

Only systems with 2MiB or 1GiB HAP pages enabled are vulnerable.

The vulnerability is largely restricted to HVM guests which have been
constructed in Populate-on-Demand mode (i.e. with memory < maxmem):

x86 HVM domains without PoD (i.e. started with memory == maxmem, or
without mentioning "maxmem" in the guest config file) also cannot
leverage the vulnerability, in recent enough Xen versions:
  4.8.x and later: all versions safe if PoD not configured
  4.7.x: 4.7.1 and later safe if PoD not configured
  4.6.x: 4.6.4 and later safe if PoD not configured
  4.5.x: 4.5.4 and later safe if PoD not configured
  4.4.x and earlier: all versions vulnerable even if PoD not configured

The commit required to prevent this vulnerability when PoD
not configured is 2a99aa99fc84a45f505f84802af56b006d14c52e
  xen/physmap: Do not permit a guest to populate PoD pages for itself
and the corresponding backports.

MITIGATION
==========

Running only PV guests will avoid this issue.

Running HVM guests only in non-PoD mode (maxmem == memory) will also
avoid this issue.  NOTE: In older releases of Xen, an HVM guest can
create PoD entries itself; so this mitigation will not be effective.

Specifying "hap_1gb=0 hap_2mb=0" on the hypervisor command line will
also avoid the vulnerability.

Alternatively, running all x86 HVM guests in shadow mode will also
avoid this vulnerability.  (For example, by specifying "hap=0" in the
xl domain configuration file.)

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa247/*.patch           xen-unstable
xsa247-4.9/*.patch       Xen 4.9.x
xsa247-4.8/*.patch       Xen 4.8.x
xsa247-4.7/*.patch       Xen 4.7.x
xsa247-4.6/*.patch       Xen 4.6.x
xsa247-4.5/*.patch       Xen 4.5.x
Comment 1 Johannes Segitz 2017-11-15 10:04:18 UTC
CRD: 2017-11-28 12:00 UTC
Comment 2 Charles Arnold 2017-11-22 17:58:19 UTC
Security and maintenance updates containing this fix are submitted.
Comment 3 Johannes Segitz 2017-11-28 12:42:00 UTC
public
Comment 4 Swamp Workflow Management 2017-11-29 18:39:06 UTC
SUSE-SU-2017:3115-1: An update that solves two vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1027519,1055047,1061075,1063123,1068187,1068191
CVE References: CVE-2017-15289,CVE-2017-15597
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    xen-4.9.1_02-3.21.1
SUSE Linux Enterprise Server 12-SP3 (src):    xen-4.9.1_02-3.21.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    xen-4.9.1_02-3.21.1
SUSE Container as a Service Platform ALL (src):    xen-4.9.1_02-3.21.1
Comment 5 Swamp Workflow Management 2017-12-01 17:12:42 UTC
SUSE-SU-2017:3178-1: An update that solves two vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1027519,1055047,1061075,1063123,1068187,1068191
CVE References: CVE-2017-15289,CVE-2017-15597
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    xen-4.7.4_02-43.21.1
SUSE Linux Enterprise Server 12-SP2 (src):    xen-4.7.4_02-43.21.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    xen-4.7.4_02-43.21.1
Comment 6 Swamp Workflow Management 2017-12-02 17:11:34 UTC
openSUSE-SU-2017:3193-1: An update that solves two vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1027519,1055047,1061075,1063123,1068187,1068191
CVE References: CVE-2017-15289,CVE-2017-15597
Sources used:
openSUSE Leap 42.3 (src):    xen-4.9.1_02-13.2
Comment 7 Swamp Workflow Management 2017-12-02 17:12:22 UTC
openSUSE-SU-2017:3194-1: An update that solves two vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1027519,1055047,1061075,1063123,1068187,1068191
CVE References: CVE-2017-15289,CVE-2017-15597
Sources used:
openSUSE Leap 42.2 (src):    xen-4.7.4_02-11.21.1
Comment 8 Swamp Workflow Management 2017-12-05 20:09:23 UTC
SUSE-SU-2017:3212-1: An update that solves four vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1061075,1061081,1061086,1063123,1068187,1068191
CVE References: CVE-2017-15289,CVE-2017-15592,CVE-2017-15595,CVE-2017-15597
Sources used:
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    xen-4.2.5_21-45.16.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    xen-4.2.5_21-45.16.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    xen-4.2.5_21-45.16.1
Comment 9 Swamp Workflow Management 2017-12-07 20:14:02 UTC
SUSE-SU-2017:3236-1: An update that solves 5 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1055047,1056336,1061075,1061081,1061086,1063123,1068187,1068191
CVE References: CVE-2017-13672,CVE-2017-15289,CVE-2017-15592,CVE-2017-15595,CVE-2017-15597
Sources used:
SUSE OpenStack Cloud 6 (src):    xen-4.5.5_20-22.36.3
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    xen-4.5.5_20-22.36.3
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    xen-4.5.5_20-22.36.3
Comment 10 Swamp Workflow Management 2017-12-08 11:11:23 UTC
SUSE-SU-2017:3239-1: An update that solves 5 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1055047,1056336,1061075,1061081,1061086,1063123,1068187,1068191
CVE References: CVE-2017-13672,CVE-2017-15289,CVE-2017-15592,CVE-2017-15595,CVE-2017-15597
Sources used:
SUSE Linux Enterprise Server 12-LTSS (src):    xen-4.4.4_26-22.59.3
Comment 11 Swamp Workflow Management 2017-12-08 11:14:14 UTC
SUSE-SU-2017:3242-1: An update that solves 5 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1055047,1056336,1061075,1061081,1061086,1063123,1068187,1068191
CVE References: CVE-2017-13672,CVE-2017-15289,CVE-2017-15592,CVE-2017-15595,CVE-2017-15597
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    xen-4.4.4_26-61.17.1
SUSE Linux Enterprise Server 11-SP4 (src):    xen-4.4.4_26-61.17.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    xen-4.4.4_26-61.17.1
Comment 12 Marcus Meissner 2018-02-12 21:01:16 UTC
reelased