Bug 1090823 - (CVE-2018-10981) VUL-0: CVE-2018-10981: xen: qemu may drive Xen into unbounded loop (XSA-262)
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium; Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
https://smash.suse.de/issue/204860/
CVSSv3:RedHat:CVE-2018-10981:6.5:(AV:...
Reported: 2018-04-25 06:25 UTC by Johannes Segitz
Modified: 2021-01-21 18:20 UTC (History)
Comment 2 Charles Arnold 2018-05-02 22:28:18 UTC
The following submit requests have been done,

SUSE:SLE-12-SP3:Update: 164188
SUSE:SLE-12-SP2:Update: 164189
SUSE:SLE-12-SP1:Update: 164190
SUSE:SLE-12:Update: 164191
SUSE:SLE-11-SP4:Update: 164192
Comment 3 Charles Arnold 2018-05-03 20:20:40 UTC
The following submit requests have been done,

SUSE:SLE-11-SP3:Update:Teradata: 164377
SUSE:SLE-11-SP3:Update: 164378
SUSE:SLE-11-SP1:Update:Teradata: 164379
Comment 4 Charles Arnold 2018-05-07 16:49:41 UTC
Patches for this bug have been submitted for the following distros,

SUSE:SLE-10-SP3:Update:Test
SUSE:SLE-11-SP1:Update:Teradata
SUSE:SLE-11-SP3:Update
SUSE:SLE-11-SP3:Update:Teradata
SUSE:SLE-11-SP4:Update
SUSE:SLE-12:Update
SUSE:SLE-12-SP1:Update
SUSE:SLE-12-SP2:Update
SUSE:SLE-12-SP3:Update
Comment 5 Marcus Meissner 2018-05-08 17:11:27 UTC
is public

                    Xen Security Advisory XSA-262
                              version 2

                qemu may drive Xen into unbounded loop

UPDATES IN VERSION 2
====================

Public release.

Updated .meta file

ISSUE DESCRIPTION
=================

When Xen sends requests to a device model, the next expected action
inside Xen is tracked using a state field.  The requests themselves
are placed in a memory page shared with the device model, so that the
device model can communicate to Xen its progress on the request.  The
state field is in the request itself, where the device model may write
to it.  Xen correctly rejects invalid state values, but failed to reject
invalid transitions between states.  As a result, a device model which
switches a request between two states at the right times can drive Xen
into an unbounded loop.

IMPACT
======

A malicious unprivileged device model can cause a Denial of Service
(DoS) affecting the entire host.  Specifically, it may prevent use of a
physical CPU for an indeterminate period of time.

VULNERABLE SYSTEMS
==================

All Xen versions are vulnerable.
Only x86 systems are affected.  ARM systems are not affected.

Only HVM guests can expose this vulnerability.  PV and PVH guests cannot
expose this vulnerability, but note that the domains being able to
leverage the vulnerability are PV or PVH ones, running the device model.

This vulnerability is only applicable to Xen systems using stub domains.

MITIGATION
==========

Running only PV or PVH guests will avoid this issue.

(The security of a Xen system using stub domains is still better than
with a qemu-dm running as an unrestricted dom0 process.  Therefore
users with these configurations should not switch to an unrestricted
dom0 qemu-dm.)

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa262.patch           xen-unstable
xsa262-4.10.patch      Xen 4.10.x
xsa262-4.9.patch       Xen 4.9.x, Xen 4.8.x, Xen 4.7.x
xsa262-4.6.patch       Xen 4.6.x

$ sha256sum xsa262*
a5a3458c5efdad282bd769fcab2b94ebfe0a979befae3b4703201fcbf0970cc7  xsa262.meta
5aa73753d3eec8ae391b1364c430df7517bf4bdb3e65a8e6e8431898348f4ad9  xsa262.patch
7196b468b916bf956f8dc0cab20a5c29f8a1bfa4de4e4fa982b7b9c8494e4c0d  xsa262-4.6.patch
ec2b6ba9ed1d5e97fed4b54767160a75fe19d67e4519f716739bebdb78816191  xsa262-4.9.patch
91d3b329131b6d434b268c0c55fd4900033fce8b2582bd9278ae967efc980fb0  xsa262-4.10.patch
$
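
An added example, not part of the advisory above and not Xen's code: a minimal C model of the check the ISSUE DESCRIPTION calls for, where a consumer polling a state field that the other side can write rejects backward transitions as well as invalid values. The state names, the sample sequences and wait_for_response() are hypothetical, and the poll count is bounded by the sample length only so the model terminates.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical request states, numbered in order of forward progress. */
enum req_state { REQ_READY, REQ_INPROCESS, RESP_READY, REQ_STATE_COUNT };

enum wait_result { WAIT_DONE, WAIT_PENDING, WAIT_BAD_STATE, WAIT_BAD_TRANSITION };

/* Constructed samples: the value read from the shared slot on each poll. */
const unsigned honest[]   = { REQ_READY, REQ_INPROCESS, REQ_INPROCESS, RESP_READY };
const unsigned flapping[] = { REQ_INPROCESS, REQ_READY, REQ_INPROCESS,
                              REQ_READY, REQ_INPROCESS, REQ_READY };
const unsigned garbage[]  = { REQ_READY, 7 };

/*
 * Poll the request state until a response is ready. With check_transitions
 * set to 0 only the value is validated (the behaviour the advisory describes
 * as insufficient); with 1, a state lower than the last one seen is rejected.
 * *polls receives the number of reads consumed before returning.
 */
enum wait_result wait_for_response(const unsigned *observed, size_t n,
                                   int check_transitions, size_t *polls)
{
    unsigned prev = REQ_READY;          /* state the request was issued in */

    *polls = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned state = observed[i];   /* read once, then act on the copy */

        *polls = i + 1;
        if (state >= REQ_STATE_COUNT)
            return WAIT_BAD_STATE;      /* invalid value */
        if (check_transitions && state < prev)
            return WAIT_BAD_TRANSITION; /* valid value, invalid move backwards */
        prev = state;
        if (state == RESP_READY)
            return WAIT_DONE;
    }
    return WAIT_PENDING;                /* ran out of polls while still waiting */
}

int main(void)
{
    size_t polls;
    int r = wait_for_response(flapping, 6, 1, &polls);

    printf("flapping, transitions checked: result %d after %zu polls\n", r, polls);
    return 0;
}
```

With value-only validation the flapping sample keeps the waiter polling for as long as input lasts; with the transition check it is rejected on the second read.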
Comment 6 Swamp Workflow Management 2018-05-09 11:34:19 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2018-05-16.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/64029
Comment 7 Swamp Workflow Management 2018-05-09 16:10:03 UTC
SUSE-SU-2018:1177-1: An update that solves four vulnerabilities and has 6 fixes is now available.

Category: security (important)
Bug References: 1027519,1057493,1072834,1083292,1086107,1089152,1089635,1090820,1090822,1090823
CVE References: CVE-2018-10471,CVE-2018-10472,CVE-2018-7550,CVE-2018-8897
Sources used:
SUSE Linux Enterprise Server 12-LTSS (src):    xen-4.4.4_30-22.65.1
Comment 8 Swamp Workflow Management 2018-05-09 16:18:52 UTC
SUSE-SU-2018:1181-1: An update that solves four vulnerabilities and has 7 fixes is now available.

Category: security (important)
Bug References: 1027519,1035442,1057493,1072834,1083292,1086107,1089152,1089635,1090820,1090822,1090823
CVE References: CVE-2018-10471,CVE-2018-10472,CVE-2018-7550,CVE-2018-8897
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    xen-4.4.4_30-61.26.1
SUSE Linux Enterprise Server 11-SP4 (src):    xen-4.4.4_30-61.26.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    xen-4.4.4_30-61.26.1
Comment 9 Swamp Workflow Management 2018-05-09 19:11:30 UTC
SUSE-SU-2018:1184-1: An update that solves 6 vulnerabilities and has 6 fixes is now available.

Category: security (important)
Bug References: 1027519,1072834,1080634,1080635,1080662,1087251,1087252,1089152,1089635,1090820,1090822,1090823
CVE References: CVE-2018-10471,CVE-2018-10472,CVE-2018-7540,CVE-2018-7541,CVE-2018-7542,CVE-2018-8897
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    xen-4.9.2_04-3.29.1
SUSE Linux Enterprise Server 12-SP3 (src):    xen-4.9.2_04-3.29.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    xen-4.9.2_04-3.29.1
SUSE CaaS Platform ALL (src):    xen-4.9.2_04-3.29.1
Comment 10 Swamp Workflow Management 2018-05-10 16:08:21 UTC
SUSE-SU-2018:1202-1: An update that solves four vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1027519,1083292,1089152,1089635,1090820,1090822,1090823
CVE References: CVE-2018-10471,CVE-2018-10472,CVE-2018-7550,CVE-2018-8897
Sources used:
SUSE OpenStack Cloud 6 (src):    xen-4.5.5_24-22.46.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    xen-4.5.5_24-22.46.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    xen-4.5.5_24-22.46.1
Comment 11 Swamp Workflow Management 2018-05-10 19:08:16 UTC
SUSE-SU-2018:1203-1: An update that solves four vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1083292,1089152,1089635,1090820,1090822,1090823
CVE References: CVE-2018-10471,CVE-2018-10472,CVE-2018-7550,CVE-2018-8897
Sources used:
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    xen-4.2.5_21-45.22.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    xen-4.2.5_21-45.22.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    xen-4.2.5_21-45.22.1
Comment 12 Alexander Bergmann 2018-05-11 07:43:14 UTC
CVE-2018-10981 was assigned to this issue.
Comment 13 Swamp Workflow Management 2018-05-11 13:08:25 UTC
SUSE-SU-2018:1216-1: An update that solves three vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1027519,1086039,1089152,1089635,1090820,1090822,1090823
CVE References: CVE-2018-10471,CVE-2018-10472,CVE-2018-8897
Sources used:
SUSE OpenStack Cloud 7 (src):    xen-4.7.5_02-43.30.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    xen-4.7.5_02-43.30.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    xen-4.7.5_02-43.30.1
SUSE Enterprise Storage 4 (src):    xen-4.7.5_02-43.30.1
Comment 14 Swamp Workflow Management 2018-05-11 22:38:55 UTC
openSUSE-SU-2018:1274-1: An update that solves 6 vulnerabilities and has 6 fixes is now available.

Category: security (important)
Bug References: 1027519,1072834,1080634,1080635,1080662,1087251,1087252,1089152,1089635,1090820,1090822,1090823
CVE References: CVE-2018-10471,CVE-2018-10472,CVE-2018-7540,CVE-2018-7541,CVE-2018-7542,CVE-2018-8897
Sources used:
openSUSE Leap 42.3 (src):    xen-4.9.2_04-19.2
Comment 15 Swamp Workflow Management 2018-05-29 10:12:28 UTC
SUSE-SU-2018:1456-1: An update that solves three vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1027519,1074562,1090296,1090822,1090823,1092631
CVE References: CVE-2018-10981,CVE-2018-10982,CVE-2018-3639
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    xen-4.9.2_06-3.32.1
SUSE Linux Enterprise Server 12-SP3 (src):    xen-4.9.2_06-3.32.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    xen-4.9.2_06-3.32.1
SUSE CaaS Platform ALL (src):    xen-4.9.2_06-3.32.1
Comment 16 Swamp Workflow Management 2018-06-01 13:09:10 UTC
openSUSE-SU-2018:1487-1: An update that solves three vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1027519,1074562,1090296,1090822,1090823,1092631
CVE References: CVE-2018-10981,CVE-2018-10982,CVE-2018-3639
Sources used:
openSUSE Leap 42.3 (src):    xen-4.9.2_06-22.1
Comment 17 Swamp Workflow Management 2018-06-05 15:11:24 UTC
This is an autogenerated message for OBS integration:
This bug (1090823) was mentioned in
https://build.opensuse.org/request/show/614322 15.0 / xen
Comment 18 Andreas Stieger 2018-06-09 08:26:09 UTC
releasing for Leap 15.0,  resolving as done
Comment 19 Swamp Workflow Management 2018-08-27 13:09:43 UTC
SUSE-SU-2018:2528-1: An update that solves 12 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1027519,1074562,1079730,1090822,1090823,1091107,1092631,1095242,1096224,1097206,1097521,1097522,1098744
CVE References: CVE-2017-5715,CVE-2017-5753,CVE-2017-5754,CVE-2018-10981,CVE-2018-10982,CVE-2018-11806,CVE-2018-12617,CVE-2018-12891,CVE-2018-12893,CVE-2018-3639,CVE-2018-3646,CVE-2018-3665
Sources used:
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    xen-4.2.5_21-45.25.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    xen-4.2.5_21-45.25.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    xen-4.2.5_21-45.25.1
Comment 20 Swamp Workflow Management 2018-10-18 18:17:43 UTC
SUSE-SU-2018:3230-1: An update that solves four vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1027519,1086039,1089152,1089635,1090820,1090822,1090823
CVE References: CVE-2017-5754,CVE-2018-10471,CVE-2018-10472,CVE-2018-8897
Sources used:
SUSE Linux Enterprise Server 12-SP2-BCL (src):    xen-4.7.5_02-43.30.1