[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] Xen Security Advisory 226 (CVE-2017-12135) - multiple problems with transitive grants



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2017-12135 / XSA-226
                               version 5

               multiple problems with transitive grants

UPDATES IN VERSION 5
====================

Public release.

ISSUE DESCRIPTION
=================

1) Code to handle copy operations on transitive grants has built in
   retry logic, involving a function reinvoking itself with unchanged
   parameters.  Such use assumes that the compiler would also translate
   this to a so called "tail call" when generating machine code.
   Empirically, this is not commonly the case, allowing for
   theoretically unbounded nesting of such function calls.

2) The reference counting and locking discipline for transitive grants
   is broken.  Concurrent use of the transitive grant can leak
   references on the transitively-referenced grant.

IMPACT
======

A malicious or buggy guest may be able to crash Xen.  Privilege
escalation and information leaks cannot be ruled out.  A malicious or
buggy guest can leak references on grants it has been given, amounting
to a DoS against the grantee.

VULNERABLE SYSTEMS
==================

All versions of Xen are vulnerable.

MITIGATION
==========

There is no known mitigation.

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

The security team would also like to thank Amazon for helping to identify that
the problems with transitive grants were deeper than originally believed.

RESOLUTION
==========

Applying the appropriate attached patch works around this issue by disabling
transitive grants by default.

xsa226.patch           xen-unstable, Xen 4.9.x, Xen 4.8.x
xsa226-4.7.patch       Xen 4.7.x
xsa226-4.6.patch       Xen 4.6.x
xsa226-4.5.patch       Xen 4.5.x

$ sha256sum xsa226*
b09e07aaf422ae04a4ece5e2c5b5e54036cfae5b5c632bfc6953a0cacd6f60ff  xsa226.patch
ca8b92b2ff58b87e8bec137a34784cbf11e2820659046df6e1d71e23bf7e7dee  
xsa226-4.5.patch
28c7df7edabb91fb2f1fa3fc7d6906bfae75a6e701f1cd335baafaae3e087696  
xsa226-4.6.patch
fffcc0a4428723e6aea391ff4f1d27326b5a3763d2308cbde64e6a786502c702  
xsa226-4.7.patch
$

(The .meta file is a prototype machine-readable file for describing
which patches are to be applied how.)

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJZkuNKAAoJEIP+FMlX6CvZUHMIALQcTfo00unwBX9RO7lBy4na
LSkFE9yaPtA/pg5RRGo7Nrwl2nIDRc6Xc0ZkhNm0rfi1gnR0htP3jyJXxkXv1sah
jkBP0bZYfWDHRxSdVBbNNn8q0mhuanycFhVuEiu+vmTPKRUTyODkAdAoi/TkY9Iq
XD24clIrjY2xIDO3pKbDTJUZ86rHD0nepHdnnvN2rywyBd2VkJfJWGavqHgs61XX
j9jX0nI4Wcm4nQKx37MBUwwN3oYeEKrzYQY3+AGVKQEWuULP4sWRKhxZaqclCbfd
Cx/9gACwPEORU6bRXE/vzlxn7Ks6yf2tqgNAGCTrZgwW8q3SFNASHzaAM3EXz3w=
=VNkV
-----END PGP SIGNATURE-----

Attachment: xsa226.patch
Description: Binary data

Attachment: xsa226-4.5.patch
Description: Binary data

Attachment: xsa226-4.6.patch
Description: Binary data

Attachment: xsa226-4.7.patch
Description: Binary data

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.