Bug 1304627 (CVE-2016-2270, xsa154)

Summary: CVE-2016-2270 xsa154 xen: inconsistent cachability flags on guest mappings (XSA-154)
Product: [Other] Security Response Reporter: Martin Prpič <mprpic>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-02-26 12:28:40 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1309324    
Bug Blocks: 1304631    

Description Martin Prpič 2016-02-04 08:51:40 UTC
ISSUE DESCRIPTION
=================

Multiple mappings of the same physical page with different cachability setting can cause problems. While one category (risk of using stale data) affects only guests themselves (and hence avoiding this can be left for them to control), the other category being Machine Check exceptions can be fatal to entire hosts. According to the information we were able to gather, only mappings of MMIO pages may surface this second category, but even for them there were cases where the hypervisor did not properly enforce consistent cachability.

IMPACT
======

A malicious guest administrator might be able to cause a reboot, denying service to the entire host.

VULNERABLE SYSTEMS
==================

Only x86 guests given control over some physical device can trigger this vulnerability. ARM systems are not vulnerable.

The vulnerability depends on the system response to mapping the same memory with different cacheability. On some systems this is harmless; on others, depending on CPU and chipset, it may be fatal.

MITIGATION
==========

Not handing physical devices to guests will also avoid this issue.


External References:

http://xenbits.xen.org/xsa/advisory-154.html

Acknowledgements:

Red Hat would like to thank the Xen project for reporting this issue.

Comment 1 Andrej Nemec 2016-02-17 13:24:42 UTC
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1309324]

Comment 2 Andrej Nemec 2016-02-17 13:24:55 UTC
Public via:

http://seclists.org/oss-sec/2016/q1/356

Comment 3 Fedora Update System 2016-02-26 19:23:31 UTC
xen-4.5.2-8.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 4 Fedora Update System 2016-03-06 23:18:33 UTC
xen-4.5.2-8.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.