Bug 1458870 (CVE-2017-10911, xsa216)

Summary: CVE-2017-10911 xsa216 xen: blkif responses leak backend stack data (XSA-216)
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: ailan, amit, aortega, apevec, areis, ayoung, berrange, cfergeau, chrisw, cvsbot-xmlrpc, drjones, dwmw2, imammedo, itamar, jen, jjoyce, jschluet, kbasil, knoel, lhh, lpeer, markmc, m.a.young, mkenneth, mrezanin, mst, pbonzini, ppandit, rbalakri, rbryant, rjones, rkrcmar, robinlee.sysu, sclewis, security-response-team, srevivo, tdecacqu, virt-maint, virt-maint, vkuznets, xen-maint, ykaul, ylavi
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-12-20 07:34:38 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1463247    
Bug Blocks: 1458881    

Description Adam Mariš 2017-06-05 17:42:49 UTC 
ISSUE DESCRIPTION
=================

The block interface response structure has some discontiguous fields.
Certain backends populate the structure fields of an otherwise
uninitialized instance of this structure on their stacks, leaking
data through the (internal or trailing) padding field.

IMPACT
======

A malicious unprivileged guest may be able to obtain sensitive
information from the host or other guests.

VULNERABLE SYSTEMS
==================

All Linux versions supporting the xen-blkback, blkback, or blktap
drivers are vulnerable.

FreeBSD, NetBSD and Windows (with our without PV drivers) are not
vulnerable (either because they do not have backends at all, or
because they use a different implementation technique which does not
suffer from this problem).

All qemu versions supporting the Xen block backend are vulnerable.  The
qemu-xen-traditional code base does not include such code, so is not
vulnerable.  Note that an instance of qemu will be spawned to provide
the backend for most non-raw-format disks; so you may need to apply the
patch to qemu even if you use only PV guests.

MITIGATION
==========

There's no mitigation available for x86 PV and ARM guests.

For x86 HVM guests it may be possible to change the guest
configuaration such that a fully virtualized disk is being made
available instead.  However, this would normally entail changes inside
the guest itself.

External References:

http://xenbits.xen.org/xsa/advisory-216.html

Acknowledgements:

Name: the Xen project
Upstream: Anthony Perard (Citrix)
Comment 1 Adam Mariš 2017-06-20 12:34:26 UTC 
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1463247]