Bug 1458878 (CVE-2017-10920, CVE-2017-10921, CVE-2017-10922, xsa224)

Summary: CVE-2017-10920 CVE-2017-10921 CVE-2017-10922 xsa224 xen: grant table operations mishandle reference counts (XSA-224)
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: ailan, drjones, imammedo, knoel, m.a.young, mrezanin, pbonzini, rkrcmar, robinlee.sysu, security-response-team, virt-maint, vkuznets, xen-maint
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-08-24 09:22:03 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1463247
Bug Blocks:

Description Adam Mariš 2017-06-05 17:43:35 UTC
ISSUE DESCRIPTION
=================

We have discovered a number of bugs in the code mapping and unmapping
grant references.

* If a grant is mapped with both the GNTMAP_device_map and
GNTMAP_host_map flags, but unmapped only with host_map, the device_map
portion remains but the page reference counts are lowered as though it
had been removed. This bug can be leveraged to cause a page's reference
counts and type counts to fall to zero while retaining writeable
mappings to the page.

* Under some specific conditions, if a grant is mapped with both the
GNTMAP_device_map and GNTMAP_host_map flags, the operation may not
grab sufficient type counts.  When the grant is then unmapped, the
type count will be erroneously reduced.  This bug can be leveraged to
cause a page's reference counts and type counts to fall to zero while
retaining writeable mappings to the page.

* When a grant reference is given to an MMIO region (as opposed to a
normal guest page), if the grant is mapped with only the
GNTMAP_device_map flag set, a mapping is created at host_addr anyway.
This does *not* cause reference counts to change, but there will be no
record of this mapping, so it will not be considered when reporting
whether the grant is still in use.

IMPACT
======

For the worst issue, a PV guest could gain a writeable mapping of its
own pagetable, allowing it to escalate its privileges to that of the
host.

VULNERABLE SYSTEMS
==================

All versions of Xen are vulnerable.

Only x86 systems are vulnerable.

Any system running untrusted PV guests is vulnerable.

Systems with untrusted HVM guests are only vulnerable if those guests
are served by a trusted PV backend which is vulnerable: Namely, one
which calls grant_map() with both the GNTMAP_device_map and
GNTMAP_host_map flags.  The security team is not aware of any backends
which are vulnerable.

Mitigation:

Running only HVM guests will avoid this vulnerability.

External References:

http://xenbits.xen.org/xsa/advisory-224.html

Acknowledgements:

Name: the Xen project
Upstream: Jan Beulich (SUSE)
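The accounting mismatch behind the first two bullets of the advisory, shown as a constructed C model added here. This is neither Xen's grant table code nor part of the advisory: the `struct page` counters, `struct grant_mapping`, `grant_map`, `grant_unmap_buggy`, `grant_unmap_fixed` and the `run_*` scenario helpers are all invented for illustration. Only the flag names `GNTMAP_device_map` and `GNTMAP_host_map` come from the page. The model captures the rule a hypervisor has to keep: every live mapping of a granted page, device or host, owns one general reference and one writable-type reference, and an unmap may only release what it actually tears down. The buggy variant releases references for every live mapping as soon as the host mapping goes away, which leaves the device mapping alive on a page whose counts have reached zero; the `dangling_mapping` check is the invariant a reviewer or a test harness would assert.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed model (not Xen's code). Flag names follow the advisory;
 * the bit values are assumptions for this model. */
#define GNTMAP_device_map 0x1u
#define GNTMAP_host_map   0x2u

struct page {
    int ref_count;   /* general references held by live mappings */
    int type_count;  /* writable-type references held by live mappings */
};

struct grant_mapping {
    unsigned flags;  /* mapping kinds currently in place for this grant */
};

struct outcome {
    int ref_count;
    int type_count;
    unsigned live_flags;
    int dangling;    /* 1 if a mapping survives with its references gone */
};

static int count_bits(unsigned flags)
{
    int n = 0;
    for (; flags; flags &= flags - 1)
        n++;
    return n;
}

/* Map: each newly created mapping kind takes its own reference pair. */
static void grant_map(struct page *pg, struct grant_mapping *m, unsigned flags)
{
    int n = count_bits(flags & ~m->flags);   /* kinds not already mapped */
    pg->ref_count += n;
    pg->type_count += n;
    m->flags |= flags;
}

/* Buggy unmap, modelling the advisory's first bullet: removing the host
 * mapping releases references for every live mapping, as though the whole
 * grant had been torn down, while the device mapping stays in place. */
static void grant_unmap_buggy(struct page *pg, struct grant_mapping *m, unsigned flags)
{
    unsigned removed = flags & m->flags;
    int n = (removed & GNTMAP_host_map) ? count_bits(m->flags)   /* defect */
                                        : count_bits(removed);
    pg->ref_count -= n;
    pg->type_count -= n;
    m->flags &= ~removed;
}

/* Corrected unmap: release exactly one reference pair per mapping kind that
 * is actually being removed, and nothing for kinds that remain. */
static void grant_unmap_fixed(struct page *pg, struct grant_mapping *m, unsigned flags)
{
    unsigned removed = flags & m->flags;
    int n = count_bits(removed);
    pg->ref_count -= n;
    pg->type_count -= n;
    m->flags &= ~removed;
}

/* Invariant: a page with any live mapping keeps positive counts. */
static bool dangling_mapping(const struct page *pg, const struct grant_mapping *m)
{
    return m->flags != 0 && (pg->ref_count <= 0 || pg->type_count <= 0);
}

static struct outcome snapshot(const struct page *pg, const struct grant_mapping *m)
{
    struct outcome o = { pg->ref_count, pg->type_count, m->flags,
                         dangling_mapping(pg, m) ? 1 : 0 };
    return o;
}

/* Scenario from the advisory: map with both kinds, unmap only host_map. */
struct outcome run_partial_unmap(bool use_fixed_unmap)
{
    struct page pg = { 0, 0 };
    struct grant_mapping m = { 0 };

    grant_map(&pg, &m, GNTMAP_device_map | GNTMAP_host_map);
    if (use_fixed_unmap)
        grant_unmap_fixed(&pg, &m, GNTMAP_host_map);
    else
        grant_unmap_buggy(&pg, &m, GNTMAP_host_map);
    return snapshot(&pg, &m);
}

/* Same start, then the device mapping is removed as well. */
struct outcome run_full_unmap(bool use_fixed_unmap)
{
    struct page pg = { 0, 0 };
    struct grant_mapping m = { 0 };

    grant_map(&pg, &m, GNTMAP_device_map | GNTMAP_host_map);
    if (use_fixed_unmap) {
        grant_unmap_fixed(&pg, &m, GNTMAP_host_map);
        grant_unmap_fixed(&pg, &m, GNTMAP_device_map);
    } else {
        grant_unmap_buggy(&pg, &m, GNTMAP_host_map);
        grant_unmap_buggy(&pg, &m, GNTMAP_device_map);
    }
    return snapshot(&pg, &m);
}

int main(void)
{
    struct outcome b = run_partial_unmap(false), f = run_partial_unmap(true);
    printf("buggy: refs=%d types=%d live=0x%x dangling=%d\n",
           b.ref_count, b.type_count, b.live_flags, b.dangling);
    printf("fixed: refs=%d types=%d live=0x%x dangling=%d\n",
           f.ref_count, f.type_count, f.live_flags, f.dangling);
    return 0;
}
```

With the buggy unmap the partial scenario ends with the device mapping still live and both counts at zero, the state the advisory describes as a page that can be freed or retyped while a writable mapping to it remains; the full teardown then drives the counts negative, which is the kind of underflow a debug build would catch. With the corrected unmap the counts track the live mappings exactly at every step.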

Comment 1 Adam Mariš 2017-06-20 12:36:46 UTC
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1463247]