Bug 1477651 (CVE-2017-12136, xsa228)

Summary: CVE-2017-12136 xsa228 xen: grant_table: Race conditions with maptrack free list handling (XSA-228)
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: ailan, drjones, imammedo, knoel, m.a.young, mrezanin, pbonzini, rkrcmar, robinlee.sysu, security-response-team, virt-maint, vkuznets, xen-maint
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-08-24 09:23:01 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1481765    
Bug Blocks:    

Description Adam Mariš 2017-08-02 14:36:33 UTC
ISSUE DESCRIPTION
=================

The grant table code in Xen has a bespoke semi-lockfree allocator for
recording grant mappings ("maptrack" entries).  This allocator has a
race which allows the free list to be corrupted.

Specifically: the code for removing an entry from the free list, prior
to use, assumes (without locking) that if inspecting head item shows
that it is not the tail, it will continue to not be the tail of the
list if it is later found to be still the head and removed with
cmpxchg.  But the entry might have been removed and replaced, with the
result that it might be the tail by then.  (The invariants for the
semi-lockfree data structure were never formally documented.)

Additionally, a stolen entry is put on the free list with an incorrect
link field, which will very likely corrupt the list.

IMPACT
======

A malicious guest administrator can crash the host, and can probably
escalate their privilege to that of the host.

VULNERABLE SYSTEMS
==================

Xen 4.6 and later are vulnerable.

Xen 4.5 and earlier are not vulnerable.

MITIGATION
==========

There is no mitigation for this vulnerability.

External References:

http://xenbits.xen.org/xsa/advisory-228.html

Comment 2 Adam Mariš 2017-08-15 12:35:12 UTC
Acknowledgments:

Name: the Xen project
Upstream: Ian Jackson (Citrix)

Comment 3 Adam Mariš 2017-08-15 16:15:05 UTC
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1481765]