Bug 1477657 (CVE-2017-12137, xsa227)

Summary: CVE-2017-12137 xsa227 xen: x86: PV privilege escalation via map_grant_ref (XSA-227)
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: ailan, drjones, imammedo, knoel, m.a.young, mrezanin, pbonzini, rkrcmar, robinlee.sysu, security-response-team, virt-maint, vkuznets, xen-maint
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-08-24 09:23:20 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1481765    
Bug Blocks:    

Description Adam Mariš 2017-08-02 14:43:18 UTC

When mapping a grant reference, a guest must inform Xen of where it
would like the grant mapped.  For PV guests, this is done by nominating
an existing linear address, or an L1 pagetable entry, to be altered.

Neither of these PV paths check for alignment of the passed parameter.
The linear address path suitably truncates the linear address when
calculating the L1 entry to use, but the path which uses a directly
nominated L1 entry performs no checks.

This causes Xen to make an incorrectly-aligned update to a pagetable,
which corrupts both the intended entry and the subsequent entry with
values which are largely guest controlled.  If the misaligned value
crosses a page boundary, then an arbitrary other heap page is


A PV guest can elevate its privilege to that of the host.


All versions of Xen are vulnerable.

Only x86 systems are vulnerable.

Any system running untrusted PV guests is vulnerable.

The vulnerability is exposed to PV stub qemu serving as the device model
for HVM guests.  Our default assumption is that an HVM guest has
compromised its PV stub qemu.  By extension, it is likely that the
vulnerability is exposed to HVM guests which are served by a PV stub


Running only HVM guests, served by a dom0-based qemu, will avoid this

External References:


Comment 2 Adam Mariš 2017-08-15 12:31:48 UTC

Name: the Xen project
Upstream: Andrew Cooper (Citrix)

Comment 3 Adam Mariš 2017-08-15 16:15:23 UTC
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1481765]