Bug 1486707 (CVE-2017-14316, xsa231)

Summary: CVE-2017-14316 xsa231 xen: Missing NUMA node parameter verification (XSA-231)
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: high
Priority: high
Version: unspecified
CC: ailan, drjones, imammedo, jforbes, knoel, m.a.young, mrezanin, pbonzini, rkrcmar, robinlee.sysu, security-response-team, vkuznets, xen-maint
Keywords: Security
Hardware: All
OS: Linux
Last Closed: 2019-06-08 03:22:45 UTC
Bug Depends On: 1490884

Description Adam Mariš 2017-08-30 11:55:41 UTC

The function `alloc_heap_pages` allows callers to specify the first
NUMA node that should be used for allocations through the `memflags`
parameter; the node is extracted using the `MEMF_get_node` macro.

While the function checks to see if the special constant
`NUMA_NO_NODE` is specified, it otherwise does not handle the case
where `node >= MAX_NUMNODES`.  This allows an out-of-bounds access
to an internal array.


An attacker using crafted hypercalls can execute arbitrary code within


All versions of Xen are affected.

Both ARM and x86 are affected.

Both systems running HVM guests and systems running PV guests are


No known mitigation.

External References:


Comment 1 Adam Mariš 2017-09-12 12:22:08 UTC

Name: Matthew Daley

Comment 2 Adam Mariš 2017-09-12 12:23:53 UTC
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1490884]
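
The missing range check from the description at the top of this bug, as an added example (not code from Xen or from this report). It is a simplified model: the functions `pick_node_unchecked`, `pick_node_checked` and `avail_on_node`, the array `node_avail`, the constant values and the flag bit layout are all assumptions made for illustration.

```c
#include <stdio.h>

/* Simplified model: values and bit layout below are assumptions, not Xen's source. */
#define MAX_NUMNODES     64u
#define NUMA_NO_NODE     0xFFu
#define MEMF_NODE_SHIFT  8
#define MEMF_NODE_MASK   0xFFu
#define MEMF_node(n)     ((((n) + 1u) & MEMF_NODE_MASK) << MEMF_NODE_SHIFT)
#define MEMF_get_node(f) ((((f) >> MEMF_NODE_SHIFT) - 1u) & MEMF_NODE_MASK)

static unsigned long node_avail[MAX_NUMNODES]; /* stand-in for the internal per-node array */

/* "Before": only the NUMA_NO_NODE sentinel is handled, so the returned
 * index can be >= MAX_NUMNODES. It is returned here, never dereferenced. */
unsigned int pick_node_unchecked(unsigned int memflags, unsigned int local_node)
{
    unsigned int node = MEMF_get_node(memflags);
    if (node == NUMA_NO_NODE)
        node = local_node;
    return node;
}

/* "After": any index outside the array is rejected. Returns 0 or -1. */
int pick_node_checked(unsigned int memflags, unsigned int local_node, unsigned int *out)
{
    unsigned int node = MEMF_get_node(memflags);
    if (node == NUMA_NO_NODE)
        node = local_node;
    if (node >= MAX_NUMNODES)
        return -1;          /* caller-supplied node is out of range */
    *out = node;
    return 0;
}

/* Array lookup guarded by the checked form. Returns the count, or -1 on a bad node. */
long avail_on_node(unsigned int memflags, unsigned int local_node)
{
    unsigned int node;
    if (pick_node_checked(memflags, local_node, &node) != 0)
        return -1;
    return (long)node_avail[node];
}

int main(void)
{
    printf("unchecked index: %u\n", pick_node_unchecked(MEMF_node(200u), 0));
    printf("checked lookup:  %ld\n", avail_on_node(MEMF_node(200u), 0));
    return 0;
}
```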