Bug 1608559 (CVE-2018-14678)

Summary: CVE-2018-14678 xen: Uninitialized state in x86 PV failsafe callback path (XSA-274)
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Version: unspecified
CC: acaringi, ailan, bhu, blc, bmasney, brdeoliv, dhoward, drjones, dvlasenk, esammons, fhrbata, hkrzesin, iboverma, imammedo, jforbes, jlelli, jross, jshortt, jstancek, kcarcia, kernel-mgr, knoel, lgoncalv, matt, m.a.young, mcressma, mlangsdo, mrezanin, nmurray, pbonzini, ptalbert, qzhao, robinlee.sysu, rt-maint, rvrbovsk, vkuznets, walters, williams, xen-maint
Keywords: Security
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Last Closed: 2020-04-22 04:31:56 UTC
Bug Depends On: 1608560
Bug Blocks: 1608561

Description Pedro Sampaio 2018-07-25 19:58:12 UTC
Xen Security Advisory XSA-274

Linux: Uninitialized state in PV syscall return path

ISSUE DESCRIPTION
=================

Linux has a `failsafe` callback, invoked by Xen under certain
conditions. Normally in this failsafe callback, error_entry is paired
with error_exit; and error_entry uses %ebx to communicate to
error_exit whether to use the user or kernel return path.

Unfortunately, on 64-bit PV Xen on x86, error_exit is called without
error_entry being called first, leaving %ebx with an invalid value.

IMPACT
======

A rogue user-space program could crash a guest kernel. Privilege
escalation cannot be ruled out.

VULNERABLE SYSTEMS
==================

Only 64-bit x86 PV Linux systems are vulnerable.

All versions of Linux are vulnerable.

MITIGATION
==========

Switching to HVM or PVH guests will mitigate this issue.

CREDITS
=======

This issue was discovered by M. Vefa Bicakci, and recognized as a
security issue by Andy Lutomirski.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

NB this patch has not been accepted into Linux upstream yet. An
updated advisory will be sent if the fix as upstreamed looks
significantly different.

xsa274-linux-4.17.patch Linux 4.17

$ sha256sum xsa274*
0c30cb13d1d573f446c8cb8d4824ffad8ef9149a7589a19ef9bcc83c07bddcf5 xsa274-linux-4.17.patch
$

NOTE ON THE LACK OF EMBARGO
===========================

The patch for this issue was published on linux-kernel without being
first reported to the XenProject Security Team.
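
The advisory's "VULNERABLE SYSTEMS" and "MITIGATION" sections reduce to three facts about a guest: it runs under Xen, it is a PV (not HVM or PVH) guest, and the kernel is 64-bit x86. The script below is an added example, not part of XSA-274 or of this Red Hat bug, that turns those criteria into a check you can run inside a guest. It assumes the kernel exposes /sys/hypervisor/type ("xen") and /sys/hypervisor/guest_type ("PV", "HVM" or "PVH"); guest_type is only available on kernels that ship it, so a missing value is reported as "unknown" rather than guessed.

```shell
#!/bin/sh
# Added example: classify a Linux guest against the XSA-274 exposure criteria.
# Not code from the advisory or the bug; the sysfs paths below are assumptions
# about what the guest kernel exposes.

# xsa274_exposed ARCH HV_TYPE GUEST_TYPE -> prints yes | no | unknown
xsa274_exposed() {
    arch=$1; hv=$2; gt=$3
    if [ "$hv" != "xen" ]; then
        echo no          # not running under Xen at all
        return 0
    fi
    case "$gt" in
        PV)
            # Only 64-bit x86 PV guests use the affected entry path
            if [ "$arch" = "x86_64" ]; then echo yes; else echo no; fi ;;
        HVM|PVH)
            echo no ;;   # the advisory's mitigation: run as HVM or PVH
        *)
            echo unknown ;;   # guest_type not exposed by this kernel
    esac
}

# read_or_empty FILE -> file contents, or an empty string when missing/unreadable
read_or_empty() {
    if [ -r "$1" ]; then cat "$1"; else echo ""; fi
}

# check_local -> one summary line for the guest this script runs on
check_local() {
    arch=$(uname -m)
    hv=$(read_or_empty /sys/hypervisor/type)
    gt=$(read_or_empty /sys/hypervisor/guest_type)
    verdict=$(xsa274_exposed "$arch" "$hv" "$gt")
    echo "arch=$arch hypervisor=${hv:-none} guest_type=${gt:-unknown} xsa274_exposed=$verdict"
}

check_local
```

On a 32-bit PV guest (uname -m reports i686) the function answers "no", matching the advisory's "Only 64-bit x86 PV Linux systems are vulnerable"; an "unknown" verdict means the guest is under Xen but the kernel predates the guest_type attribute, in which case the dmesg boot line or the host's domain configuration has to settle whether it is PV.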

Comment 1 Pedro Sampaio 2018-07-25 19:58:28 UTC
Acknowledgments:

Name: M. Vefa Bicakci, the Xen project
Upstream: Andy Lutomirski

Comment 2 Pedro Sampaio 2018-07-25 19:58:51 UTC
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1608560]

Comment 4 Product Security DevOps Team 2020-04-22 04:31:56 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-14678

Comment 5 Petr Matousek 2020-06-24 11:57:28 UTC
Statement:

This issue only affects guests running as Xen paravirtualized (PV) guests. Starting with Red Hat Enterprise Linux 7 onwards running Red Hat Enterprise Linux installations as Xen PV guests is not supported.