Bug 1652227 (CVE-2018-19964, XSA-277)

Summary: CVE-2018-19964 xsa277 xen: x86: incorrect error handling for guest p2m page removals (XSA-277)
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: ailan, drjones, imammedo, jforbes, knoel, m.a.young, mrezanin, pbonzini, rkrcmar, robinlee.sysu, vkuznets, xen-maint
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-10 10:43:08 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1652251    
Bug Blocks:    

Description Pedro Sampaio 2018-11-21 17:46:14 UTC 
ISSUE DESCRIPTION
=================

The internal function querying a domain's p2m table grabs the p2m lock
by default, so that the answer to the query remains true until the
caller can act on that information; it is up to the caller then to
release the lock.  Unfortunately, certain failure paths don't release
the lock.

IMPACT
======

A malicious or buggy guest may cause a deadlock, resulting in a DoS
(Denial of Service) affecting the entire host.

VULNERABLE SYSTEMS
==================

Xen 4.11 and onward are vulnerable.

Only x86 systems are vulnerable.  ARM systems are not vulnerable.

Only systems running untrusted HVM or PVH guests are vulnerable.
Systems running only PV guests are not vulnerable.

MITIGATION
==========

Running only PV guests will avoid this vulnerability.

References:

https://xenbits.xen.org/xsa/advisory-277.html
Comment 1 Pedro Sampaio 2018-11-21 17:46:28 UTC 
Acknowledgments:

Name: the Xen project
Upstream: Paul Durrant (Citrix)
Comment 2 Pedro Sampaio 2018-11-21 18:11:33 UTC 
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1652251]