Bug 1679332 (CVE-2019-17341)

Summary: CVE-2019-17341 xen: xsa285: race with pass-through device hotplug
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: ailan, drjones, imammedo, jforbes, knoel, m.a.young, mrezanin, pbonzini, rkrcmar, robinlee.sysu, security-response-team, vkuznets, xen-maint
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-10 10:48:32 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1685577    
Bug Blocks:    

Description Pedro Sampaio 2019-02-20 22:14:49 UTC 
When adding a passed-through PCI device to a domain after it was already
started, IOMMU page tables may need constructing on the fly. For PV
guests the decision whether a page ought to have a mapping is based on
whether the page is writable, to prevent IOMMU access to things like
page tables. Writablility of a page may, however, change at any time.
Failure of the relevant code to respect this possible race may lead
to IOMMU mappings of, in particular, page tables, allowing the guest
to alter such page tables without Xen auditing the changes.
Comment 1 Andrej Nemec 2019-03-05 13:18:36 UTC 
References:

https://seclists.org/oss-sec/2019/q1/158
Comment 2 Andrej Nemec 2019-03-05 14:26:20 UTC 
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1685577]