Bug 1685570 (CVE-2019-17345)

Summary: CVE-2019-17345 xen: xsa291: x86/PV: page type reference counting issue with failed IOMMU update
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: ailan, drjones, imammedo, jforbes, knoel, m.a.young, mrezanin, pbonzini, rkrcmar, robinlee.sysu, vkuznets, xen-maint
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-10 10:49:59 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1685577    
Bug Blocks:    

Description Andrej Nemec 2019-03-05 14:19:12 UTC 
When an x86 PV domain has a passed-through PCI device assigned, IOMMU
mappings may need to be updated when the type of a particular page
changes.  Such an IOMMU operation may fail.  In the event of failure,
while at present the affected guest would be forcibly crashed, the
already recorded additional type reference was not dropped again.  This
causes a bug check to trigger while cleaning up after the crashed
guest.

Malicious or buggy x86 PV guest kernels can mount a Denial of Service
(DoS) attack affecting the whole system.

References:

https://seclists.org/oss-sec/2019/q1/159
Comment 1 Andrej Nemec 2019-03-05 14:26:24 UTC 
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1685577]