Bug 1823942 (CVE-2020-11742)

Summary: CVE-2020-11742 xen: bad continuation handling in GNTTABOP_copy (XSA-318)
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Version: unspecified
CC: acaringi, ailan, bhu, brdeoliv, darunesh, dhoward, drjones, dvlasenk, fhrbata, hkrzesin, imammedo, jforbes, jshortt, jstancek, knoel, m.a.young, mrezanin, nmurray, pbonzini, robinlee.sysu, rvrbovsk, vkuznets, xen-maint
Keywords: Security
Hardware: All
OS: Linux
Doc Type: No Doc Update
Last Closed: 2020-04-16 15:44:23 UTC
Bug Depends On: 1823943
Bug Blocks: 1823363, 1823944

Description Guilherme de Almeida Suckevicz 2020-04-14 20:16:55 UTC
An issue was discovered in Xen through 4.13.x, allowing guest OS users to cause a denial of service because of bad continuation handling in GNTTABOP_copy. Grant table operations are expected to return 0 for success, and a negative number for errors. The fix for CVE-2017-12135 introduced a path through grant copy handling where success may be returned to the caller without any action taken. In particular, the status fields of individual operations are left uninitialised, and may result in errant behaviour in the caller of GNTTABOP_copy. A buggy or malicious guest can construct its grant table in such a way that, when a backend domain tries to copy a grant, it hits the incorrect exit path. This returns success to the caller without doing anything, which may cause crashes or other incorrect behaviour.

Reference:
https://xenbits.xen.org/xsa/advisory-318.html
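
Added example (not Xen's or Red Hat's code) of the defensive check a backend-side caller of GNTTABOP_copy can apply against the failure mode described above: seed every per-op status with a sentinel before the call and refuse to treat a bare 0 return as success while any status is still unset. The struct, the GNTST_ constants and fake_gnttab_copy() are simplified stand-ins assumed for this example; the real op is struct gnttab_copy from Xen's grant_table.h.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified model of Xen's grant-copy op (real: struct gnttab_copy). */
struct gnttab_copy_model {
    uint16_t len;
    int16_t  status;   /* per-op result, written by the hypervisor */
};

#define GNTST_okay           0
#define GNTST_general_error (-1)
#define STATUS_UNSET       (-128)  /* sentinel: never written by a processed op */

/* Constructed stand-in for the GNTTABOP_copy hypercall. With buggy_exit set
 * it mimics the XSA-318 path: returns 0 without touching any op. */
static int fake_gnttab_copy(struct gnttab_copy_model *ops, size_t n, int buggy_exit)
{
    if (buggy_exit)
        return 0;
    for (size_t i = 0; i < n; i++)
        ops[i].status = GNTST_okay;
    return 0;
}

/* Returns 0 only if the batch succeeded AND every op reports GNTST_okay.
 * An op whose status was never written is downgraded to an error. */
int checked_gnttab_copy(struct gnttab_copy_model *ops, size_t n, int buggy_exit)
{
    for (size_t i = 0; i < n; i++)
        ops[i].status = STATUS_UNSET;       /* seed before the call */
    int rc = fake_gnttab_copy(ops, n, buggy_exit);
    if (rc != 0)
        return rc;
    for (size_t i = 0; i < n; i++) {
        if (ops[i].status == STATUS_UNSET) {
            ops[i].status = GNTST_general_error;
            rc = GNTST_general_error;
        } else if (ops[i].status != GNTST_okay && rc == 0) {
            rc = ops[i].status;
        }
    }
    return rc;
}

/* Two-op batch; buggy_exit selects the correct or the XSA-318-style path. */
int demo_batch(int buggy_exit)
{
    struct gnttab_copy_model ops[2] = { { .len = 64 }, { .len = 128 } };
    return checked_gnttab_copy(ops, 2, buggy_exit);
}
```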

Comment 1 Guilherme de Almeida Suckevicz 2020-04-14 20:17:12 UTC
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1823943]

Comment 2 Petr Matousek 2021-09-29 12:05:16 UTC
*** Bug 1823361 has been marked as a duplicate of this bug. ***