Bug 1902766 (CVE-2020-29040)

Summary: CVE-2020-29040 xen: stack corruption from XSA-346 change (XSA-355)
Product: [Other] Security Response
Reporter: Mauro Matteo Cascella <mcascell>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: acaringi, ailan, bhu, bmasney, brdeoliv, darunesh, dhoward, drjones, dvlasenk, fhrbata, hkrzesin, imammedo, jforbes, jshortt, jstancek, knoel, m.a.young, mrezanin, nmurray, pbonzini, ptalbert, robinlee.sysu, rvrbovsk, vkuznets, walters, xen-maint
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
An off-by-one flaw was found in one of the two patches for CVE-2020-27671 (XSA-346). This flaw allows malicious x86 HVM and PVH guests to cause host data corruption and data leaks, resulting in a denial of service or potential privilege escalation. The highest threat from this vulnerability is to confidentiality, integrity as well as system availability.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-11-30 17:34:13 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1902769
Bug Blocks: 1901108

Description Mauro Matteo Cascella 2020-11-30 15:38:21 UTC
One of the two changes for XSA-346 introduced an on-stack array. The check for guarding against overrunning this array was off by one, allowing for corruption of the first stack slot immediately following this array.

Upstream fix:
https://xenbits.xen.org/xsa/xsa355.patch
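The bug class described above, as an added illustration that is not part of this bug report and not the Xen source: a fixed-size on-stack batch array whose "is the batch full?" guard is off by one. The batch size, the `>` versus `>=` shape of the guard and all names are assumptions for the illustration; the extra slot after the array is kept inside the same object so the program stays well-defined, whereas in the hypervisor the same store would clobber whatever the compiler placed next on the stack.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed batch size for the illustration; the real array size in the
 * Xen change is not stated on this page. */
#define BATCH 16

/* Backing store: BATCH slots for the on-stack array plus one extra slot
 * that stands in for the first stack slot following the array. */
#define NEXT_SLOT BATCH
#define SENTINEL  0xDEADBEEFul

/* Record `n` items into a fixed-size batch, flushing whenever the batch
 * fills.  `buggy` selects the assumed off-by-one guard (`>`), which lets
 * `done` reach BATCH so the next store lands in slot BATCH; the corrected
 * guard (`>=`) flushes as soon as the last valid slot has been written.
 * Returns the number of flushes; *corrupted reports whether the slot
 * beyond the array was overwritten. */
static unsigned run_batch(unsigned n, bool buggy, bool *corrupted)
{
    unsigned long slots[BATCH + 1];
    unsigned done = 0, flushes = 0;

    memset(slots, 0, sizeof slots);
    slots[NEXT_SLOT] = SENTINEL;

    for (unsigned i = 0; i < n; i++) {
        slots[done] = i + 1;                 /* store into array[done] */
        if (buggy ? (++done > BATCH) : (++done >= BATCH)) {
            flushes++;                       /* batch full: flush it */
            done = 0;
        }
    }
    if (done)
        flushes++;                           /* flush the partial tail */

    *corrupted = slots[NEXT_SLOT] != SENTINEL;
    return flushes;
}

/* Convenience wrappers so the two outcomes can be checked separately. */
static unsigned flushes_for(unsigned n, bool buggy)
{
    bool c;
    return run_batch(n, buggy, &c);
}

static bool corrupts(unsigned n, bool buggy)
{
    bool c;
    run_batch(n, buggy, &c);
    return c;
}

int main(void)
{
    /* One item more than the array holds is enough to hit the slot
     * past the array with the buggy guard; the fixed guard never does. */
    for (unsigned n = BATCH - 1; n <= BATCH + 1; n++)
        printf("n=%2u  buggy guard: corrupted=%d flushes=%u   "
               "fixed guard: corrupted=%d flushes=%u\n",
               n, corrupts(n, true), flushes_for(n, true),
               corrupts(n, false), flushes_for(n, false));
    return 0;
}
```

The practical check this suggests when reviewing such a change: a post-increment guard on an index that has just been used as a store target must compare against the array size with `>=` (or compare before the store), and a test that feeds exactly `BATCH + 1` items through the loop catches the boundary that a test of `BATCH` items does not.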

Comment 1 Mauro Matteo Cascella 2020-11-30 15:38:29 UTC
Acknowledgments:

Name: the Xen project

Comment 2 Mauro Matteo Cascella 2020-11-30 15:40:18 UTC
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1902769]

Comment 3 Mauro Matteo Cascella 2020-11-30 15:41:03 UTC
External References:

https://xenbits.xen.org/xsa/advisory-355.html

Comment 4 Mauro Matteo Cascella 2020-11-30 15:41:49 UTC
Mitigation:

Avoid passing through physical devices to untrusted guests.

Comment 5 Mauro Matteo Cascella 2020-12-03 08:41:30 UTC
*** Bug 1903746 has been marked as a duplicate of this bug. ***