Bug 1304627 (CVE-2016-2270, xsa154) - CVE-2016-2270 xsa154 xen: inconsistent cachability flags on guest mappings (XSA-154)
Summary: CVE-2016-2270 xsa154 xen: inconsistent cachability flags on guest mappings (X...
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2016-2270, xsa154
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1309324
Blocks: 1304631
TreeView+ depends on / blocked
 
Reported: 2016-02-04 08:51 UTC by Martin Prpič
Modified: 2019-09-29 13:43 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-02-26 12:28:40 UTC


Attachments (Terms of Use)

Description Martin Prpič 2016-02-04 08:51:40 UTC
ISSUE DESCRIPTION
=================

Multiple mappings of the same physical page with different cachability setting can cause problems. While one category (risk of using stale data) affects only guests themselves (and hence avoiding this can be left for them to control), the other category being Machine Check exceptions can be fatal to entire hosts. According to the information we were able to gather, only mappings of MMIO pages may surface this second category, but even for them there were cases where the hypervisor did not properly enforce consistent cachability.

IMPACT
======

A malicious guest administrator might be able to cause a reboot, denying service to the entire host.

VULNERABLE SYSTEMS
==================

Only x86 guests given control over some physical device can trigger this vulnerability. ARM systems are not vulnerable.

The vulnerability depends on the system response to mapping the same memory with different cacheability. On some systems this is harmless; on others, depending on CPU and chipset, it may be fatal.

MITIGATION
==========

Not handing physical devices to guests will also avoid this issue.


External References:

http://xenbits.xen.org/xsa/advisory-154.html

Acknowledgements:

Red Hat would like to thank the Xen project for reporting this issue.

Comment 1 Andrej Nemec 2016-02-17 13:24:42 UTC
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1309324]

Comment 2 Andrej Nemec 2016-02-17 13:24:55 UTC
Public via:

http://seclists.org/oss-sec/2016/q1/356

Comment 3 Fedora Update System 2016-02-26 19:23:31 UTC
xen-4.5.2-8.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 4 Fedora Update System 2016-03-06 23:18:33 UTC
xen-4.5.2-8.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.