Bug 1399746 (CVE-2016-9815, CVE-2016-9816, CVE-2016-9817, CVE-2016-9818, xsa201) - CVE-2016-9815 CVE-2016-9816 CVE-2016-9817 CVE-2016-9818 xsa201 xen: ARM guests may induce host asynchronous abort (XSA-201)
Summary: CVE-2016-9815 CVE-2016-9816 CVE-2016-9817 CVE-2016-9818 xsa201 xen: ARM guest...
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2016-9815, CVE-2016-9816, CVE-2016-9817, CVE-2016-9818, xsa201
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1399747
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-11-29 16:02 UTC by Adam Mariš
Modified: 2019-09-29 14:01 UTC (History)
11 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-08 03:02:50 UTC


Attachments (Terms of Use)

Description Adam Mariš 2016-11-29 16:02:07 UTC
ISSUE DESCRIPTION
=================

Depending on how the hardware and firmware have been integrated,
guest-triggered asynchronous aborts (SError on ARMv8) may be received
by the hypervisor.  The current action is to crash the host.

A guest might trigger an asynchronous abort when accessing memory
mapped hardware in a non-conventional way.  Even if device
pass-through has not been configured, the hypervisor may give the
guest access to memory mapped hardware in order to take advantage of
hardware virtualization.

IMPACT
======

A malicious guest may be able to crash the host.

VULNERABLE SYSTEMS
==================

All Xen versions which support ARM are potentially affected.

Whether a particular ARM systems is affected depends on technical
details of the hardware and/or firmware.

x86 systems are not affected.

MITIGATION
==========

On systems where the guest kernel is controlled by the host rather than
guest administrator, running only kernels which do not expose MMIO to
userspace will prevent untrusted guest users from exploiting this issue.
However untrusted guest administrators can still trigger it unless
further steps are taken to prevent them from loading code into the
kernel (e.g by disabling loadable modules etc) or from using other
mechanisms which allow them to run code at kernel privilege.

NOTE REGARDING LACK OF EMBARGO
==============================

The issue was discussed publicly (and has been fixed already in KVM in
public trees).

CREDITS
=======

This issue was discovered by ARM engineering personnel.

External References:

http://xenbits.xen.org/xsa/advisory-201.html

Acknowledgements:

Name: the Xen project
Upstream: ARM engineering personnel

Comment 1 Adam Mariš 2016-11-29 16:02:49 UTC
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1399747]

Comment 2 Andrej Nemec 2016-12-06 14:11:20 UTC
CVE assignments:

http://seclists.org/oss-sec/2016/q4/588


Note You need to log in before you can comment on or make changes to this bug.