Bug 1458872 (CVE-2017-10913, CVE-2017-10914, xsa218) - CVE-2017-10913 CVE-2017-10914 xsa218 xen: Races in the grant table unmap code (XSA-218)
Summary: CVE-2017-10913 CVE-2017-10914 xsa218 xen: Races in the grant table unmap code...
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2017-10913, CVE-2017-10914, xsa218
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1463247
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-06-05 17:43 UTC by Adam Mariš
Modified: 2019-09-29 14:14 UTC (History)
13 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-08 03:14:30 UTC


Attachments (Terms of Use)

Description Adam Mariš 2017-06-05 17:43:01 UTC
ISSUE DESCRIPTION
=================

We have discovered two bugs in the code unmapping grant references.

* When a grant had been mapped twice by a backend domain, and then
unmapped by two concurrent unmap calls, the frontend may be informed
that the page had no further mappings when the first call completed rather
than when the second call completed.

* A race triggerable by an unprivileged guest could cause a grant
maptrack entry for grants to be "freed" twice.  The ultimate effect of
this would be for maptrack entries for a single domain to be re-used.

IMPACT
======

For the first issue, for a short window of time, a malicious backend
could still read and write memory that the frontend thought was its
own again.  Depending on the usage, this could be either an
information leak, or a backend-to-frontend privilege escalation.

The second issue is more difficult to analyze. It can probably cause
reference counts to leak, preventing memory from being freed on domain
destruction (denial-of-service), but information leakage or host
privilege escalation cannot be ruled out.

VULNERABLE SYSTEMS
==================

All versions of Xen are vulnerable.

Both ARM and x86 are vulnerable.

On x86, systems with either PV or HVM guests are vulnerable.

MITIGATION
==========

None.

External References:

http://xenbits.xen.org/xsa/advisory-218.html

Acknowledgements:

Name: the Xen project
Upstream: Jann Horn (Google)

Comment 1 Adam Mariš 2017-06-20 12:35:11 UTC
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1463247]


Note You need to log in before you can comment on or make changes to this bug.