Bug 1477657 (CVE-2017-12137, xsa227) - CVE-2017-12137 xsa227 xen: x86: PV privilege escalation via map_grant_ref (XSA-227)
Status: CLOSED WONTFIX
Alias: CVE-2017-12137, xsa227
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
Whiteboard: impact=important,public=20170815,repo...
Keywords: Security
Depends On: 1481765
Reported: 2017-08-02 14:43 UTC by Adam Mariš
Modified: 2017-08-24 09:23 UTC
Last Closed: 2017-08-24 09:23:20 UTC

Description Adam Mariš 2017-08-02 14:43:18 UTC
ISSUE DESCRIPTION
=================

When mapping a grant reference, a guest must inform Xen of where it
would like the grant mapped.  For PV guests, this is done by nominating
an existing linear address, or an L1 pagetable entry, to be altered.

Neither of these PV paths check for alignment of the passed parameter.
The linear address path suitably truncates the linear address when
calculating the L1 entry to use, but the path which uses a directly
nominated L1 entry performs no checks.

This causes Xen to make an incorrectly-aligned update to a pagetable,
which corrupts both the intended entry and the subsequent entry with
values which are largely guest controlled.  If the misaligned value
crosses a page boundary, then an arbitrary other heap page is
corrupted.

IMPACT
======

A PV guest can elevate its privilege to that of the host.

VULNERABLE SYSTEMS
==================

All versions of Xen are vulnerable.

Only x86 systems are vulnerable.

Any system running untrusted PV guests is vulnerable.

The vulnerability is exposed to PV stub qemu serving as the device model
for HVM guests.  Our default assumption is that an HVM guest has
compromised its PV stub qemu.  By extension, it is likely that the
vulnerability is exposed to HVM guests which are served by a PV stub
qemu.

MITIGATION
==========

Running only HVM guests, served by a dom0-based qemu, will avoid this
vulnerability.

External References:

http://xenbits.xen.org/xsa/advisory-227.html
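
The misaligned pagetable update described in the issue description above, as an added illustration that is not part of the bug report and is not Xen's code. A constructed two-page buffer stands in for an L1 table and the heap page after it; every name here (`heap`, `update_pte_unchecked`, `update_pte_checked`, `changed_slots`) is hypothetical, and the checked variant is one way to express the missing alignment test.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 4096u
#define PTE_SIZE  sizeof(uint64_t)   /* an x86-64 L1 entry is 8 bytes */
#define SLOTS     (2 * PAGE_SIZE / PTE_SIZE)

/* Constructed stand-in for two adjacent heap pages; page 0 plays the L1 table. */
static uint64_t heap[SLOTS];

void reset_heap(void) { memset(heap, 0, sizeof(heap)); }

/* Unchecked path: store 8 bytes at whatever byte offset was nominated. */
void update_pte_unchecked(size_t byte_off, uint64_t val)
{
    memcpy((unsigned char *)heap + byte_off, &val, sizeof(val));
}

/* Checked path: refuse offsets that are not on an entry boundary inside page 0. */
bool update_pte_checked(size_t byte_off, uint64_t val)
{
    if (byte_off % PTE_SIZE != 0 || byte_off >= PAGE_SIZE)
        return false;
    update_pte_unchecked(byte_off, val);
    return true;
}

/* Number of 8-byte slots in [first, last) that no longer hold zero. */
unsigned changed_slots(size_t first, size_t last)
{
    unsigned n = 0;
    for (size_t i = first; i < last; i++)
        n += heap[i] != 0;
    return n;
}

int main(void)
{
    const uint64_t val = 0x1111111111111111ULL;   /* constructed entry value */
    reset_heap(); update_pte_unchecked(16, val);
    printf("aligned:         %u entries changed\n", changed_slots(0, SLOTS));
    reset_heap(); update_pte_unchecked(20, val);
    printf("misaligned:      %u entries changed\n", changed_slots(0, SLOTS));
    reset_heap(); update_pte_unchecked(PAGE_SIZE - 4, val);
    printf("page-straddle:   %u slots changed in the next page\n", changed_slots(SLOTS / 2, SLOTS));
    reset_heap();
    printf("checked, off=20: %s\n", update_pte_checked(20, val) ? "applied" : "rejected");
    return 0;
}
```
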

Comment 2 Adam Mariš 2017-08-15 12:31:48 UTC
Acknowledgments:

Name: the Xen project
Upstream: Andrew Cooper (Citrix)

Comment 3 Adam Mariš 2017-08-15 16:15:23 UTC
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1481765]
