Bug 1499820 (CVE-2017-15595, xsa240) - CVE-2017-15595 xsa240 xen: Unlimited recursion in linear pagetable de-typing (XSA-240)
Summary: CVE-2017-15595 xsa240 xen: Unlimited recursion in linear pagetable de-typing ...
Alias: CVE-2017-15595, xsa240
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1501391
TreeView+ depends on / blocked
Reported: 2017-10-09 12:51 UTC by Adam Mariš
Modified: 2021-02-17 01:26 UTC (History)
13 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-06-08 03:27:11 UTC

Attachments (Terms of Use)

Description Adam Mariš 2017-10-09 12:51:30 UTC

x86 PV guests are permitted to set up certain forms of what is often
called "linear page tables", where pagetables contain references to
other pagetables at the same level or higher.  Certain restrictions
apply in order to fit into Xen's page type handling system.  An
important restriction was missed, however: Stacking multiple layers
of page tables of the same level on top of one another is not very
useful, and the tearing down of such an arrangement involves
recursion.  With sufficiently many layers such recursion will result
in a stack overflow, commonly resulting in Xen to crash.


A malicious or buggy PV guest may cause the hypervisor to crash,
resulting in Denial of Service (DoS) affecting the entire host.
Privilege escalation and information leaks cannot be excluded.


All Xen versions from at least 3.2 onwards are vulnerable.  Earlier
versions have not been checked.

Only x86 systems are affected.  ARM systems are not affected.

Only x86 PV guests can leverage the vulnerability.  x86 HVM guests
cannot leverage the vulnerability.


Running only HVM guests will avoid this vulnerability.

For PV guests, the vulnerability can be avoided if the guest kernel is
controlled by the host rather than guest administrator, provided that
further steps are taken to prevent the guest administrator from loading
code into the kernel (e.g. by disabling loadable modules etc) or from
using other mechanisms which allow them to run code at kernel privilege.

External References:


Comment 1 Adam Mariš 2017-10-12 13:42:34 UTC
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1501391]

Comment 2 Adam Mariš 2017-10-18 15:06:25 UTC

Name: the Xen project
Upstream: Jann Horn (Google)

Note You need to log in before you can comment on or make changes to this bug.