1513335 – (CVE-2017-17044, xsa246) CVE-2017-17044 xsa246 xen: x86: infinite loop due to missing PoD error checking (XSA-246)

Bug 1513335 (CVE-2017-17044, xsa246) - CVE-2017-17044 xsa246 xen: x86: infinite loop due to missing PoD error checking (XSA-246)

Summary: CVE-2017-17044 xsa246 xen: x86: infinite loop due to missing PoD error checki...

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2017-17044, xsa246
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1518214
Blocks:
TreeView+	depends on / blocked

Reported:	2017-11-15 08:45 UTC by Adam Mariš
Modified:	2021-02-17 01:14 UTC (History)
CC List:	13 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-11-28 12:43:07 UTC
Embargoed:

Attachments	(Terms of Use)

Description Adam Mariš 2017-11-15 08:45:37 UTC

ISSUE DESCRIPTION
=================

Failure to recognize errors being returned from low level functions in
Populate on Demand (PoD) code may result in higher level code entering
an infinite loop.

IMPACT
======

A malicious HVM guest can cause one pcpu to permanently hang.  This
normally cascades into the whole system freezing, resulting in a a
host Denial of Service (DoS).

VULNERABLE SYSTEMS
==================

Xen versions from 3.4.x onwards are affected.

Only x86 systems are vulnerable.  ARM is not vulnerable.

x86 PV VMs cannot leverage the vulnerability.

Only systems with 2MiB or 1GiB HAP pages enabled are vulnerable.

The vulnerability is largely restricted to HVM guests which have been
constructed in Populate-on-Demand mode (i.e. with memory < maxmem):

x86 HVM domains without PoD (i.e. started with memory == maxmem, or
without mentioning "maxmem" in the guest config file) also cannot
leverage the vulnerability, in recent enough Xen versions:
4.8.x and later: all versions safe if PoD not configured
4.7.x: 4.7.1 and later safe if PoD not configured
4.6.x: 4.6.4 and later safe if PoD not configured
4.5.x: 4.5.4 and later safe if PoD not configured
4.4.x and earlier: all versions vulnerable even if PoD not configured

The commit required to prevent this vulnerability when PoD
not configured is 2a99aa99fc84a45f505f84802af56b006d14c52e
xen/physmap: Do not permit a guest to populate PoD pages for itself
and the corresponding backports.

MITIGATION
==========

Running only PV guests will avoid this issue.

Running HVM guests only in non-PoD mode (maxmem == memory) will also
avoid this issue.  NOTE: In older releases of Xen, an HVM guest can
create PoD entries itself; so this mitigation will not be effective.

Specifying "hap_1gb=0 hap_2mb=0" on the hypervisor command line will
avoid the vulnerability.

Alternatively, running all x86 HVM guests in shadow mode will also
avoid this vulnerability.  (For example, by specifying "hap=0" in the
xl domain configuration file.)

External References:

http://xenbits.xen.org/xsa/advisory-246.html

Comment 1 Adam Mariš 2017-11-15 08:45:40 UTC

Acknowledgments:

Name: the Xen project
Upstream: Julien Grall (Linaro)

Comment 2 Adam Mariš 2017-11-28 12:42:12 UTC

Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1518214]

Note You need to log in before you can comment on or make changes to this bug.