Bug 1685568 - xen: xsa284: grant table transfer issues on large hosts
Summary: xen: xsa284: grant table transfer issues on large hosts
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1685577
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-03-05 14:13 UTC by Andrej Nemec
Modified: 2019-09-29 15:08 UTC (History)
12 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-10 10:49:58 UTC
Embargoed:

Attachments (Terms of Use)

Description Andrej Nemec 2019-03-05 14:13:32 UTC 
When the code processing grant table transfer requests finds a page with
an address too large to be represented in the interface with the guest,
it allocates a replacement page and copies page contents.  However, the
code doing so fails to set the newly allocated page's accounting
properties correctly, resulting in the page becoming not only unusable
by the target domain, but also unfreeable upon domain cleanup.  The page
as well as certain other remnants of an affected guest will be leaked.

Furthermore internal state of the processing code was also not updated
correctly, resulting in the insertion of an IOMMU mapping to the page
being replaced (and subsequently freed), allowing the domain access to
memory it does not own.

The primary impact is a memory leak.  Malicious or buggy guests with
passed through PCI devices may also be able to escalate their
privileges, crash the host, or access data belonging to other guests.

References:

https://seclists.org/oss-sec/2019/q1/157
Comment 1 Andrej Nemec 2019-03-05 14:26:35 UTC 
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1685577]
Note You need to log in before you can comment on or make changes to this bug.