Bug 1823942 (CVE-2020-11742) - CVE-2020-11742 xen: bad continuation handling in GNTTABOP_copy (XSA-318)
Summary: CVE-2020-11742 xen: bad continuation handling in GNTTABOP_copy (XSA-318)
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2020-11742
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1823943
Blocks: 1823944
TreeView+ depends on / blocked
 
Reported: 2020-04-14 20:16 UTC by Guilherme de Almeida Suckevicz
Modified: 2020-08-28 14:16 UTC (History)
22 users (show)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-04-16 15:44:23 UTC


Attachments (Terms of Use)

Description Guilherme de Almeida Suckevicz 2020-04-14 20:16:55 UTC
An issue was discovered in Xen through 4.13.x, allowing guest OS users to cause a denial of service because of bad continuation handling in GNTTABOP_copy. Grant table operations are expected to return 0 for success, and a negative number for errors. The fix for CVE-2017-12135 introduced a path through grant copy handling where success may be returned to the caller without any action taken. In particular, the status fields of individual operations are left uninitialised, and may result in errant behaviour in the caller of GNTTABOP_copy. A buggy or malicious guest can construct its grant table in such a way that, when a backend domain tries to copy a grant, it hits the incorrect exit path. This returns success to the caller without doing anything, which may cause crashes or other incorrect behaviour.

Reference:
https://xenbits.xen.org/xsa/advisory-318.html

Comment 1 Guilherme de Almeida Suckevicz 2020-04-14 20:17:12 UTC
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1823943]


Note You need to log in before you can comment on or make changes to this bug.