1458878 – (CVE-2017-10920, CVE-2017-10921, CVE-2017-10922, xsa224) CVE-2017-10920 CVE-2017-10921 CVE-2017-10922 xsa224 xen: grant table operations mishandle reference counts (XSA-224)

Bug 1458878 (CVE-2017-10920, CVE-2017-10921, CVE-2017-10922, xsa224) - CVE-2017-10920 CVE-2017-10921 CVE-2017-10922 xsa224 xen: grant table operations mishandle reference counts (XSA-224)

Summary: CVE-2017-10920 CVE-2017-10921 CVE-2017-10922 xsa224 xen: grant table operatio...

Keywords:
Status:	CLOSED WONTFIX
Alias:	CVE-2017-10920, CVE-2017-10921, CVE-2017-10922, xsa224
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1463247
Blocks:
TreeView+	depends on / blocked

Reported:	2017-06-05 17:43 UTC by Adam Mariš
Modified:	2021-02-17 02:04 UTC (History)
CC List:	13 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-08-24 09:22:03 UTC
Embargoed:

Attachments	(Terms of Use)

Description Adam Mariš 2017-06-05 17:43:35 UTC

ISSUE DESCRIPTION
=================

We have discovered a number of bugs in the code mapping and unmapping
grant references.

* If a grant is mapped with both the GNTMAP_device_map and
GNTMAP_host_map flags, but unmapped only with host_map, the device_map
portion remains but the page reference counts are lowered as though it
had been removed. This bug can be leveraged cause a page's reference
counts and type counts to fall to zero while retaining writeable
mappings to the page.

* Under some specific conditions, if a grant is mapped with both the
GNTMAP_device_map and GNTMAP_host_map flags, the operation may not
grab sufficient type counts.  When the grant is then unmapped, the
type count will be erroneously reduced.  This bug can be leveraged
cause a page's reference counts and type counts to fall to zero while
retaining writeable mappings to the page.

* When a grant reference is given to an MMIO region (as opposed to a
normal guest page), if the grant is mapped with only the
GNTMAP_device_map flag set, a mapping is created at host_addr anyway.
This does *not* cause reference counts to change, but there will be no
record of this mapping, so it will not be considered when reporting
whether the grant is still in use.

IMPACT
======

For the worst issue, a PV guest could gain a writeable mapping of its
own pagetable, allowing it to escalate its privileges to that of the
host.

VULNERABLE SYSTEMS
==================

All versions of Xen are vulnerable.

Only x86 systems are vulnerable.

Any system running untrusted PV guests is vulnerable.

Systems with untrusted HVM guests are only vulnerable if those guests
are served by a trusted PV backend which is vulnerable: Namely, one
which calls grant_map() with both the GNTMAP_device_map and
GNTMAP_host_map flags.  The security team is not aware of any backends
which are vulnerable.

Mitigation:

Running only HVM guests will avoid this vulnerability.

External References:

http://xenbits.xen.org/xsa/advisory-224.html

Acknowledgements:

Name: the Xen project
Upstream: Jan Beulich (SUSE)

Comment 1 Adam Mariš 2017-06-20 12:36:46 UTC

Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1463247]

Note You need to log in before you can comment on or make changes to this bug.