Bug 1486710 (CVE-2017-14319, xsa234) - CVE-2017-14319 xsa234 xen: insufficient grant unmapping checks for x86 PV guests (XSA-234)
Summary: CVE-2017-14319 xsa234 xen: insufficient grant unmapping checks for x86 PV gue...
Status: NEW
Alias: CVE-2017-14319, xsa234
Product: Security Response
Classification: Other
Component: vulnerability   
(Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,public=20170912,repo...
Keywords: Security
Depends On: 1490884
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-08-30 11:56 UTC by Adam Mariš
Modified: 2017-09-12 12:24 UTC (History)
13 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Adam Mariš 2017-08-30 11:56:00 UTC
ISSUE DESCRIPTION
=================

When removing or replacing a grant mapping, the x86 PV specific path
needs to make sure page table entries remain in sync with other
accounting done.  Although the identity of the page frame was
validated correctly, neither the presence of the mapping nor page
writability were taken into account.

IMPACT
======

A malicious or buggy x86 PV guest could escalate its privileges or
crash the hypervisor.

VULNERABLE SYSTEMS
==================

All Xen versions are affected.

Only x86 PV guests can leverage the vulnerability.  x86 HVM guests as
well as ARM guests cannot leverage the vulnerability.

MITIGATION
==========

Running only HVM guests will avoid this vulnerability.  However, the
vulnerability is exposed to PV stub qemu serving as the device model
for HVM guests.  Our default assumption is that an HVM guest has
compromised its PV stub qemu.  By extension, it is likely that the
vulnerability is exposed to HVM guests which are served by a PV stub
qemu.

For PV guests, the vulnerability can be avoided if the guest kernel is
controlled by the host rather than guest administrator, provided that
further steps are taken to prevent the guest administrator from loading
code into the kernel (e.g. by disabling loadable modules etc) or from
using other mechanisms which allow them to run code at kernel privilege.

External References:

http://xenbits.xen.org/xsa/advisory-234.html

Comment 1 Adam Mariš 2017-09-12 12:21:35 UTC
Acknowledgments:

Name: Andrew Cooper (Citrix)

Comment 2 Adam Mariš 2017-09-12 12:24:05 UTC
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1490884]


Note You need to log in before you can comment on or make changes to this bug.