Bug 2002785 (CVE-2021-28701) - CVE-2021-28701 xen: another race in XENMAPSPACE_grant_table handling
Summary: CVE-2021-28701 xen: another race in XENMAPSPACE_grant_table handling
Keywords:
Status: CLOSED UPSTREAM
Alias: CVE-2021-28701
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: medium medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2002786
Blocks:
Reported: 2021-09-09 17:59 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-09-09 18:21 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-09-09 18:21:15 UTC



Description Guilherme de Almeida Suckevicz 2021-09-09 17:59:56 UTC
Another race in XENMAPSPACE_grant_table handling

Guests are permitted access to certain Xen-owned pages of memory. The majority of such pages remain allocated / associated with a guest for its entire lifetime. Grant table v2 status pages, however, are de-allocated when a guest switches (back) from v2 to v1.

Freeing such pages requires that the hypervisor enforce that no parallel request can result in the addition of a mapping of such a page to a guest. That enforcement was missing, allowing guests to retain access to pages that were freed and perhaps re-used for other purposes.

Unfortunately, when XSA-379 was being prepared, this similar issue was not noticed.

References:
https://xenbits.xenproject.org/xsa/advisory-384.txt
http://www.openwall.com/lists/oss-security/2021/09/08/2

Comment 1 Guilherme de Almeida Suckevicz 2021-09-09 18:00:12 UTC
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 2002786]

Comment 2 Product Security DevOps Team 2021-09-09 18:21:15 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.
