Subject: Xen Security Advisory 235 (CVE-2017-15596) - add-to-physmap error paths fail to release lock on ARM
From: Xen.org security team @ 2017-10-18 12:08 UTC (permalink / raw)
  To: xen-announce, xen-devel, xen-users, oss-security; +Cc: Xen.org security team

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2017-15596 / XSA-235
                              version 2

        add-to-physmap error paths fail to release lock on ARM

UPDATES IN VERSION 2
====================

CVE assigned.

ISSUE DESCRIPTION
=================

When dealing with the grant map space of add-to-physmap operations,
ARM specific code recognizes a number of error conditions, but fails
to release a lock being held on the respective exit paths.
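The bug class the advisory describes, as an added example that is not Xen's code: a cut-down C model of the add-to-physmap grant-map path with a toy lock counter, showing the pre-fix shape that returns with the lock still held beside the post-fix shape used by the XSA-235 patch (record INVALID_MFN, drop the lock, then fail). The grant-table layout, the toy lock, `struct domain` and the function names here are constructed assumptions; only the control-flow shape mirrors `xenmem_add_to_physmap_one()` in `xen/arch/arm/mm.c`.

```c
/* Added example, not Xen code: a cut-down model of the XSA-235 bug class.
 * Grant-table layout, toy lock and names are constructed for illustration;
 * only the control flow mirrors xenmem_add_to_physmap_one() in mm.c. */
#include <errno.h>
#include <stdio.h>

#define INVALID_MFN (~0UL)
#define XENMAPIDX_grant_table_status 0x80000000UL

/* Toy write lock: 'held' counts unbalanced acquisitions; 0 means released. */
struct toy_lock { int held; };
static void grant_write_lock(struct toy_lock *l)   { l->held++; }
static void grant_write_unlock(struct toy_lock *l) { l->held--; }

struct grant_table {
    struct toy_lock lock;
    unsigned int nr_shared;       /* number of valid shared frames */
    unsigned int nr_status;       /* number of valid status frames */
    unsigned long shared_mfn[4];  /* constructed sample frame numbers */
    unsigned long status_mfn[4];
};

struct domain {
    struct grant_table gt;
    unsigned long grant_table_gfn[8]; /* gfn recorded per grant frame index */
};

typedef int (*add_fn_t)(struct domain *, unsigned long, unsigned long,
                        unsigned long *);

/* Pre-fix shape: the out-of-range checks return while the lock is held. */
static int add_to_physmap_buggy(struct domain *d, unsigned long idx,
                                unsigned long gfn, unsigned long *mfn_out)
{
    unsigned long mfn;

    grant_write_lock(&d->gt.lock);
    if ( idx & XENMAPIDX_grant_table_status )
    {
        idx &= ~XENMAPIDX_grant_table_status;
        if ( idx < d->gt.nr_status )
            mfn = d->gt.status_mfn[idx];
        else
            return -EINVAL;      /* lock leaked: the unlock below never runs */
    }
    else
    {
        if ( idx < d->gt.nr_shared )
            mfn = d->gt.shared_mfn[idx];
        else
            return -EINVAL;      /* lock leaked: the unlock below never runs */
    }
    d->grant_table_gfn[idx] = gfn;
    grant_write_unlock(&d->gt.lock);
    *mfn_out = mfn;
    return 0;
}

/* Post-fix shape from the XSA-235 patch: note the failure in 'mfn', release
 * the lock on every path, and only then return the error. */
static int add_to_physmap_fixed(struct domain *d, unsigned long idx,
                                unsigned long gfn, unsigned long *mfn_out)
{
    unsigned long mfn = INVALID_MFN;

    grant_write_lock(&d->gt.lock);
    if ( idx & XENMAPIDX_grant_table_status )
    {
        idx &= ~XENMAPIDX_grant_table_status;
        if ( idx < d->gt.nr_status )
            mfn = d->gt.status_mfn[idx];
    }
    else if ( idx < d->gt.nr_shared )
        mfn = d->gt.shared_mfn[idx];

    if ( mfn != INVALID_MFN )
        d->grant_table_gfn[idx] = gfn;   /* bookkeeping only on success */
    grant_write_unlock(&d->gt.lock);     /* every path passes through here */
    if ( mfn == INVALID_MFN )
        return -EINVAL;
    *mfn_out = mfn;
    return 0;
}

/* Outcome of one call on a freshly constructed domain. */
struct outcome { int rc; int lock_held; unsigned long mfn; };

static struct outcome run_case(add_fn_t fn, unsigned long idx)
{
    /* Constructed domain: two shared frames and one status frame. */
    struct domain d = { .gt = { .nr_shared = 2, .nr_status = 1,
                                .shared_mfn = { 0x1000, 0x1001 },
                                .status_mfn = { 0x2000 } } };
    struct outcome o = { 0, 0, INVALID_MFN };

    o.rc = fn(&d, idx, 0x100, &o.mfn);
    o.lock_held = d.gt.lock.held;   /* 1 after the call means a leaked lock */
    return o;
}

int main(void)
{
    struct outcome b = run_case(add_to_physmap_buggy, 5); /* idx out of range */
    struct outcome f = run_case(add_to_physmap_fixed, 5);

    printf("buggy: rc=%d lock_held=%d\n", b.rc, b.lock_held); /* lock_held=1 */
    printf("fixed: rc=%d lock_held=%d\n", f.rc, f.lock_held); /* lock_held=0 */
    return 0;
}
```

On an out-of-range index the buggy variant returns -EINVAL with `lock_held` still 1; in a hypervisor that lock is never released, so the next grant-table user on that physical CPU spins forever, which is the denial of service the advisory describes. The fixed variant reaches the unlock on every path and only then reports the error, the same reordering the attached patches apply.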

IMPACT
======

A malicious guest administrator can cause a denial of service.
Specifically, it can prevent use of a physical CPU for an indefinite
period of time.

VULNERABLE SYSTEMS
==================

Xen versions 4.4 and later are vulnerable.  Xen versions 4.3 and
earlier are not vulnerable.

Only ARM systems are affected.  x86 systems are not affected.

MITIGATION
==========

On systems where the guest kernel is controlled by the host rather than
the guest administrator, running only kernels that issue sane
hypercalls will prevent untrusted guest users from exploiting this
issue.  However, untrusted guest administrators can still trigger it
unless further steps are taken to prevent them from loading code into
the kernel (e.g. by disabling loadable modules) or from using other
mechanisms which allow them to run code at kernel privilege.

CREDITS
=======

This issue was discovered by Wei Liu of Citrix.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa235.patch           xen-unstable
xsa235-4.9.patch       Xen 4.9.x, Xen 4.8.x
xsa235-4.7.patch       Xen 4.7.x
xsa235-4.6.patch       Xen 4.6.x
xsa235-4.5.patch       Xen 4.5.x

$ sha256sum xsa235*
6ec8bf9462de65fee3896246f52c00941b2d83c759b3f7b28a440eb977fcbc37  xsa235.meta
c81f534e96fe38b9f77794bb143d104d66ce2d7177bda43f872642616e23df65  xsa235.patch
3c21cb1a53f5979b069568c6cd6df3aad00c19e0e459e37625d6a3c0f4f360cc  xsa235-4.5.patch
47cda4f32b65f3543af368c324a2e5b308b698a1c7d8bc84fc274eb2cdb45c0e  xsa235-4.6.patch
f30848eee71e66687b421b87be1d8e3f454c0eb395422546c62a689153d1e31c  xsa235-4.7.patch
d8f012734fbf6019c1ff864744e308c41dfb9c7804ca3be2771c2c972cdf4bd5  xsa235-4.9.patch
$

NOTE REGARDING LACK OF EMBARGO
==============================

The issue was discussed publicly before being recognized as a security
issue.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJZ50QUAAoJEIP+FMlX6CvZR0QH/RdlZ9q8CcqWVVF+De8dlKwk
HtgYWWGK/gYgfiwhnYT1fJlW3XZOvbf/fZDUTnuFYL6izJtpcEPuEb3tWM5Nzcs/
u85wyYQmzmDPRCJVuONamWFc0vnSBvb1NqKVqwQEBo3WVbPS5YwIaFgA/z8lZaT9
NV90FLOBjjRyh9ktxqtGQQvt1JcxVxNWLbV974PwFuURMC5kTt2eNvU2vOmgWV5V
gmlBcJyMEzAaZKCmotkt1Tla82ydXG1F+obaLhSVRWp0JFugvVJX9I3cqZk4rovv
HKqLm1bmzloWPo2wvjSnRJIVu9us3MD4VqjxWOwQQq1nrTdDdlMcC6sfn93PaVo=
=R0BH
-----END PGP SIGNATURE-----

[-- Attachment #2: xsa235.meta --]
[-- Type: application/octet-stream, Size: 1585 bytes --]

{
  "XSA": 235,
  "SupportedVersions": [
    "master",
    "4.9",
    "4.8",
    "4.7",
    "4.6",
    "4.5"
  ],
  "Trees": [
    "xen"
  ],
  "Recipes": {
    "4.5": {
      "XenVersion": "4.5",
      "Recipes": {
        "xen": {
          "StableRef": "3217129eb65c0d4995ed08fb8919e3c334cad548",
          "Prereqs": [],
          "Patches": [ "xsa235-4.5.patch" ]
        }
      }
    },
    "4.6": {
      "XenVersion": "4.6",
      "Recipes": {
        "xen": {
          "StableRef": "b4660b4d4a35edac715c003c84326de2b0fa4f47",
          "Prereqs": [],
          "Patches": [ "xsa235-4.6.patch" ]
        }
      }
    },
    "4.7": {
      "XenVersion": "4.7",
      "Recipes": {
        "xen": {
          "StableRef": "5151257626155d6e331cc9e66d896c84db1611e1",
          "Prereqs": [],
          "Patches": [ "xsa235-4.7.patch" ]
        }
      }
    },
    "4.8": {
      "XenVersion": "4.8",
      "Recipes": {
        "xen": {
          "StableRef": "f5211ce75821e0f2cc55effd28dfbe908226970f",
          "Prereqs": [],
          "Patches": [ "xsa235-4.9.patch" ]
        }
      }
    },
    "4.9": {
      "XenVersion": "4.9",
      "Recipes": {
        "xen": {
          "StableRef": "9bf14bbf990843bfec16a5d69d36cf46c7593d88",
          "Prereqs": [],
          "Patches": [ "xsa235-4.9.patch" ]
        }
      }
    },
    "master": {
      "XenVersion": "master",
      "Recipes": {
        "xen": {
          "StableRef": "9053a74c08fd6abf43bb45ff932b4386de7e8510",
          "Prereqs": [],
          "Patches": [ "xsa235.patch" ]
        }
      }
    }
  }
}

[-- Attachment #3: xsa235.patch --]
[-- Type: application/octet-stream, Size: 1508 bytes --]

From: Jan Beulich <jbeulich@suse.com>
Subject: arm/mm: release grant lock on xenmem_add_to_physmap_one() error paths

Commit 55021ff9ab ("xen/arm: add_to_physmap_one: Avoid to map mfn 0 if
an error occurs") introduced error paths not releasing the grant table
lock. Replace them by a suitable check after the lock was dropped.

This is XSA-235.

Reported-by: Wei Liu <wei.liu2@citrix.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Julien Grall <julien.grall@arm.com>

--- a/xen/arch/arm/mm.c
+++ b/xen/arch/arm/mm.c
@@ -1240,8 +1240,6 @@ int xenmem_add_to_physmap_one(
             idx &= ~XENMAPIDX_grant_table_status;
             if ( idx < nr_status_frames(d->grant_table) )
                 mfn = virt_to_mfn(d->grant_table->status[idx]);
-            else
-                return -EINVAL;
         }
         else
         {
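Review bot: dropping the `else return -EINVAL;` here means that when `idx` is out of range `mfn` keeps whatever value it had before this block, so the `mfn_eq(mfn, INVALID_MFN)` test in the next hunk only works if `mfn` is initialised to INVALID_MFN before the grant-table branch, which lies outside this hunk's context. Worth confirming in the tree, or keeping an explicit `mfn = INVALID_MFN;` in the `else` as the stable backports of this patch do.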
@@ -1251,15 +1249,20 @@ int xenmem_add_to_physmap_one(
 
             if ( idx < nr_grant_frames(d->grant_table) )
                 mfn = virt_to_mfn(d->grant_table->shared_raw[idx]);
-            else
-                return -EINVAL;
         }
 
-        d->arch.grant_table_gfn[idx] = gfn;
+        if ( !mfn_eq(mfn, INVALID_MFN) )
+        {
+            d->arch.grant_table_gfn[idx] = gfn;
 
-        t = p2m_ram_rw;
+            t = p2m_ram_rw;
+        }
 
         grant_write_unlock(d->grant_table);
+
+        if ( mfn_eq(mfn, INVALID_MFN) )
+            return -EINVAL;
+
         break;
     case XENMAPSPACE_shared_info:
         if ( idx != 0 )
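Review bot: the ordering is now right (note the failure, `grant_write_unlock(d->grant_table);`, then `return -EINVAL;`), but `mfn_eq(mfn, INVALID_MFN)` is evaluated twice, once to guard `d->arch.grant_table_gfn[idx] = gfn;` and once after the unlock. Computing `rc = mfn_eq(mfn, INVALID_MFN) ? -EINVAL : 0;` once under the lock and returning `rc` after the unlock would keep a single point of truth, and a short comment saying that `mfn` is a local copy (so re-testing it after the lock is dropped is race-free) would help the next reader. If further error paths are added to this case later, a common unlock-and-return exit label would keep them from reintroducing the same leak.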

[-- Attachment #4: xsa235-4.5.patch --]
[-- Type: application/octet-stream, Size: 1526 bytes --]

From: Jan Beulich <jbeulich@suse.com>
Subject: arm/mm: release grant lock on xenmem_add_to_physmap_one() error paths

Commit 55021ff9ab ("xen/arm: add_to_physmap_one: Avoid to map mfn 0 if
an error occurs") introduced error paths not releasing the grant table
lock. Replace them by a suitable check after the lock was dropped.

This is XSA-235.

Reported-by: Wei Liu <wei.liu2@citrix.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Julien Grall <julien.grall@arm.com>

--- a/xen/arch/arm/mm.c
+++ b/xen/arch/arm/mm.c
@@ -1052,7 +1052,7 @@ int xenmem_add_to_physmap_one(
             if ( idx < nr_status_frames(d->grant_table) )
                 mfn = virt_to_mfn(d->grant_table->status[idx]);
             else
-                return -EINVAL;
+                mfn = INVALID_MFN;
         }
         else
         {
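Review bot: the explicit `mfn = INVALID_MFN;` in the `else` is the more robust form, since it does not depend on how `mfn` was initialised earlier in the function (the unstable variant of this patch simply removes the `else` and relies on that initial value). The comparisons `mfn != INVALID_MFN` / `mfn == INVALID_MFN` used in the second hunk do rely on `mfn` and INVALID_MFN being plain scalars in this tree; the 4.9 backport handles the typesafe form with `mfn_x()`, so that is the line to revisit if this tree ever picks up `mfn_t`.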
@@ -1063,14 +1063,21 @@ int xenmem_add_to_physmap_one(
             if ( idx < nr_grant_frames(d->grant_table) )
                 mfn = virt_to_mfn(d->grant_table->shared_raw[idx]);
             else
-                return -EINVAL;
+                mfn = INVALID_MFN;
         }
         
-        d->arch.grant_table_gpfn[idx] = gpfn;
+        if ( mfn != INVALID_MFN )
+        {
+            d->arch.grant_table_gpfn[idx] = gpfn;
 
-        t = p2m_ram_rw;
+            t = p2m_ram_rw;
+        }
 
         spin_unlock(&d->grant_table->lock);
+
+        if ( mfn == INVALID_MFN )
+            return -EINVAL;
+
         break;
     case XENMAPSPACE_shared_info:
         if ( idx != 0 )
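Review bot: this tree releases the grant table with `spin_unlock(&d->grant_table->lock);` rather than a write unlock, so the lock acquisition at the top of this case (outside the hunk's context) should be checked to be the matching `spin_lock()` so that both the success path and the new error path stay balanced. The blank context line after the closing brace carries trailing whitespace; that is pre-existing and not something this patch should touch. As in the main patch, the INVALID_MFN test appears twice; a single `rc` computed under the lock would avoid the duplication.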

[-- Attachment #5: xsa235-4.6.patch --]
[-- Type: application/octet-stream, Size: 1527 bytes --]

From: Jan Beulich <jbeulich@suse.com>
Subject: arm/mm: release grant lock on xenmem_add_to_physmap_one() error paths

Commit 55021ff9ab ("xen/arm: add_to_physmap_one: Avoid to map mfn 0 if
an error occurs") introduced error paths not releasing the grant table
lock. Replace them by a suitable check after the lock was dropped.

This is XSA-235.

Reported-by: Wei Liu <wei.liu2@citrix.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Julien Grall <julien.grall@arm.com>

--- a/xen/arch/arm/mm.c
+++ b/xen/arch/arm/mm.c
@@ -1073,7 +1073,7 @@ int xenmem_add_to_physmap_one(
             if ( idx < nr_status_frames(d->grant_table) )
                 mfn = virt_to_mfn(d->grant_table->status[idx]);
             else
-                return -EINVAL;
+                mfn = INVALID_MFN;
         }
         else
         {
@@ -1084,14 +1084,21 @@ int xenmem_add_to_physmap_one(
             if ( idx < nr_grant_frames(d->grant_table) )
                 mfn = virt_to_mfn(d->grant_table->shared_raw[idx]);
             else
-                return -EINVAL;
+                mfn = INVALID_MFN;
         }
         
-        d->arch.grant_table_gpfn[idx] = gpfn;
+        if ( mfn != INVALID_MFN )
+        {
+            d->arch.grant_table_gpfn[idx] = gpfn;
 
-        t = p2m_ram_rw;
+            t = p2m_ram_rw;
+        }
 
         write_unlock(&d->grant_table->lock);
+
+        if ( mfn == INVALID_MFN )
+            return -EINVAL;
+
         break;
     case XENMAPSPACE_shared_info:
         if ( idx != 0 )
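Review bot: `write_unlock(&d->grant_table->lock);` here versus `grant_write_unlock(d->grant_table);` in 4.7 and later: the release primitive must pair with the acquisition at the top of this case, which the hunk context does not show, so that pairing is the one thing to verify when porting a lock-release fix between trees. The reshuffle itself (guarded bookkeeping, unconditional unlock, then `return -EINVAL;`) matches the 4.5 and 4.7 variants.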

[-- Attachment #6: xsa235-4.7.patch --]
[-- Type: application/octet-stream, Size: 1526 bytes --]

From: Jan Beulich <jbeulich@suse.com>
Subject: arm/mm: release grant lock on xenmem_add_to_physmap_one() error paths

Commit 55021ff9ab ("xen/arm: add_to_physmap_one: Avoid to map mfn 0 if
an error occurs") introduced error paths not releasing the grant table
lock. Replace them by a suitable check after the lock was dropped.

This is XSA-235.

Reported-by: Wei Liu <wei.liu2@citrix.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Julien Grall <julien.grall@arm.com>

--- a/xen/arch/arm/mm.c
+++ b/xen/arch/arm/mm.c
@@ -1081,7 +1081,7 @@ int xenmem_add_to_physmap_one(
             if ( idx < nr_status_frames(d->grant_table) )
                 mfn = virt_to_mfn(d->grant_table->status[idx]);
             else
-                return -EINVAL;
+                mfn = INVALID_MFN;
         }
         else
         {
@@ -1092,14 +1092,21 @@ int xenmem_add_to_physmap_one(
             if ( idx < nr_grant_frames(d->grant_table) )
                 mfn = virt_to_mfn(d->grant_table->shared_raw[idx]);
             else
-                return -EINVAL;
+                mfn = INVALID_MFN;
         }
         
-        d->arch.grant_table_gpfn[idx] = gpfn;
+        if ( mfn != INVALID_MFN )
+        {
+            d->arch.grant_table_gpfn[idx] = gpfn;
 
-        t = p2m_ram_rw;
+            t = p2m_ram_rw;
+        }
 
         grant_write_unlock(d->grant_table);
+
+        if ( mfn == INVALID_MFN )
+            return -EINVAL;
+
         break;
     case XENMAPSPACE_shared_info:
         if ( idx != 0 )
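Review bot: identical in shape to the 4.5 and 4.6 backports except for `grant_write_unlock(d->grant_table);`. The hunk context shows only the unlock, so it is worth confirming against the full function that no other `return` sits between the corresponding `grant_write_lock()` and this point; the original report covered the two `else` branches, and any further early exit in this case would leak the lock in exactly the same way.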

[-- Attachment #7: xsa235-4.9.patch --]
[-- Type: application/octet-stream, Size: 1542 bytes --]

From: Jan Beulich <jbeulich@suse.com>
Subject: arm/mm: release grant lock on xenmem_add_to_physmap_one() error paths

Commit 55021ff9ab ("xen/arm: add_to_physmap_one: Avoid to map mfn 0 if
an error occurs") introduced error paths not releasing the grant table
lock. Replace them by a suitable check after the lock was dropped.

This is XSA-235.

Reported-by: Wei Liu <wei.liu2@citrix.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Julien Grall <julien.grall@arm.com>

--- a/xen/arch/arm/mm.c
+++ b/xen/arch/arm/mm.c
@@ -1164,7 +1164,7 @@ int xenmem_add_to_physmap_one(
             if ( idx < nr_status_frames(d->grant_table) )
                 mfn = virt_to_mfn(d->grant_table->status[idx]);
             else
-                return -EINVAL;
+                mfn = mfn_x(INVALID_MFN);
         }
         else
         {
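Review bot: `mfn = mfn_x(INVALID_MFN);` is needed here because, judging by the `mfn_x()` unwrapping, `mfn` is a plain `unsigned long` in this tree while INVALID_MFN is a typesafe `mfn_t`; the `mfn != mfn_x(INVALID_MFN)` and `mfn == mfn_x(INVALID_MFN)` comparisons in the next hunk are consistent with that. Should `mfn` later become an `mfn_t`, all three sites must switch to `mfn_eq()` together as in the unstable patch, so a one-line comment tying them together would help keep them in sync.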
@@ -1175,14 +1175,21 @@ int xenmem_add_to_physmap_one(
             if ( idx < nr_grant_frames(d->grant_table) )
                 mfn = virt_to_mfn(d->grant_table->shared_raw[idx]);
             else
-                return -EINVAL;
+                mfn = mfn_x(INVALID_MFN);
         }
 
-        d->arch.grant_table_gfn[idx] = gfn;
+        if ( mfn != mfn_x(INVALID_MFN) )
+        {
+            d->arch.grant_table_gfn[idx] = gfn;
 
-        t = p2m_ram_rw;
+            t = p2m_ram_rw;
+        }
 
         grant_write_unlock(d->grant_table);
+
+        if ( mfn == mfn_x(INVALID_MFN) )
+            return -EINVAL;
+
         break;
     case XENMAPSPACE_shared_info:
         if ( idx != 0 )
