
====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN186
_____________________________________________________________________

DATE                : 14/04/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Xen.

=====================================================================
https://xenbits.xen.org/xsa/advisory-316.html
https://xenbits.xen.org/xsa/advisory-318.html
_____________________________________________________________________


            Xen Security Advisory CVE-2020-11743 / XSA-316
                               version 3

                 Bad error path in GNTTABOP_map_grant

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

Grant table operations are expected to return 0 for success, and a
negative number for errors.  Some misplaced brackets cause one error
path to return 1 instead of a negative value.

The grant table code in Linux treats this condition as success, and
proceeds with incorrectly initialised state.

IMPACT
======

A buggy or malicious guest can construct its grant table in such a way
that, when a backend domain tries to map a grant, it hits the incorrect
error path.

This will crash a Linux based dom0 or backend domain.

VULNERABLE SYSTEMS
==================

Systems running any version of Xen with the XSA-295 fixes are
vulnerable.  Systems which have not yet taken the XSA-295 fixes are not
vulnerable.

Systems running a Linux based dom0 or driver domain are vulnerable.

Systems running a FreeBSD or NetBSD based dom0 or driver domain are not
impacted, as they both treat any nonzero value as a failure.

The vulnerability of other systems will depend on how they behave when
getting an unexpected positive number from the GNTTABOP_map_grant
hypercall.

MITIGATION
==========

Applying the Linux patches alone is sufficient to mitigate the issue.
This might be a preferred route for downstreams who support livepatching
Linux but not Xen.

CREDITS
=======

This issue was discovered by Ross Lagerwall of Citrix.

RESOLUTION
==========

Applying the appropriate Xen patch will resolve this issue.

Additionally, a Linux patch is provided to make Linux's behaviour more
robust to unexpected values.

We recommend taking both patches if at all possible.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa316/xsa316-xen.patch       Xen 4.9 - xen-unstable
xsa316/xsa316-linux.patch     Linux

$ sha256sum xsa316*/*
7dcd02e8cc0434046747d572bc6c77cd3a2e4041eefd2fa703f4130e998b58dd  xsa316/xsa316-linux.patch
4007578e30730861750d8808c0b63f2e03bbb05df909d71de19201084816a8b9  xsa316/xsa316-xen.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decision-making.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html

______________________________________________________________________

            Xen Security Advisory CVE-2020-11742 / XSA-318
                               version 3

              Bad continuation handling in GNTTABOP_copy

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

Grant table operations are expected to return 0 for success, and a
negative number for errors.  The fix for CVE-2017-12135 / XSA-226
introduced a path through grant copy handling where success may be
returned to the caller without any action taken.

In particular the status fields of individual operations are left
uninitialised, and may result in errant behaviour in the caller of
GNTTABOP_copy.

IMPACT
======

A buggy or malicious guest can construct its grant table in such a way
that, when a backend domain tries to copy a grant, it hits the incorrect
exit path.

This returns success to the caller without doing anything, which may
cause crashes or other incorrect behaviour.
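Both advisories describe the same caller-side weakness from two angles: XSA-316 (above) has the hypercall return +1 on an error path, which a caller checking only for negative values accepts as success, while XSA-318 has it return 0 without writing the per-operation status fields. The C model below is added here as an illustration; it is not code from either advisory, from Xen, or from Linux. The names `simulated_grant_hypercall`, `grant_op`, `OP_OK`, `OP_GENERAL_ERROR` and `OP_STATUS_UNSET` are constructed stand-ins for the convention the advisories state (0 for success, negative for errors), and the "lenient" check is an illustrative `rc >= 0` test, not a quotation of the Linux code. The "robust" caller does what the advisory says FreeBSD and NetBSD do (any nonzero return is a failure) and additionally pre-fills each status field with a sentinel so that a "success without action" is detected.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for the advisories' convention (0 = success,
 * negative = error). These are NOT Xen's real status constants. */
#define OP_OK            0
#define OP_GENERAL_ERROR (-1)
#define OP_STATUS_UNSET  (-99)   /* sentinel the caller writes before the call */

#define NR_OPS 2

/* Minimal model of one batched grant operation; the hypervisor side is
 * expected to fill in `status` for every element it processes. */
struct grant_op {
    int status;
};

/* Hypothetical hypervisor-side behaviour selected by `mode`:
 *   0: normal success, every op status written
 *   1: normal failure, negative return, statuses written
 *   2: XSA-316-style defect: an error path returns +1
 *   3: XSA-318-style defect: returns 0 without touching any op
 */
int simulated_grant_hypercall(int mode, struct grant_op *ops, size_t count)
{
    switch (mode) {
    case 0:
        for (size_t i = 0; i < count; i++) ops[i].status = OP_OK;
        return 0;
    case 1:
        for (size_t i = 0; i < count; i++) ops[i].status = OP_GENERAL_ERROR;
        return -1;
    case 2:
        return 1;    /* positive value where a negative error was intended */
    case 3:
        return 0;    /* "success" reported, statuses left untouched */
    default:
        return -1;
    }
}

/* Caller that treats only negative return codes as failure: a stray +1
 * (mode 2) and an empty success (mode 3) both pass, and the caller would
 * go on using state the hypervisor never initialised. */
bool lenient_caller_succeeds(int mode)
{
    struct grant_op ops[NR_OPS];
    int rc = simulated_grant_hypercall(mode, ops, NR_OPS);
    return rc >= 0;
}

/* Robust caller: any nonzero return is a failure (the FreeBSD/NetBSD
 * behaviour described in XSA-316), and every per-op status must have been
 * overwritten from the sentinel (catches the XSA-318 "nothing done" case). */
bool robust_caller_succeeds(int mode)
{
    struct grant_op ops[NR_OPS];
    for (size_t i = 0; i < NR_OPS; i++) ops[i].status = OP_STATUS_UNSET;

    int rc = simulated_grant_hypercall(mode, ops, NR_OPS);
    if (rc != 0)
        return false;
    for (size_t i = 0; i < NR_OPS; i++)
        if (ops[i].status != OP_OK)
            return false;   /* sentinel still present, or an explicit error */
    return true;
}

int main(void)
{
    for (int mode = 0; mode < 4; mode++)
        printf("mode %d: lenient=%d robust=%d\n", mode,
               lenient_caller_succeeds(mode), robust_caller_succeeds(mode));
    return 0;
}
```

Running it shows the lenient caller accepting modes 2 and 3 as success while the robust caller rejects both; only mode 0 passes the robust check. The sentinel pre-fill is the part that matters for XSA-318: no return-code check alone can tell a genuine success from one where the hypervisor returned early without processing the batch.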

VULNERABLE SYSTEMS
==================

Systems running any version of Xen are vulnerable.

MITIGATION
==========

Only guests with access to transitive grants can exploit the
vulnerability.  In particular, this means that:

 * ARM systems which have taken the XSA-268 fix are not vulnerable, as
   Grant Table v2 was disabled for other security reasons.

 * All systems with the XSA-226 fixes, and booted with
   `gnttab=max-ver:1` or `gnttab=no-transitive` are not vulnerable.

CREDITS
=======

This issue was discovered by Pawel Wieczorkiewicz of Amazon and Jürgen
Groß of SUSE.

RESOLUTION
==========

Applying the attached patch resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa318.patch       Xen 4.9 - xen-unstable

$ sha256sum xsa318*
4618c2609ab08178977c2b2a3d13f380ccfddd0168caca5ced708dd76a8e547c  xsa318.patch
$

NOTE CONCERNING SHORT EMBARGO
=============================

This issue was discovered in response to the XSA-316 predisclosure.

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches described above (or others which are
substantially similar) is permitted during the embargo, even on
public-facing systems with untrusted guest users and administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

However, deployment of the mitigations is NOT permitted (except where
all the affected systems and VMs are administered and used only by
organisations which are members of the Xen Project Security Issues
Predisclosure List).  Specifically, deployment on public cloud systems
is NOT permitted.

This is because it is a guest visible change which will draw attention
to the issue.

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================
