CVE-2019-17342: 287 - Xen Security Advisories

An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service or gain privileges by leveraging a race condition that arose when XENMEM_exchange was introduced.


Information

Advisory: XSA-287
Public release: 2019-03-05 12:00
Updated: 2019-10-25 11:09
Version: 3
CVE(s): CVE-2019-17342
Title: x86: steal_page violates page_struct access discipline
Files:
  advisory-287.txt (signed advisory file)
  xsa287.meta
  xsa287.patch
  xsa287-4.7.patch
  xsa287-4.8.patch
  xsa287-4.9.patch
  xsa287-4.10.patch
  xsa287-4.11.patch

Advisory

Xen Security Advisory CVE-2019-17342 / XSA-287
version 3

x86: steal_page violates page_struct access discipline

UPDATES IN VERSION 3

CVE assigned.

ISSUE DESCRIPTION

Xen’s reference counting rules were designed to allow pages to change owner and state without requiring a global lock. Each page has a page structure, and a very specific set of access disciplines must be observed to ensure that pages are freed properly, and that no writable mappings exist for PV pagetable pages.

Unfortunately, when the XENMEM_exchange hypercall was introduced, these access disciplines were violated, opening up several potential race conditions.

IMPACT

A single PV guest can leak arbitrary amounts of memory, leading to a denial of service.

A cooperating pair of PV and HVM/PVH guests can get a writable pagetable entry, leading to information disclosure or privilege escalation.

Privilege escalation attacks using only a single PV guest or a pair of PV guests have not been ruled out.

Note that both of these attacks require very precise timing, which may be difficult to exploit in practice.

VULNERABLE SYSTEMS

Only x86 systems are vulnerable.

Only systems which run PV guests are vulnerable. Systems which run only HVM/PVH guests are not vulnerable.

MITIGATION

Running only HVM or PVH guests will avoid these vulnerabilities.

CREDITS

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION

Applying the appropriate attached patch resolves this issue.

xsa287.patch         xen-unstable
xsa287-4.11.patch    Xen 4.11.x
xsa287-4.10.patch    Xen 4.10.x
xsa287-4.9.patch     Xen 4.9.x
xsa287-4.8.patch     Xen 4.8.x
xsa287-4.7.patch     Xen 4.7.x

$ sha256sum xsa287*
ae2b9261e26df871693478629c63970ba30817ee1dcb2266b89d8b067833c1b3 xsa287.meta
7de1b886d69dd7c497f88d41adf9a6f7cf9a305fd8ae9d714e1125e2a22208ab xsa287.patch
55f40f2f9bb41c85ac80dac775352e28b25fada80dae574e9d10300d5e2b91ce xsa287-4.7.patch
57312ff131eb6b51235723e862adf42ad3529ed13135375875c054fa0b55f80b xsa287-4.8.patch
34f4b835766a38bcf4066ccbab74676eda176e15ed2a6bd7884678a64507f89a xsa287-4.9.patch
c7eaf8a325011dda84b02ee097ddbc7b5f2f4d3399de545a3a7b14e2d23f4278 xsa287-4.10.patch
6793315f714a249a4fad12b36559640b2f97f19f5b85f0d58694c6e78aa3d567 xsa287-4.11.patch
$
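An added example, not part of the advisory or of the Xen Project's own tooling: a small POSIX shell helper that picks the patch for a given Xen release from the table above, checks it against the published sha256 list, and applies it only after a clean dry run. The function names and the version-to-file mapping are assumptions of this example; it expects to run from the Xen source root with the patch files alongside.

```shell
# Added example, not from the advisory: choose the XSA-287 patch for a Xen
# release, check it against the published sha256 list, apply only after a dry run.
# Assumes it runs from the Xen source root with the patch files alongside.

# sha256 values exactly as published in the advisory's RESOLUTION section.
XSA287_SUMS='
ae2b9261e26df871693478629c63970ba30817ee1dcb2266b89d8b067833c1b3 xsa287.meta
7de1b886d69dd7c497f88d41adf9a6f7cf9a305fd8ae9d714e1125e2a22208ab xsa287.patch
55f40f2f9bb41c85ac80dac775352e28b25fada80dae574e9d10300d5e2b91ce xsa287-4.7.patch
57312ff131eb6b51235723e862adf42ad3529ed13135375875c054fa0b55f80b xsa287-4.8.patch
34f4b835766a38bcf4066ccbab74676eda176e15ed2a6bd7884678a64507f89a xsa287-4.9.patch
c7eaf8a325011dda84b02ee097ddbc7b5f2f4d3399de545a3a7b14e2d23f4278 xsa287-4.10.patch
6793315f714a249a4fad12b36559640b2f97f19f5b85f0d58694c6e78aa3d567 xsa287-4.11.patch
'
# Map a Xen version ("4.10.3", "4.11", "unstable") to the advisory's patch name;
# releases the advisory does not list are rejected rather than guessed.
patch_for_version() {
  case "$1" in
    4.7|4.7.*)   echo xsa287-4.7.patch ;;
    4.8|4.8.*)   echo xsa287-4.8.patch ;;
    4.9|4.9.*)   echo xsa287-4.9.patch ;;
    4.10|4.10.*) echo xsa287-4.10.patch ;;
    4.11|4.11.*) echo xsa287-4.11.patch ;;
    unstable)    echo xsa287.patch ;;
    *) echo "XSA-287 lists no patch for Xen '$1'" >&2; return 1 ;;
  esac
}
# Print the published sha256 for a file name; fail if the advisory lists none.
expected_sha256() {
  printf '%s\n' "$XSA287_SUMS" |
    awk -v f="$1" '$2 == f { print $1; found = 1 } END { exit found ? 0 : 1 }'
}
# Digest of a local file: coreutils sha256sum, or the BSD/macOS shasum fallback.
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | awk '{ print $1 }'
  else shasum -a 256 "$1" | awk '{ print $1 }'; fi
}
# 0 if the file's digest matches the advisory, 1 on mismatch or unknown name.
verify_patch() {
  want=$(expected_sha256 "$(basename "$1")") || return 1
  have=$(file_sha256 "$1") || return 1
  [ "$want" = "$have" ]
}
# Usage: apply_xsa287 4.10.3  (never touches the tree unless the digest matches)
apply_xsa287() {
  p=$(patch_for_version "$1") || return 1
  verify_patch "$p" || { echo "$p does not match the advisory digest" >&2; return 1; }
  patch -p1 --dry-run < "$p" && patch -p1 < "$p"
}
```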

DEPLOYMENT DURING EMBARGO

Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators.

But: Distribution of updated software is prohibited (except to other members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team.

(Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team’s decisionmaking.)

For more information about permissible uses of embargoed information, consult the Xen Project community’s agreed Security Policy: http://www.xenproject.org/security-policy.html


Xenproject.org Security Team
