-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory CVE-2017-15597 / XSA-236 version 3 pin count / page reference race in grant table code UPDATES IN VERSION 3 ==================== We now once again think that only Xen 4.2 and newer are vulnerable. Fix grammar typo. Public release. ISSUE DESCRIPTION ================= Grant copying code made an implication that any grant pin would be accompanied by a suitable page reference. Other portions of code, however, did not match up with that assumption. When such a grant copy operation is being done on a grant of a dying domain, the assumption turns out wrong. IMPACT ====== A malicious guest administrator can cause hypervisor memory corruption, most likely resulting in host crash and a Denial of Service. Privilege escalation and information leaks cannot be ruled out. VULNERABLE SYSTEMS ================== Xen versions from 4.2 onwards are vulnerable. Xen versions 4.1 and earlier are not vulnerable. Both x86 and ARM are vulnerable, and on x86 both PV and HVM guests can trigger the vulnerability. MITIGATION ========== Running only guests without para-virtual drivers, and known not to issue grant table operations can avoid the vulnerability. CREDITS ======= This issue was discovered by Pawel Wieczorkiewicz of Amazon. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. xsa236.patch xen-unstable xsa236-4.9.patch Xen 4.9.x, Xen 4.8.x, Xen 4.7.x, Xen 4.6.x xsa236-4.5.patch Xen 4.5.x $ sha256sum xsa236* 2f7736c43b6da7d983cf3edbc10024c4cba9d6d3e5b2b758a07de726a804617d xsa236.meta f06f01fb4ffcfc7938a2fc6ab73559ebbaac2d448bd36ca538bb07ba510eeb4a xsa236.patch c98a4b50d021414626cd68002643e9aa0cc6067b98cd5dd995c0140a7933d1ea xsa236-4.5.patch b6fe5604af26e93184f30127ebbb644f127ecc7116b093c161ca3044b44d2fe9 xsa236-4.9.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBCAAGBQJZ70ZiAAoJEIP+FMlX6CvZlBgH/0cwYrP3/zvc3dNJRtpxyn1J BkigYP8JBIYW85M7KdZDFBhgXIpuw6x45XZ4qfq6rrz3GOp5oZgZVFIoggHZBzRe eVCIpjOAXInM7ThsE6pV1Qr/JKe8V6RJumXEgqr5zznWpGmcFChWmobA+BBq64P6 87ALWjXBcuqOyjJnJQwEjk+kHJMnIpocVZk6NqcDeoHoJvRh/Zk4YYc78qm4Lucw d0yHq5azA9bgt5iJgxUvF74B4r8JxTLmA8sn7Kx280UJGEAkqM7jj1QVQ6sb8fgO q6RSzBVnuVqLh4E1Dji9KaxcRRVnbrp2FFpBUUWHAVVO4O0GYlu5NxERnnye9v0= =zI77 -----END PGP SIGNATURE-----