Xen fixes guest privilege escape and plenty more

Crashes, data leaks and foul corruption also fixed

Xen admins, get busy: the open source hypervisor's issued fixes for bugs that range from data corruption and leakage up to privilege escalation.

Let's start with CVE-2017-12137, which could let a paravirtualized (PV) guest escalate to host privilege.

It's down to a mistake in memory allocation when a PV guest is launched. That process can use either a nominated linear address, or an “L1 pageable entry”, but in the second case, the L1 entry path isn't checked.

“This causes Xen to make an incorrectly-aligned update to a pagetable, which corrupts both the intended entry and the subsequent entry with values which are largely guest controlled. If the misaligned value crosses a page boundary, then an arbitrary other heap page is corrupted” – and a successful exploit could be used to get host privileges.

All versions of Xen are vulnerable if running untrusted PV guests on x86 architectures, and the issue has been patched.

There is also an issue with Xen's grant_table, here (pre-CVE) and here (CVE-2017-12855).

The bits that indicate a granted frame is in use (_GTF_ {read,write} can be cleared incorrectly, with a resulting possible information leak.

“A guest may prematurely believe that a granted frame is safely private again, and reuse it in a way which contains sensitive information, while the domain on the far end of the grant is still using the grant”, the advisory says.

The grant_table code also suffers a race condition, CVE-2017-12136, offering a path for a malicious guest administrator to crash the host.

What's called “transitive grands” in Xen is in the spotlight in CVE-2017-12135, with two bugs allowing a malicious (or buggy) guest to crash the system. Patches have been issued for all versions.

There's also a fix for a bug in Xen's block I/O “merge-ability” calculation, which opened a path to either data corruption or a data leak.

“The block layer in Linux may choose to merge adjacent block IO requests. When Linux is running as a Xen guest, the default merging algorithm is replaced with a Xen-specific one. When Linux is running as an x86 PV guest, some BIO's are erroneously merged, corrupting the data stream to/from the block device”, the advisory says.

If you need time to patch this one, disable block I/O merges on backend block devices. ?


Biting the hand that feeds IT ? 1998–2017