Xen fixes guest privilege escape and plenty more

Crashes, data leaks and foul corruption also fixed

Xen admins, get busy: the open source hypervisor project has issued fixes for bugs that range from data corruption and leakage up to privilege escalation.

Let's start with CVE-2017-12137, which could let a paravirtualized (PV) guest escalate to host privilege.

It's down to a mistake in memory allocation when a PV guest is launched. That process can use either a nominated linear address or an “L1 pagetable entry”, but in the second case the L1 entry path isn't checked.

“This causes Xen to make an incorrectly-aligned update to a pagetable, which corrupts both the intended entry and the subsequent entry with values which are largely guest controlled. If the misaligned value crosses a page boundary, then an arbitrary other heap page is corrupted” – and a successful exploit could be used to get host privileges.

All versions of Xen are vulnerable if running untrusted PV guests on x86 architectures, and the issue has been patched.

There is also an issue with Xen's grant_table, covered by two advisories (one pre-CVE, the other CVE-2017-12855).

The bits that indicate a granted frame is in use (_GTF_{read,write}) can be cleared incorrectly, with a resulting possible information leak.

“A guest may prematurely believe that a granted frame is safely private again, and reuse it in a way which contains sensitive information, while the domain on the far end of the grant is still using the grant”, the advisory says.

The grant_table code also suffers a race condition, CVE-2017-12136, offering a path for a malicious guest administrator to crash the host.

What's called “transitive grants” in Xen is in the spotlight in CVE-2017-12135, with two bugs allowing a malicious (or buggy) guest to crash the system. Patches have been issued for all versions.

There's also a fix for a bug in Xen's block I/O “merge-ability” calculation, which opened a path to either data corruption or a data leak.

“The block layer in Linux may choose to merge adjacent block IO requests. When Linux is running as a Xen guest, the default merging algorithm is replaced with a Xen-specific one. When Linux is running as an x86 PV guest, some BIO's are erroneously merged, corrupting the data stream to/from the block device”, the advisory says.

If you need time to patch this one, disable block I/O merges on backend block devices.
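As an added illustration of that interim mitigation (not part of the advisory or the article), the following shell functions audit and disable request merging through the Linux sysfs knob /sys/block/DEV/queue/nomerges, where 0 allows all merges, 1 allows only simple one-hit merges and 2 disables merging entirely. The device names and the SYSFS_ROOT override are assumptions; on a real backend (dom0 or a driver domain) it runs as root against /sys.

```shell
#!/bin/sh
# Added example: disable block-layer request merging on backend block
# devices via the sysfs attribute /sys/block/<dev>/queue/nomerges.
# SYSFS_ROOT is overridable so the functions can be exercised against a
# constructed directory tree without touching the live system.
SYSFS_ROOT="${SYSFS_ROOT:-/sys}"

nomerges_path() {
    printf '%s/block/%s/queue/nomerges\n' "$SYSFS_ROOT" "$1"
}

# Report the current nomerges value for one device (0, 1 or 2),
# or "missing" when the device has no queue attribute.
merge_state() {
    p=$(nomerges_path "$1")
    if [ -r "$p" ]; then cat "$p"; else echo missing; fi
}

# Set nomerges=2 on every device named on the command line and print a
# before/after line per device. Returns non-zero if any device could not
# be updated, so the caller can notice a partially applied mitigation.
disable_merges() {
    rc=0
    for dev in "$@"; do
        p=$(nomerges_path "$dev")
        if [ ! -w "$p" ]; then
            echo "$dev: $p not writable" >&2
            rc=1
            continue
        fi
        before=$(cat "$p")
        echo 2 > "$p"
        after=$(cat "$p")
        [ "$after" = "2" ] || rc=1
        echo "$dev: nomerges $before -> $after"
    done
    return $rc
}

# Usage: disable-merges.sh xvda xvdb ...
if [ "$#" -gt 0 ]; then
    disable_merges "$@"
fi
```

Values written to sysfs do not survive a reboot, so the setting has to be reapplied at boot until the fixed Xen is installed.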


Biting the hand that feeds IT © 1998–2017
