Xen fixes guest privilege escape and plenty more

Crashes, data leaks and foul corruption also fixed

By Richard Chirgwin

Posted in Virtualization, 16th August 2017 07:33 GMT

Xen admins, get busy: the open source hypervisor's issued fixes for bugs that range from data corruption and leakage up to privilege escalation.

Let's start with CVE-2017-12137, which could let a paravirtualized (PV) guest escalate to host privilege.

It's down to a mistake in memory allocation when a PV guest is launched. That process can use either a nominated linear address, or an “L1 pageable entry”, but in the second case, the L1 entry path isn't checked.

“This causes Xen to make an incorrectly-aligned update to a pagetable, which corrupts both the intended entry and the subsequent entry with values which are largely guest controlled. If the misaligned value crosses a page boundary, then an arbitrary other heap page is corrupted” – and a successful exploit could be used to get host privileges.

All versions of Xen are vulnerable if running untrusted PV guests on x86 architectures, and the issue has been patched.

There are also two advisories covering Xen's grant_table: one issued before a CVE number was assigned, and one for CVE-2017-12855.

The bits that indicate a granted frame is in use (_GTF_{read,write}) can be cleared incorrectly, which can result in an information leak.

“A guest may prematurely believe that a granted frame is safely private again, and reuse it in a way which contains sensitive information, while the domain on the far end of the grant is still using the grant”, the advisory says.

The grant_table code also suffers a race condition, CVE-2017-12136, offering a path for a malicious guest administrator to crash the host.

What Xen calls “transitive grants” is in the spotlight in CVE-2017-12135, with two bugs allowing a malicious (or buggy) guest to crash the system. Patches have been issued for all versions.

There's also a fix for a bug in Xen's block I/O “merge-ability” calculation, which opened a path to either data corruption or a data leak.

“The block layer in Linux may choose to merge adjacent block IO requests. When Linux is running as a Xen guest, the default merging algorithm is replaced with a Xen-specific one. When Linux is running as an x86 PV guest, some BIO's are erroneously merged, corrupting the data stream to/from the block device”, the advisory says.

If you need time to patch this one, disable block I/O merges on backend block devices. ®
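Added example, not from the article or the Xen project: a POSIX shell helper for the interim workaround named above, disabling block I/O request merging on the backend block devices via the Linux sysfs knob `/sys/block/<dev>/queue/nomerges` (0 = all merges enabled, 1 = only simple one-hit merges, 2 = no merging at all). The `SYSFS_ROOT` variable, the function names and any device names are assumptions made so the script can be exercised against a constructed directory tree as well as the live `/sys`.

```shell
#!/bin/sh
# Added example (not from the article or the Xen project): turn off block
# I/O merging on backend block devices through /sys/block/<dev>/queue/nomerges
# until the patched kernel/hypervisor is deployed.
# SYSFS_ROOT is an assumption: it defaults to /sys but can point at a
# constructed tree for testing.
SYSFS_ROOT="${SYSFS_ROOT:-/sys}"

# Print the current nomerges value for a device (0, 1 or 2).
# Fails if the device has no readable queue/nomerges attribute.
get_nomerges() {
    f="$SYSFS_ROOT/block/$1/queue/nomerges"
    [ -r "$f" ] || return 1
    cat "$f"
}

# Set nomerges to 2 (all merging disabled) and print the value read back,
# so the caller can confirm the kernel accepted the change.
disable_merges() {
    f="$SYSFS_ROOT/block/$1/queue/nomerges"
    if [ ! -w "$f" ]; then
        echo "no writable nomerges attribute for $1" >&2
        return 1
    fi
    echo 2 > "$f" || return 1
    get_nomerges "$1"
}

# Apply the workaround to every device under $SYSFS_ROOT/block that exposes
# a queue/ directory (partitions and devices without a queue are skipped).
disable_merges_all() {
    for d in "$SYSFS_ROOT"/block/*/; do
        dev=$(basename "$d")
        [ -d "$d/queue" ] || continue
        if disable_merges "$dev" >/dev/null; then
            echo "$dev nomerges=$(get_nomerges "$dev")"
        fi
    done
}

# Usage: ./nomerges.sh xvda sdb   (disable merging on the named devices)
#        ./nomerges.sh            (no arguments: do nothing, functions only)
if [ "$#" -gt 0 ]; then
    for dev; do
        disable_merges "$dev"
    done
fi
```

Run it as root in the domain that hosts the backend (normally dom0), and re-apply after a reboot, since sysfs settings do not persist. Reverting is a matter of writing `0` back to the same attribute once the fixed kernel is in place.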
