Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1571881 (CVE-2018-10981, xsa262)

Summary: CVE-2018-10981 xsa262 xen: qemu may drive Xen into unbounded loop (XSA-262)
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: ailan, drjones, imammedo, jforbes, knoel, m.a.young, mrezanin, pbonzini, rkrcmar, robinlee.sysu, security-response-team, vkuznets, xen-maint
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-04-26 13:45:07 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1576680    
Bug Blocks:    

Description Adam Mariš 2018-04-25 15:10:21 UTC 
ISSUE DESCRIPTION
=================

When Xen sends requests to a device model, the next expected action
inside Xen is tracked using a state field.  The requests themselves
are placed in a memory page shared with the device model, so that the
device model can communicate to Xen its progress on the request.  The
state field is in the request itself, where the device model may write
to it.  Xen correctly rejects invalid state values, but failed to reject
invalid transitions between states.  As a result, a device model which
switches a request between two states at the right times can drive Xen
into an unbounded loop.

IMPACT
======

A malicious unprivileged device model can cause a Denial of Service
(DoS) affecting the entire host.  Specifically, it may prevent use of a
physical CPU for an indeterminate period of time.

VULNERABLE SYSTEMS
==================

All Xen versions are vulnerable.

Only x86 systems are affected.  ARM systems are not affected.

Only HVM guests can expose this vulnerability.  PV and PVH guests cannot
expose this vulnerability, but note that the domains being able to
leverage the vulnerability are PV or PVH ones, running the device model.

This vulnerability is only applicable to Xen systems using stub domains.

MITIGATION
==========

Running only PV or PVH guests will avoid this issue.

(The security of a Xen system using stub domains is still better than
with a qemu-dm running as an unrestricted dom0 process.  Therefore
users with these configurations should not switch to an unrestricted
dom0 qemu-dm.)

External References:

http://xenbits.xen.org/xsa/advisory-262.html
Comment 2 Adam Mariš 2018-05-10 06:49:50 UTC 
Acknowledgments:

Name: the Xen project
Upstream: Jan Beulich (SUSE)
Comment 3 Adam Mariš 2018-05-10 06:50:14 UTC 
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1576680]