Xen Project XSA-249: broken x86 shadow mode refcount overflow check
Published: Dec 12, 2017, 11:35 (xenbits.xen.org)
CVSS3: 7.8 High (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)
  Attack Vector: LOCAL; Attack Complexity: HIGH; Privileges Required: LOW; User Interaction: NONE; Scope: CHANGED; Confidentiality / Integrity / Availability Impact: HIGH / HIGH / HIGH

CVSS2: 6.9 Medium (AV:L/AC:M/Au:N/C:C/I:C/A:C)
  Access Vector: LOCAL; Access Complexity: MEDIUM; Authentication: NONE; Confidentiality / Integrity / Availability Impact: COMPLETE / COMPLETE / COMPLETE

EPSS: 0.001 Low (percentile 25.7%)

ISSUE DESCRIPTION

Pages being used to run x86 guests in shadow mode are reference counted to track their uses. Unfortunately the overflow check when trying to obtain a new reference used a mask one bit wider than the reference count actually is, rendering the entire check ineffective.
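The failure mode described above, as an added illustration that is not Xen's code: a reference count stored in a narrow bit-field, a "broken" get_ref whose overflow mask is one bit wider than that field, and a fixed variant whose mask matches the field width exactly. The structure, field names, the 4-bit width and the function names are all hypothetical stand-ins chosen so the wrap is visible after 16 increments; Xen's real count is far wider, but the arithmetic is the same.

```c
#include <stdio.h>

/* Hypothetical stand-ins, not Xen's definitions: a tiny width so the wrap is easy to see. */
#define SH_REFCOUNT_BITS      4
#define SH_REFCOUNT_MASK      ((1u << SH_REFCOUNT_BITS) - 1)        /* 0x0f: exactly the field width */
#define SH_REFCOUNT_MASK_WIDE ((1u << (SH_REFCOUNT_BITS + 1)) - 1)  /* 0x1f: one bit too wide */

struct sh_page {
    unsigned int count : SH_REFCOUNT_BITS;       /* the refcount lives in a bit-field */
    unsigned int other : 32 - SH_REFCOUNT_BITS;  /* other per-page state sharing the word */
};

/* Broken check. A single increment can only overflow to nx == 1 << SH_REFCOUNT_BITS,
 * and the too-wide mask admits exactly that bit, so the check can never fire. */
static int sh_get_ref_broken(struct sh_page *sp)
{
    unsigned int nx = sp->count + 1u;
    if (nx & ~SH_REFCOUNT_MASK_WIDE)   /* never true for nx <= 0x1f */
        return 0;                      /* "overflow" path, unreachable here */
    sp->count = nx;                    /* nx == 16 is silently truncated to 0 */
    return 1;
}

/* Fixed check: the mask has the same width as the field, so bit SH_REFCOUNT_BITS
 * set in nx is detected and the reference is refused instead of wrapping. */
static int sh_get_ref_fixed(struct sh_page *sp)
{
    unsigned int nx = sp->count + 1u;
    if (nx & ~SH_REFCOUNT_MASK)        /* true when nx == 16 */
        return 0;
    sp->count = nx;
    return 1;
}

struct ref_result {
    unsigned int grabbed;      /* references successfully taken */
    unsigned int final_count;  /* what the bit-field holds afterwards */
};

/* Take up to n references on a fresh page using the given get_ref variant. */
static struct ref_result take_refs(int (*get_ref)(struct sh_page *), unsigned int n)
{
    struct sh_page page = { 0, 0 };
    struct ref_result r = { 0, 0 };
    for (unsigned int i = 0; i < n; i++) {
        if (!get_ref(&page))
            break;
        r.grabbed++;
    }
    r.final_count = page.count;
    return r;
}

int main(void)
{
    struct ref_result b = take_refs(sh_get_ref_broken, 16);
    struct ref_result f = take_refs(sh_get_ref_fixed, 16);
    printf("broken: %u refs taken, count now %u (wrapped to zero, page looks free)\n",
           b.grabbed, b.final_count);
    printf("fixed:  %u refs taken, count now %u (16th reference refused)\n",
           f.grabbed, f.final_count);
    return 0;
}
```

With the broken mask every one of the 16 increments is accepted and the count reads 0 afterwards, which is the state in which the page can be freed while references to it still exist; with the correctly sized mask the 16th reference is refused and the count stays at its maximum.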

IMPACT

A malicious or buggy guest may cause a hypervisor crash, resulting in a Denial of Service (DoS) affecting the entire host, or cause hypervisor memory corruption. We cannot rule out a guest being able to escalate its privilege.

VULNERABLE SYSTEMS

Xen versions 4.1 and later are affected. Xen versions 4.0 and earlier are not affected.
x86 systems are vulnerable. ARM systems are not vulnerable.
Only guests run in shadow mode can exploit the vulnerability.
PV guests typically only run in shadow mode during live migration, as well as for features like VM snapshot.
Note that save / restore does not use shadow mode, and so does not expose this vulnerability. Some downstreams also include a “non-live migration” feature, which also does not use shadow mode (and thus does not expose this vulnerability).
HVM guests run in shadow mode on hardware without HAP support, or when HAP is disabled (globally or in the VM configuration file). Live migration does not affect an HVM guest’s use of shadow mode.

Affected products

CPE Name   Operator   Version
xen        ge         4.1
