SB2020041540 - Fedora 30 update for xen

Description

This security bulletin contains information about 5 secuirty vulnerabilities.

1) Information disclosure (CVE-ID: CVE-2020-11740)

The vulnerability allows a remote user to gain access to potentially sensitive information.

An issue was discovered in xenoprof in Xen through 4.13.x, allowing guest OS users (without active profiling) to obtain sensitive information about other guests. Unprivileged guests can request to map xenoprof buffers, even if profiling has not been enabled for those guests.

2) Missing Authorization (CVE-ID: CVE-2020-11741)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

An issue was discovered in xenoprof in Xen through 4.13.x, allowing guest OS users (with active profiling) to obtain sensitive information about other guests, cause a denial of service, or possibly gain privileges. For guests for which "active" profiling was enabled by the administrator, the xenoprof code uses the standard Xen shared ring structure. Unfortunately, this code did not treat the guest as a potential adversary: it trusts the guest not to modify buffer size information or modify head / tail pointers in unexpected ways. A remote user can perform a denial of service (DoS) attack.

3) Buffer overflow (CVE-ID: CVE-2020-11739)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

An issue was discovered in Xen through 4.13.x, allowing guest OS users to cause a denial of service or possibly gain privileges because of missing memory barriers in read-write unlock paths. The read-write unlock paths don't contain a memory barrier. On Arm, this means a processor is allowed to re-order the memory access with the preceding ones. In other words, the unlock may be seen by another processor before all the memory accesses within the "critical" section. As a consequence, it may be possible to have a writer executing a critical section at the same time as readers or another writer. In other words, many of the assumptions (e.g., a variable cannot be modified after a check) in the critical sections are not safe anymore. The read-write locks are used in hypercalls (such as grant-table ones), so a malicious guest could exploit the race. For instance, there is a small window where Xen can leak memory if XENMAPSPACE_grant_table is used concurrently. A malicious guest may be able to leak memory, or cause a hypervisor crash resulting in a Denial of Service (DoS).

4) Improper Handling of Exceptional Conditions (CVE-ID: CVE-2020-11743)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

An issue was discovered in Xen through 4.13.x, allowing guest OS users to cause a denial of service because of a bad error path in GNTTABOP_map_grant. Grant table operations are expected to return 0 for success, and a negative number for errors. Some misplaced brackets cause one error path to return 1 instead of a negative value. The grant table code in Linux treats this condition as success, and proceeds with incorrectly initialised state. A buggy or malicious guest can construct its grant table in such a way that, when a backend domain tries to map a grant, it hits the incorrect error path. This will crash a Linux based dom0 or backend domain.

5) Unchecked Return Value (CVE-ID: CVE-2020-11742)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to introduction of unexpected behavior in the fix for CVE-2017-1213 that caused bad continuation handling in GNTTABOP_copy. A remote user can crash the hypervisor.

Remediation

Install update from vendor's website.

References

• https://bodhi.fedoraproject.org/updates/FEDORA-2020-520fc718af