CVE-2017-10912

Vulnerability

Xen through 4.8.x mishandles page transfer when a controlling domain unmaps a page owned by a controlled HVM domain without flushing the TLB. If the controlled domain subsequently transfers that page to another PV domain via GNTTABOP_transfer or XENMEM_exchange, and the third domain uses the page as a page table, the controlling domain retains write access to the live page table until the TLB entry is flushed or evicted [1]. All Xen versions are vulnerable on x86 systems; ARM systems are not affected. The attack requires an attacker to control both a PV and an HVM guest [1].

Exploitation

An attacker must control a PV domain (the controlling domain) and an HVM domain (the controlled domain). The controlling domain maps a page of the HVM domain, then unmaps it without flushing the TLB. The HVM domain then transfers the page to a third PV domain (also attacker-controlled) using GNTTABOP_transfer or XENMEM_exchange. The third PV domain uses the page as a page table. At this point, the controlling domain has write access to the live page table until the stale TLB entry is flushed or evicted [1].

Impact

A successful attack gives the controlling domain write access to a live page table of another PV domain. This allows the attacker to access all of system memory, leading to privilege escalation to the host level, host crashes, and information leaks [1].

Mitigation

There is no known workaround for this vulnerability [1]. The fix is to apply the patches provided in XSA-217 (e.g., xsa217.patch) or upgrade to a fixed version such as Xen 4.7.3 or later [2]. Gentoo users can follow the instructions in GLSA 201710-17 to upgrade to >=app-emulation/xen-4.7.3 [2].