High severity (8.8) · NVD Advisory · Published Aug 24, 2017 · Updated May 13, 2026

CVE-2017-12134

Description

The xen_biovec_phys_mergeable function in drivers/xen/biomerge.c in Xen might allow local OS guest users to corrupt block device data streams and consequently obtain sensitive memory information, cause a denial of service, or gain host OS privileges by leveraging incorrect block IO merge-ability calculation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A flawed block IO merge-ability calculation in Xen PV backends allows a malicious guest to corrupt data streams, leading to info leaks, denial of service, or host privilege escalation.

Vulnerability

The xen_biovec_phys_mergeable function in drivers/xen/biomerge.c in the Linux kernel (versions 2.6.37 and later) incorrectly allows merging of adjacent block I/O requests when Linux is running as a Xen x86 PV guest. This flaw occurs in backend domains (dom0 or PV driver domains) that perform block I/O on behalf of guest VMs, using grant mapping as the transport mechanism. The vulnerability is exposed only when the underlying block device has request merging enabled [1][2].

Exploitation

An attacker must be able to execute code within a guest VM that performs block I/O operations through a vulnerable Xen PV backend. The attacker triggers the flawed merge logic by submitting adjacent block I/O requests that the backend incorrectly coalesces. This requires the backend to have request merging enabled (default behavior) and to use grant mapping; HVM driver domains are not affected. No special privileges beyond guest user access are needed to initiate the attack [1][2].

Impact

Successful exploitation allows the guest to cause the backend kernel to read or write incorrect memory when processing a block data stream. This can corrupt the data stream, leading to information disclosure (leaking data from other guests or Xen itself), denial of service (host crash), or privilege escalation to gain administrative control over the host system [1][2][3].

Mitigation

Linux distributions have released patches; for example, Ubuntu published fixed kernels in USN-3655-2 [3]. Red Hat closed the bug as WONTFIX for its product line, indicating that an alternate mitigation (e.g., disabling block request merging in the backend) may be necessary [4]. The vulnerability is not exposed on ARM systems. Administrators should apply the latest kernel updates from their vendor or disable block device request merging in Xen backend domains if patching is not possible [2][3].
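The request-merging mitigation mentioned above can be audited and applied per device, as in this added example (not taken from the advisory or its references). It assumes the standard Linux block-layer attribute `/sys/block/<dev>/queue/nomerges`, where `2` disables merging; `SYSFS_BLOCK`, `list_mergeable` and `disable_merging` are names chosen for this sketch.

```shell
#!/bin/sh
# Added example: audit and optionally disable block request merging in a
# Xen backend domain (dom0 or a PV driver domain).
# Assumption: /sys/block/<dev>/queue/nomerges is the control knob
#   0 = all merges allowed, 1 = simple merges only, 2 = merging disabled.

SYSFS_BLOCK="${SYSFS_BLOCK:-/sys/block}"   # overridable for offline testing

# Print "<dev> <value>" for every block device whose queue still merges.
list_mergeable() {
    for f in "$SYSFS_BLOCK"/*/queue/nomerges; do
        [ -r "$f" ] || continue            # glob matched nothing, or unreadable
        val=$(cat "$f")
        dev=${f#"$SYSFS_BLOCK"/}           # strip the sysfs prefix
        dev=${dev%%/*}                     # keep only the device name
        [ "$val" = "2" ] || printf '%s %s\n' "$dev" "$val"
    done
}

# Write 2 to nomerges for each mergeable device, then re-read to verify.
# Returns non-zero if any device still allows merging afterwards.
disable_merging() {
    list_mergeable | while read -r dev rest; do
        echo 2 > "$SYSFS_BLOCK/$dev/queue/nomerges" ||
            printf 'failed to update %s\n' "$dev" >&2
    done
    [ -z "$(list_mergeable)" ]
}

# Usage: script.sh audit    (report only)
#        script.sh enforce  (requires root in the backend domain)
case "${1:-}" in
    audit)   list_mergeable ;;
    enforce) disable_merging ;;
esac
```

The setting is runtime-only: it has to be reapplied after a reboot and for any block device that appears later.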

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

35


References

10
