An issue was discovered in Xen through 4.13.x, allowing guest OS users to cause a denial of service or possibly gain privileges because of missing memory barriers in read-write unlock paths. The read-write unlock paths don't contain a memory barrier. On Arm, this means a processor is allowed to re-order the memory access with the preceding ones. In other words, the unlock may be seen by another processor before all the memory accesses within the "critical" section. As a consequence, it may be possible to have a writer executing a critical section at the same time as readers or another writer. In other words, many of the assumptions (e.g., a variable cannot be modified after a check) in the critical sections are not safe anymore. The read-write locks are used in hypercalls (such as grant-table ones), so a malicious guest could exploit the race. For instance, there is a small window where Xen can leak memory if XENMAPSPACEgranttable is used concurrently. A malicious guest may be able to leak memory, or cause a hypervisor crash resulting in a Denial of Service (DoS). Information leak and privilege escalation cannot be excluded.
{ "availability": "No subscription required", "ubuntu_priority": "medium", "binaries": [ { "binary_version": "4.11.3+24-g14b62ab3e5-1ubuntu2.3", "binary_name": "libxen-dev" }, { "binary_version": "4.11.3+24-g14b62ab3e5-1ubuntu2.3", "binary_name": "libxencall1" }, { "binary_version": "4.11.3+24-g14b62ab3e5-1ubuntu2.3", "binary_name": "libxencall1-dbgsym" }, { "binary_version": "4.11.3+24-g14b62ab3e5-1ubuntu2.3", "binary_name": "libxendevicemodel1" }, { "binary_version": "4.11.3+24-g14b62ab3e5-1ubuntu2.3", "binary_name": "libxendevicemodel1-dbgsym" }, { "binary_version": "4.11.3+24-g14b62ab3e5-1ubuntu2.3", "binary_name": "libxenevtchn1" }, { "binary_version": "4.11.3+24-g14b62ab3e5-1ubuntu2.3", "binary_name": "libxenevtchn1-dbgsym" }, { "binary_version": "4.11.3+24-g14b62ab3e5-1ubuntu2.3", "binary_name": "libxenforeignmemory1" }, { "binary_version": "4.11.3+24-g14b62ab3e5-1ubuntu2.3", "binary_name": "libxenforeignmemory1-dbgsym" }, { "binary_version": "4.11.3+24-g14b62ab3e5-1ubuntu2.3", "binary_name": "libxengnttab1" }, { "binary_version": "4.11.3+24-g14b62ab3e5-1ubuntu2.3", "binary_name": "libxengnttab1-dbgsym" }, { "binary_version": "4.11.3+24-g14b62ab3e5-1ubuntu2.3", "binary_name": "libxenmisc4.11" }, { "binary_version": "4.11.3+24-g14b62ab3e5-1ubuntu2.3", "binary_name": "libxenmisc4.11-dbgsym" }, { "binary_version": "4.11.3+24-g14b62ab3e5-1ubuntu2.3", "binary_name": "libxenstore3.0" }, { "binary_version": "4.11.3+24-g14b62ab3e5-1ubuntu2.3", "binary_name": "libxenstore3.0-dbgsym" }, { "binary_version": "4.11.3+24-g14b62ab3e5-1ubuntu2.3", "binary_name": "libxentoolcore1" }, { "binary_version": "4.11.3+24-g14b62ab3e5-1ubuntu2.3", "binary_name": "libxentoolcore1-dbgsym" }, { "binary_version": "4.11.3+24-g14b62ab3e5-1ubuntu2.3", "binary_name": "libxentoollog1" }, { "binary_version": "4.11.3+24-g14b62ab3e5-1ubuntu2.3", "binary_name": "libxentoollog1-dbgsym" }, { "binary_version": "4.11.3+24-g14b62ab3e5-1ubuntu2.3", "binary_name": "xen-doc" }, { "binary_version": "4.11.3+24-g14b62ab3e5-1ubuntu2.3", "binary_name": "xen-hypervisor-4.11-amd64" }, { "binary_version": "4.11.3+24-g14b62ab3e5-1ubuntu2.3", "binary_name": "xen-hypervisor-4.11-arm64" }, { "binary_version": "4.11.3+24-g14b62ab3e5-1ubuntu2.3", "binary_name": "xen-hypervisor-4.11-armhf" }, { "binary_version": "4.11.3+24-g14b62ab3e5-1ubuntu2.3", "binary_name": "xen-hypervisor-4.9-amd64" }, { "binary_version": "4.11.3+24-g14b62ab3e5-1ubuntu2.3", "binary_name": "xen-hypervisor-4.9-arm64" }, { "binary_version": "4.11.3+24-g14b62ab3e5-1ubuntu2.3", "binary_name": "xen-hypervisor-4.9-armhf" }, { "binary_version": "4.11.3+24-g14b62ab3e5-1ubuntu2.3", "binary_name": "xen-hypervisor-common" }, { "binary_version": "4.11.3+24-g14b62ab3e5-1ubuntu2.3", "binary_name": "xen-system-amd64" }, { "binary_version": "4.11.3+24-g14b62ab3e5-1ubuntu2.3", "binary_name": "xen-system-arm64" }, { "binary_version": "4.11.3+24-g14b62ab3e5-1ubuntu2.3", "binary_name": "xen-system-armhf" }, { "binary_version": "4.11.3+24-g14b62ab3e5-1ubuntu2.3", "binary_name": "xen-utils-4.11" }, { "binary_version": "4.11.3+24-g14b62ab3e5-1ubuntu2.3", "binary_name": "xen-utils-4.11-dbgsym" }, { "binary_version": "4.11.3+24-g14b62ab3e5-1ubuntu2.3", "binary_name": "xen-utils-common" }, { "binary_version": "4.11.3+24-g14b62ab3e5-1ubuntu2.3", "binary_name": "xen-utils-common-dbgsym" }, { "binary_version": "4.11.3+24-g14b62ab3e5-1ubuntu2.3", "binary_name": "xenstore-utils" }, { "binary_version": "4.11.3+24-g14b62ab3e5-1ubuntu2.3", "binary_name": "xenstore-utils-dbgsym" } ] }