Get a Demo

Let's Patch It!

Book a short call with one our specialists, we'll walk you through how Endor Patches work, and ask you a few questions about your environment (like your primary programming languages and repository management). We'll also send you an email right after you fill out the form, feel free to reply with any questions you have in advance!

CVE

OSEC-2019-02

Grant unshare vulnerability in mirage-xen
Back to all
CVE

OSEC-2019-02

Grant unshare vulnerability in mirage-xen

Background

MirageOS is a library operating system using cooperative multitasking, which can be executed as a guest of the Xen hypervisor. Virtual machines running on a Xen host can communicate by sharing pages of memory. For example, when a Mirage VM wants to use a virtual network device provided by a Linux dom0:

  1. The Mirage VM reserves some of its memory for this purpose and writes an entry to its grant table to say that dom0 should have access to it.
  2. The Mirage VM tells dom0 (via XenStore) about the grant.
  3. dom0 asks Xen to map the memory into its address space.

The Mirage VM and dom0 can now communicate using this shared memory. When dom0 has finished with the memory:

  1. dom0 tells Xen to unmap the memory from its address space.
  2. dom0 tells the Mirage VM that it no longer needs the memory.
  3. The Mirage VM removes the entry from its grant table.
  4. The Mirage VM may reuse the memory for other purposes.

Problem Description

Mirage removes the entry by calling the gnttabendaccess function in Mini-OS. This function checks whether the remote domain still has the memory mapped. If so, it returns 0 to indicate that the entry cannot be removed yet. To make this function available to OCaml code, the stubgntshrend_access C stub in mirage-xen wrapped this with the OCaml calling conventions. Unfortunately, it ignored the return code and reported success in all cases.

Impact

A malicious VM can tell a MirageOS unikernel that it has finished using some shared memory while it is still mapped. The Mirage unikernel will think that the unshare operation has succeeded and may reuse the memory, or allow it to be garbage collected. The malicious VM will still have access to the memory.

In many cases (such as in the example above) the remote domain will be dom0, which is already fully trusted. However, if a unikernel shares memory with an untrusted domain then there is a problem.

Solution

Returning the result from the C stub required changes to the OCaml grant API to deal with the result. This turned out to be difficult because, for historical reasons, the OCaml part of the API was in the ocaml-gnt package while the C stubs were in mirage-xen, and because the C stubs are also shared with the Unix backend.

We instead created a new grant API in mirage-xen, migrated all existing Mirage drivers to use it, and then dropped support for the old API. mirage-xen 3.3.0 added support for the new API and 3.4.0 removed support for the old one.

Package Versions Affected

Package Version
patch Availability
No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request

CVSS Version

Severity
Base Score
CVSS Version
Score Vector
C
H
U
-
C
H
U
7.7
-
3.0
CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
C
H
U
-

Related Resources

No items found.

References

https://github.com/mirage/mirage-xen/pull/9, https://mirageos.org/blog/MSA02

Severity

7.7

CVSS Score
0
10

Basic Information

Ecosystem
Base CVSS
7.7
EPSS Probability
0%
EPSS Percentile
0%
Introduced Version
0
Fix Available
3.3.0,f86e173922233568158c605ab98add623bedf948

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.
Fix Without Upgrading