CVE-2017-14318 Information
Description
An issue was discovered in Xen 4.5.x through 4.9.x. The function __gnttab_cache_flush handles GNTTABOP_cache_flush grant table operations. It checks whether the calling domain is the owner of the page that is to be operated on. If it is not, the owner's grant table is checked to see whether a grant mapping to the calling domain exists for the page in question. However, the function does not check whether the owning domain actually has a grant table. Some special domains, such as DOMID_XEN, DOMID_IO and DOMID_COW, are created without grant tables. Hence, if __gnttab_cache_flush operates on a page owned by one of these special domains, it will attempt to dereference a NULL pointer in the domain struct.
CVSS Vector
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Reference
http://www.securityfocus.com/bid/100817
http://www.securitytracker.com/id/1039349
http://xenbits.xen.org/xsa/advisory-232.html
https://support.citrix.com/article/CTX227185
https://www.debian.org/security/2017/dsa-4050
Attack Complexity
LOW
Privileges Required
LOW
User Interaction Required
NONE
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
Base Score
6.5
Base Severity
MEDIUM