Dear Qubes Community,

We have published Qubes Security Bulletin (QSB) #35: Xen hypervisor issue related to grant tables (XSA-236). The text of this QSB is reproduced below. This QSB and its accompanying signatures will always be available in the Qubes Security Pack (qubes-secpack).

View QSB #35 in the qubes-secpack:

https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-035-2017.txt

Learn about the qubes-secpack, including how to obtain, verify, and read it:

https://www.qubes-os.org/security/pack/

View all past QSBs:

https://www.qubes-os.org/security/bulletins/

View XSA-236 in the XSA Tracker:

https://www.qubes-os.org/security/xsa/#236

             ---===[ Qubes Security Bulletin #35 ]===---

                          October 24, 2017


         Xen hypervisor issue related to grant tables (XSA-236)

Summary
========

The Xen Security Team has published Xen Security Advisory 236, which
concerns an issue with the grant tables mechanism used to share memory
between domains. The practical impact of this advisory is believed to
be denial of service only. However, privilege escalation and information
leaks are theoretically possible.

Technical details
==================

Xen Security Advisory 236 [1]:

| Grant copying code made an implication that any grant pin would be
| accompanied by a suitable page reference.  Other portions of code,
| however, did not match up with that assumption.  When such a grant
| copy operation is being done on a grant of a dying domain, the
| assumption turns out wrong.
|
| A malicious guest administrator can cause hypervisor memory
| corruption, most likely resulting in host crash and a Denial of
| Service.  Privilege escalation and information leaks cannot be ruled
| out.

Compromise Recovery
====================

Beginning with Qubes 3.2, we offer Paranoid Backup Restore Mode, which
was designed specifically to aid in the recovery of a potentially
compromised Qubes OS system. If you believe your system may be
compromised (perhaps because of the issue discussed in this bulletin),
please read and follow the procedure described here:

https://www.qubes-os.org/news/2017/04/26/qubes-compromise-recovery/

Patching
=========

The specific packages that resolve the problem discussed in this
bulletin are as follows:

  For Qubes 3.2:
  - Xen packages, version 4.6.6-34

  For Qubes 4.0:
  - Xen packages, version 4.8.2-9

The packages are to be installed in dom0 via the Qubes VM Manager or via
the qubes-dom0-update command as follows:

  For updates from the stable repository (not immediately available):
  $ sudo qubes-dom0-update

  For updates from the security-testing repository:
  $ sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing

A system restart will be required afterwards.

These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community.

If you use Anti Evil Maid, you will need to reseal your secret
passphrase to new PCR values, as PCR18+19 will change due to the new
Xen binaries.

Credits
========

See the original Xen Security Advisory.

References
===========

[1] https://xenbits.xen.org/xsa/advisory-236.html

-- 
The Qubes Security Team
https://www.qubes-os.org/security/