osec-2019-02
Vulnerability from osv_ocaml
Background
MirageOS is a library operating system using cooperative multitasking, which can be executed as a guest of the Xen hypervisor. Virtual machines running on a Xen host can communicate by sharing pages of memory. For example, when a Mirage VM wants to use a virtual network device provided by a Linux dom0:
- The Mirage VM reserves some of its memory for this purpose and writes an entry to its grant table to say that dom0 should have access to it.
- The Mirage VM tells dom0 (via XenStore) about the grant.
- dom0 asks Xen to map the memory into its address space.
The Mirage VM and dom0 can now communicate using this shared memory. When dom0 has finished with the memory:
- dom0 tells Xen to unmap the memory from its address space.
- dom0 tells the Mirage VM that it no longer needs the memory.
- The Mirage VM removes the entry from its grant table.
- The Mirage VM may reuse the memory for other purposes.
Problem Description
Mirage removes the entry by calling the gnttab_end_access function in Mini-OS. This function checks whether the remote domain still has the memory mapped. If so, it returns 0 to indicate that the entry cannot be removed yet. To make this function available to OCaml code, the stub_gntshr_end_access C stub in mirage-xen wrapped this with the OCaml calling conventions. Unfortunately, it ignored the return code and reported success in all cases.
Impact
A malicious VM can tell a MirageOS unikernel that it has finished using some shared memory while it is still mapped. The Mirage unikernel will think that the unshare operation has succeeded and may reuse the memory, or allow it to be garbage collected. The malicious VM will still have access to the memory.
In many cases (such as in the example above) the remote domain will be dom0, which is already fully trusted. However, if a unikernel shares memory with an untrusted domain then there is a problem.
Solution
Returning the result from the C stub required changes to the OCaml grant API to deal with the result. This turned out to be difficult because, for historical reasons, the OCaml part of the API was in the ocaml-gnt package while the C stubs were in mirage-xen, and because the C stubs are also shared with the Unix backend.
We instead created a new grant API in mirage-xen, migrated all existing Mirage drivers to use it, and then dropped support for the old API. mirage-xen 3.3.0 added support for the new API and 3.4.0 removed support for the old one.
{
"affected": [
{
"ecosystem_specific": {
"opam_constraint": "mirage-xen {\u003c \"3.3.0\"}"
},
"package": {
"ecosystem": "opam",
"name": "mirage-xen",
"purl": "pkg:opam/mirage-xen"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.3.0"
}
],
"type": "ECOSYSTEM"
},
{
"events": [
{
"introduced": "0"
},
{
"fixed": "f86e173922233568158c605ab98add623bedf948"
}
],
"repo": "https://github.com/mirage/mirage-xen",
"type": "GIT"
}
],
"versions": [
"0.9.1",
"0.9.2",
"0.9.3",
"0.9.4",
"0.9.5",
"0.9.6",
"0.9.7",
"0.9.8",
"0.9.9",
"1.0.0",
"1.1.0",
"1.1.1",
"2.0.0",
"2.0.1",
"2.1.0",
"2.1.1",
"2.1.2",
"2.1.3",
"2.2.0",
"2.2.1",
"2.2.2",
"2.3.0",
"2.3.1",
"2.3.2",
"2.3.3",
"2.4.0",
"2.4.1",
"2.6.0",
"3.0.0",
"3.0.1",
"3.0.3",
"3.0.4",
"3.0.6",
"3.1.0",
"3.2.0"
]
}
],
"credits": [
{
"name": "Mindy Preston",
"type": "REPORTER"
},
{
"name": "Mindy Preston",
"type": "REMEDIATION_DEVELOPER"
},
{
"name": "Thomas Leonard",
"type": "REMEDIATION_DEVELOPER"
}
],
"database_specific": {
"cwe": [
"CWE-252"
],
"human_link": "https://github.com/ocaml/security-advisories/tree/main/advisories/2019/OSEC-2019-02.md",
"osv": "https://github.com/ocaml/security-advisories/tree/generated-osv/2019/OSEC-2019-02.json"
},
"details": "## Background\n\nMirageOS is a library operating system using cooperative multitasking, which can be executed as a guest of the Xen hypervisor. Virtual machines running on a Xen host can communicate by sharing pages of memory. For example, when a Mirage VM wants to use a virtual network device provided by a Linux dom0:\n\n1. The Mirage VM reserves some of its memory for this purpose and writes an entry to its grant table to say that dom0 should have access to it.\n2. The Mirage VM tells dom0 (via XenStore) about the grant.\n3. dom0 asks Xen to map the memory into its address space.\n\nThe Mirage VM and dom0 can now communicate using this shared memory. When dom0 has finished with the memory:\n\n1. dom0 tells Xen to unmap the memory from its address space.\n2. dom0 tells the Mirage VM that it no longer needs the memory.\n3. The Mirage VM removes the entry from its grant table.\n4. The Mirage VM may reuse the memory for other purposes.\n\n## Problem Description\n\nMirage removes the entry by calling the gnttab_end_access function in Mini-OS. This function checks whether the remote domain still has the memory mapped. If so, it returns 0 to indicate that the entry cannot be removed yet. To make this function available to OCaml code, the stub_gntshr_end_access C stub in mirage-xen wrapped this with the OCaml calling conventions. Unfortunately, it ignored the return code and reported success in all cases.\n\n## Impact\n\nA malicious VM can tell a MirageOS unikernel that it has finished using some shared memory while it is still mapped. The Mirage unikernel will think that the unshare operation has succeeded and may reuse the memory, or allow it to be garbage collected. The malicious VM will still have access to the memory.\n\nIn many cases (such as in the example above) the remote domain will be dom0, which is already fully trusted. However, if a unikernel shares memory with an untrusted domain then there is a problem.\n\n## Solution\n\nReturning the result from the C stub required changes to the OCaml grant API to deal with the result. This turned out to be difficult because, for historical reasons, the OCaml part of the API was in the ocaml-gnt package while the C stubs were in mirage-xen, and because the C stubs are also shared with the Unix backend.\n\nWe instead created a new grant API in mirage-xen, migrated all existing Mirage drivers to use it, and then dropped support for the old API. mirage-xen 3.3.0 added support for the new API and 3.4.0 removed support for the old one.",
"id": "OSEC-2019-02",
"modified": "2026-01-13T12:00:00Z",
"published": "2019-04-26T00:00:00Z",
"references": [
{
"type": "FIX",
"url": "https://github.com/mirage/mirage-xen/pull/9"
},
{
"type": "ADVISORY",
"url": "https://mirageos.org/blog/MSA02"
}
],
"schema_version": "1.7.4",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Grant unshare vulnerability in mirage-xen"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.