|
Message-Id: <E1iNxUJ-0002iy-7t@xenbits.xenproject.org> Date: Fri, 25 Oct 2019 11:10:35 +0000 From: Xen.org security team <security@....org> To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org, xen-users@...ts.xen.org, oss-security@...ts.openwall.com CC: Xen.org security team <security-team-members@....org> Subject: Xen Security Advisory 290 v3 (CVE-2019-17344) - missing preemption in x86 PV page table unvalidation -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory CVE-2019-17344 / XSA-290 version 3 missing preemption in x86 PV page table unvalidation UPDATES IN VERSION 3 ==================== CVE assigned. ISSUE DESCRIPTION ================= XSA-273 changes required, among other things, making any PTE updates restartable. The changes making PTE updates restartable assumed that L2 pagetables would always be promoted preemptibly; but this turns out not to be the case when using the 'linear pagetable' feature; the result was that interrupted operations are not handled properly in certain cases. Furthermore, previous security work making pagetable update preemptible failed to account for 'linear pagetables' at L3 and L4 levels, making it possible for operations to run for longer than acceptable times. IMPACT ====== Malicious or buggy x86 PV guest kernels can mount a Denial of Service (DoS) attack affecting the whole system. VULNERABLE SYSTEMS ================== All Xen versions are vulnerable. Only x86 systems are affected. ARM systems are not affected. Only Xen versions which permit linear page table use by PV guests are vulnerable. Only x86 PV guests can leverage this vulnerability. x86 HVM guests cannot leverage this vulnerability. MITIGATION ========== Not permitting linear page table use by PV guests avoids the vulnerability. This can be done both at build time, by turning off the PV_LINEAR_PT configure option, or at runtime, by passing specifying "pv-linear-pt=0" on the hypervisor command line. Doing so would, however, render PV guests using the functionality, like NetBSD, unusable. On systems where the guest kernel is controlled by the host rather than guest administrator, running only kernels which only issue sane hypercalls will prevent untrusted guest users from exploiting this issue. However untrusted guest administrators can still trigger it unless further steps are taken to prevent them from loading code into the kernel (e.g by disabling loadable modules etc) or from using other mechanisms which allow them to run code at kernel privilege. Running only HVM guests will avoid this vulnerability. CREDITS ======= This issue was discovered by Manuel Bouyer. RESOLUTION ========== Applying the appropriate pair of attached patches resolves this issue. xsa290/unstable-?.patch xen-unstable xsa290/4.11-?.patch Xen 4.11.x xsa290/4.10-?.patch Xen 4.10.x xsa290/4.9-?.patch Xen 4.9.x xsa290/4.8-?.patch Xen 4.8.x xsa290/4.7-?.patch Xen 4.7.x $ sha256sum xsa290* xsa290*/* e74014bf97f223f35dc6142fbfadd8a3df6c7ecf1818d5d04ebb717a1d600959 xsa290.meta 87ffaf9712bfd2283e845d168811e572b9ebc8a580e750128586a48e65ae4c67 xsa290/4.7-1.patch 4137eb15d963a77ff302cb65f9f04e402ea23f69042f89ece4baaf4b7a58d638 xsa290/4.7-2.patch 0f5ce8c13c99431cae69736e117c7420c3202e3a680b42a66027646ae0aa141c xsa290/4.8-1.patch bb4102dd6f3daf60859a88b6a2f0828bc8aeb224d3d3b6fd2d2cc96b3f131a24 xsa290/4.8-2.patch a7e4902968529289c63149608d48e1eeac2feffa644e1337b1b5b9a624dc746d xsa290/4.9-1.patch 7798b063a8db95fc18bca1ea25d84937fbe9c6e0add15056841fd97d5aec2885 xsa290/4.9-2.patch 3a0bf44875bb5a8525b4418d6efd49bd6ed6cfaffe669cbdcfde61a65fe9cdea xsa290/4.10-1.patch 1e7dfe1b0c57e245daef1351db855a9312a4c225c05a6720460ea4aa1148ee22 xsa290/4.10-2.patch 3dd47f3bc1a004260d05cba548a80e475f85ffe60b663879de386e32a8e9ffbc xsa290/4.11-1.patch b3b17546fc553bf60572cf56023d8177f96973fcd072a8adfc622b4030e58d00 xsa290/4.11-2.patch 4ff1d857f46a781fd7483a30297ebf51bf079ccd1d598df799e5779ddc893674 xsa290/unstable-1.patch 3a85ecc426d482052aaf2a84bfde9840eb7a566638dbab042dac84b0019ca473 xsa290/unstable-2.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or the HVM-only as well as host controlled kernel mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. HOWEVER deployment of the "pv-linear-pt=0" mitigation described above is NOT permitted (except where all the affected systems and VMs are administered and used only by organisations which are members of the Xen Project Security Issues Predisclosure List). Specifically, deployment on public cloud systems is NOT permitted. This is because in that case the configuration change is visible to the guest, which could lead to the rediscovery of the vulnerability. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAl2y19YMHHBncEB4ZW4u b3JnAAoJEIP+FMlX6CvZj0kIAK0GjYVugAQ4Neq0Dsr9JZFKdPCV+AiBRg2Di8ME HvLYoMzG7OOP7L0LnyZh1qSxfCXalKuMitNhOFH4zUHIOl4XA8iSEmxKhE6aKXCu TLngS5KCsqXb11+vDJsx7K4Z5UW7AXZwpI6jfi5nmXBEhRo9rdvO0y7I+j9x3v08 4TNSRE6lIO2OePCwOHbE9iUCHOvpldJ6PG9tDsBwsWdWgiMsPHk5XZI1Saiqa2r0 yoMD+ma6huWVph1Th+qlpjy1IORwcRp/y1OcSXzB8QX0Oz2ynaO/BZZNnm4LS3sD Ub9BlY01fC/g1evvh97/M//D4GRP6xEe5g3n2V5drD6Zaws= =dqbz -----END PGP SIGNATURE----- Download attachment "xsa290.meta" of type "application/octet-stream" (2065 bytes) Download attachment "xsa290/4.7-1.patch" of type "application/octet-stream" (7000 bytes) Download attachment "xsa290/4.7-2.patch" of type "application/octet-stream" (2309 bytes) Download attachment "xsa290/4.8-1.patch" of type "application/octet-stream" (7473 bytes) Download attachment "xsa290/4.8-2.patch" of type "application/octet-stream" (2309 bytes) Download attachment "xsa290/4.9-1.patch" of type "application/octet-stream" (7492 bytes) Download attachment "xsa290/4.9-2.patch" of type "application/octet-stream" (2309 bytes) Download attachment "xsa290/4.10-1.patch" of type "application/octet-stream" (7538 bytes) Download attachment "xsa290/4.10-2.patch" of type "application/octet-stream" (2235 bytes) Download attachment "xsa290/4.11-1.patch" of type "application/octet-stream" (7479 bytes) Download attachment "xsa290/4.11-2.patch" of type "application/octet-stream" (2235 bytes) Download attachment "xsa290/unstable-1.patch" of type "application/octet-stream" (7491 bytes) Download attachment "xsa290/unstable-2.patch" of type "application/octet-stream" (2244 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.