Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1if0o0-0001cS-Uo@xenbits.xenproject.org>
Date: Wed, 11 Dec 2019 12:09:24 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org,
 xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security-team-members@....org>
Subject: Xen Security Advisory 311 v4 (CVE-2019-19577) - Bugs in dynamic
 height handling for AMD IOMMU pagetables

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2019-19577 / XSA-311
                               version 4

         Bugs in dynamic height handling for AMD IOMMU pagetables

UPDATES IN VERSION 4
====================

Public release.

Re-base 4.12 patch onto latest stable tree commits.

Updated metadata to add 4.13, update StableRef's

ISSUE DESCRIPTION
=================

When running on AMD systems with an IOMMU, Xen attempted to
dynamically adapt the number of levels of pagetables (the pagetable
height) in the IOMMU according to the guest's address space size.  The
code to select and update the height had several bugs.

Notably, the update was done without taking a lock which is necessary
for safe operation.

IMPACT
======

A malicious guest administrator can cause Xen to access data
structures while they are being modified, causing Xen to crash.
Privilege escalation is thought to be very difficult but cannot be
ruled out.

Additionally, there is a potential memory leak of 4kb per guest boot,
under memory pressure.

VULNERABLE SYSTEMS
==================

Only Xen on AMD CPUs is vulnerable.  Xen running on Intel CPUs is not
vulnerable.  ARM systems are not vulnerable.

Only systems where guests are given direct access to physical devices
are vulnerable.  Systems which do not use PCI pass-through are not
vulnerable.

Only HVM guests can exploit the vulnerability.  PV and PVH guests
cannot.

All versions of Xen with IOMMU support are vulnerable.

MITIGATION
==========

In some configurations, use of passthrough can be replaced with a
higher-level protocol such as Xen PV block or network devices.
There is no other mitigation.

CREDITS
=======

This issue was discovered by Sander Eikelenboom, along with Andrew Cooper of
Citrix.

RESOLUTION
==========

Applying the appropriate (set of) attached patch(es) resolves this issue.

xsa311.patch           xen-unstable, Xen 4.13.x
xsa311-4.12.patch      Xen 4.12.x
xsa311-4.11.patch      Xen 4.11.x
xsa311-4.10-*.patch    Xen 4.10.x
xsa311-4.9-*.patch     Xen 4.9.x
xsa311-4.8-*.patch     Xen 4.8.x

$ sha256sum xsa311*
ea929752043b5d4659cb605314887441daa33ee6450e755d6f077e57fc7abf9e  xsa311.meta
732975f33b6d893b984540c4c748eb5cdf1cf81bd565e41b57795458cae3ccad  xsa311.patch
27e30da9360eec850f6e7d8f2ea465d2f00a5a5a45c43042e4c18786c6c9338f  xsa311-4.8-1.patch
6e2372eb18f3ca25093445a93bcdf674ed2d7d3012e8611911ea2b9ca8d58bd4  xsa311-4.8-2.patch
c73bee7aa8fac02d0982b4fb21de053918f80cc0158bd5bfca68e3dc994759be  xsa311-4.9-1.patch
e89f5c381bd6a8fa8c5f63a829b586fdbefefe311c0f1084d2baeea3e933da66  xsa311-4.9-2.patch
c73bee7aa8fac02d0982b4fb21de053918f80cc0158bd5bfca68e3dc994759be  xsa311-4.10-1.patch
189a51048ad88efd855e6e78a307fff68e0c139225ce528c253558d266fffe02  xsa311-4.10-2.patch
1aaf26d1c231c8b5dd00900c00c18bf884d23b9568c9746866d92f39daf1c02f  xsa311-4.11.patch
5f43fa4628f6d1a8f6f903e662226a09524b8c354e06e1a6039837db656c0218  xsa311-4.12.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAl3w3F8MHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZgF0IAIOtY9LMbRkBWgc16lOs+MTDOC7h4fYqofjQetFN
wAJ2Q3w2QXN+Zt54L8dmc6+Zzvn9Do4AJeMvfCzFxuw2OaMBwcwI9DcEbZ+CvYsa
hiXf9xKBBEfCu8PjisRnBqKuyqrLQdBSad9vXcGOVloXiFzJ1wbKnSMBNig9ZTi2
us3c9MeUTnf95W/KTQNe2Gu8KQiogzzBUUifdB6YU0MNNhL60OzfSwgautD9XHfA
+NcRogDnf6KgAs6VKgHSDxyVWbvnaWvKWGF2M2QXwXHjqCH/ox87OIIgZ/HSodXB
e07vCaweCG4GgWDGQN5K3+9Cu1B6+t0RYzPYmuhPDy/kWF0=
=RJ0B
-----END PGP SIGNATURE-----

Download attachment "xsa311.meta" of type "application/octet-stream" (2276 bytes)

Download attachment "xsa311.patch" of type "application/octet-stream" (7441 bytes)

Download attachment "xsa311-4.8-1.patch" of type "application/octet-stream" (3560 bytes)

Download attachment "xsa311-4.8-2.patch" of type "application/octet-stream" (7974 bytes)

Download attachment "xsa311-4.9-1.patch" of type "application/octet-stream" (3544 bytes)

Download attachment "xsa311-4.9-2.patch" of type "application/octet-stream" (8002 bytes)

Download attachment "xsa311-4.10-1.patch" of type "application/octet-stream" (3544 bytes)

Download attachment "xsa311-4.10-2.patch" of type "application/octet-stream" (7059 bytes)

Download attachment "xsa311-4.11.patch" of type "application/octet-stream" (7066 bytes)

Download attachment "xsa311-4.12.patch" of type "application/octet-stream" (7497 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.