Message-Id: <E1qitNQ-0001Pu-0K@xenbits.xenproject.org>
Date: Wed, 20 Sep 2023 09:20:08 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org,
 xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security-team-members@....org>
Subject: Xen Security Advisory 438 v2 (CVE-2023-34322) - top-level shadow
 reference dropped too early for 64-bit PV guests

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2023-34322 / XSA-438
                               version 2

   top-level shadow reference dropped too early for 64-bit PV guests

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

For migration, as well as to work around guest kernels unaware of L1TF (see
XSA-273), PV guests may be run in shadow paging mode.  Since Xen itself
needs to be mapped while PV guests run, Xen and shadowed PV guests run
directly on the respective shadow page tables.  For 64-bit PV guests this
means running on the shadow of the guest root page table.

When a domain's shadow pool runs short of memory, shadows of page tables
may be torn down to free space.  The shadows torn down may include the
shadow root page table that the CPU in question is presently running on.
A precaution exists that is supposed to prevent the live root page table
from being torn down, but the time window that precaution covers is not
large enough.

IMPACT
======

Privilege escalation, Denial of Service (DoS) affecting the entire host,
and information leaks all cannot be ruled out.

VULNERABLE SYSTEMS
==================

All Xen versions from at least 3.2 onwards are vulnerable.  Earlier
versions have not been inspected.

Only x86 systems are vulnerable.  Only 64-bit PV guests can leverage the
vulnerability, and only when running in shadow mode.  Shadow mode would
be in use when migrating guests or as a workaround for XSA-273 (L1TF).

MITIGATION
==========

Running only HVM or PVH guests will avoid the vulnerability.

Running PV guests in the PV shim will also avoid the vulnerability.
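The advisory narrows the affected population to PV guests, so the first thing to check on a host is which domains are PV at all. The script below does that from `xl list -l` output; it is an added example and is not part of the advisory or of Xen's own tooling. The sample JSON is constructed to resemble libxl's long-listing format, and the key names `c_info`, `type` and `name` plus the lower-case type values `pv`, `hvm` and `pvh` are assumptions about that format that should be checked against real output on a dom0.

```shell
#!/bin/sh
# Added example, not from the advisory or from Xen itself: list the PV
# domains in `xl list -l` output, the population XSA-438 applies to.

# Constructed sample in the shape of libxl's JSON (assumption: "type" and
# "name" live under "c_info", and type values are lower-case pv/hvm/pvh).
SAMPLE_XL_LIST='[
    {
        "domid": 0,
        "config": {
            "c_info": {
                "type": "pv",
                "name": "Domain-0"
            }
        }
    },
    {
        "domid": 3,
        "config": {
            "c_info": {
                "type": "hvm",
                "name": "win2019"
            }
        }
    },
    {
        "domid": 5,
        "config": {
            "c_info": {
                "type": "pv",
                "name": "legacy-pv"
            }
        }
    },
    {
        "domid": 7,
        "config": {
            "c_info": {
                "type": "pvh",
                "name": "modern-pvh"
            }
        }
    }
]'

# pv_domain_names: read `xl list -l` JSON on stdin and print the name of
# every domain whose c_info type is "pv", one per line.  Only the c_info
# block is inspected, so "type" keys of devices later in a domain's config
# (USB controllers carry one, for instance) are ignored.
pv_domain_names() {
    awk '
        /"c_info":/            { in_cinfo = 1; is_pv = 0 }
        in_cinfo && /"type":/  { is_pv = ($0 ~ /"type": *"pv"/) }
        in_cinfo && /"name":/  {
            line = $0
            sub(/.*"name": *"/, "", line)   # drop everything before the value
            sub(/".*/, "", line)            # drop the closing quote and rest
            if (is_pv) print line
            in_cinfo = 0
        }
    '
}

# pv_domain_count: same input, prints the number of PV domains.
pv_domain_count() {
    pv_domain_names | wc -l | tr -d ' '
}

# Stand-alone run uses the constructed sample.  On a real dom0, pipe
# `xl list -l` into pv_domain_names instead.
printf '%s\n' "$SAMPLE_XL_LIST" | pv_domain_names
```

Two caveats when reading the result. The long listing does not say whether a PV guest is 32- or 64-bit, nor whether it is currently running in shadow mode, so every PV domain it prints should be treated as in scope until shown otherwise. Domain-0 is listed too when it is PV. Whether PV domUs are shadowed for the L1TF workaround depends on the `pv-l1tf` setting, which `xl info` shows as part of `xen_commandline`, and on the defaults of the Xen version in use; a live migration puts the guest into shadow mode regardless of that setting.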

CREDITS
=======

This issue was discovered by Tim Deegan, and Jan Beulich of SUSE.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa438.patch           xen-unstable
xsa438-4.17.patch      Xen 4.17.x
xsa438-4.16.patch      Xen 4.16.x
xsa438-4.15.patch      Xen 4.15.x

$ sha256sum xsa438*
f30067fa3732fb52042b14a2836b610c29af47461425f1a1ccec21cb8a5a48b1  xsa438.patch
a2e7d7c12ea19fb95e2d825fda5f7d0124cbb5c4a369cb58ab6036d266b7e297  xsa438-4.15.patch
eb75fbeb4aa635d6104c12acd5f7311e477f7c159f2ec4eca8a345327a9aee24  xsa438-4.16.patch
f3a305c86124e48b9afa14f3ba76b81d1f5d8d472e2412ae3d014305c749a86a  xsa438-4.17.patch
$
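Before applying a downloaded patch, its digest should be compared against the values printed above, since the attachments travel through list archives and mirrors that are not themselves signed. The script below is an added example, not part of the advisory: it carries the four sha256 values verbatim, checks whichever `xsa438*.patch` files are present in a directory, and refuses on any mismatch. The fallback to `shasum -a 256` for hosts without coreutils is an assumption about the local toolset.

```shell
#!/bin/sh
# Added example, not part of the advisory: verify downloaded XSA-438 patches
# against the sha256 values the advisory prints, before applying them.

# Digests copied verbatim from the advisory's RESOLUTION section.
XSA438_SHA256_UNSTABLE=f30067fa3732fb52042b14a2836b610c29af47461425f1a1ccec21cb8a5a48b1
XSA438_SHA256_4_15=a2e7d7c12ea19fb95e2d825fda5f7d0124cbb5c4a369cb58ab6036d266b7e297
XSA438_SHA256_4_16=eb75fbeb4aa635d6104c12acd5f7311e477f7c159f2ec4eca8a345327a9aee24
XSA438_SHA256_4_17=f3a305c86124e48b9afa14f3ba76b81d1f5d8d472e2412ae3d014305c749a86a

# sha256_of FILE: print the hex digest.  Prefers coreutils sha256sum and
# falls back to shasum(1) where coreutils is absent (assumed to exist there).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# verify_file FILE EXPECTED: return 0 if FILE's digest equals EXPECTED,
# 1 otherwise.  The comparison is on the full 64-hex-digit digest, never a
# prefix, and a missing file yields an empty digest and therefore a mismatch.
verify_file() {
    actual=$(sha256_of "$1") || return 1
    [ "$actual" = "$2" ]
}

# verify_xsa438 DIR: check every advisory patch present in DIR.  Absent files
# are reported and skipped (a downstream normally fetches only the patch for
# its branch); any present file with a wrong digest fails the whole run.
verify_xsa438() {
    dir=${1:-.}
    rc=0
    for entry in \
        "xsa438.patch      $XSA438_SHA256_UNSTABLE" \
        "xsa438-4.15.patch $XSA438_SHA256_4_15" \
        "xsa438-4.16.patch $XSA438_SHA256_4_16" \
        "xsa438-4.17.patch $XSA438_SHA256_4_17"
    do
        set -- $entry            # $1 = file name, $2 = expected digest
        path="$dir/$1"
        if [ ! -f "$path" ]; then
            echo "absent:   $path"
        elif verify_file "$path" "$2"; then
            echo "verified: $path"
        else
            echo "MISMATCH: $path (do not apply)" >&2
            rc=1
        fi
    done
    return $rc
}

# Stand-alone use: sh verify-xsa438.sh /path/to/downloaded/patches
if [ $# -gt 0 ]; then
    verify_xsa438 "$1"
fi
```

A non-zero exit from `verify_xsa438` means at least one patch that is present does not match the advisory; a clean run with every file reported as absent only means there was nothing to check. The digest check complements, and does not replace, verifying the PGP signature on the advisory text that carries the digests.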

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmUKuSAMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZtL0IAL3mXsj7Q5Xfu/Tof0a1ie7TnpvZ2qXxzoLlyiFR
Vra9gs83Nw7n45yXFFVLSzTjmz2bCbCmUowPp6TxF9Nawt0JocbF80JpYKEojEko
6B2BAdUFhPXtx1D6NruzG2gVr5qn/eNJjIIos0o7tzxtBPLKX9qzLh3FmZK5BJm2
HyKMLIEZuVipb3Qtb+avUDHvLjee6p4eaaWOk08g3sSWhtSfwxlS4IF9j1G2Oejj
QKZ1XILCP8miXmuUZJ/L/7CzFvOm+DKNVFZYhFT0fjDWk3vNhtLcBv5s36Z65gKK
MvKe7owffmclQLWjOekYNm8dG5gQ/OkWRAPbxiwRMegT22g=
=L3du
-----END PGP SIGNATURE-----

Download attachment "xsa438.patch" of type "application/octet-stream" (17005 bytes)

Download attachment "xsa438-4.15.patch" of type "application/octet-stream" (16486 bytes)

Download attachment "xsa438-4.16.patch" of type "application/octet-stream" (16142 bytes)

Download attachment "xsa438-4.17.patch" of type "application/octet-stream" (16350 bytes)
