Message-Id: <E1ruA9m-0002tQ-By@xenbits.xenproject.org>
Date: Tue, 09 Apr 2024 12:00:54 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org,
 xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security-team-members@....org>
Subject: Xen Security Advisory 454 v2 (CVE-2023-46842) - x86 HVM
 hypercalls may trigger Xen bug check

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2023-46842 / XSA-454
                               version 2

             x86 HVM hypercalls may trigger Xen bug check

UPDATES IN VERSION 2
====================

Avoid new Misra violation in 1st staging patch.

Public release.

ISSUE DESCRIPTION
=================

Unlike 32-bit PV guests, HVM guests may switch freely between 64-bit and
other modes.  This in particular means that they may set registers used
to pass 32-bit-mode hypercall arguments to values outside of the range
32-bit code would be able to set them to.

When processing of hypercalls takes a considerable amount of time,
the hypervisor may choose to invoke a hypercall continuation.  Doing so
involves putting (perhaps updated) hypercall arguments in respective
registers.  For guests not running in 64-bit mode this further involves
a certain amount of translation of the values.

Unfortunately, internal sanity checking of these translated values
assumes the high halves of registers to always be clear when invoking a
hypercall.  When this is found not to be the case, it triggers a
consistency check in the hypervisor and causes a crash.
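
The assumption-versus-enforcement distinction above, as an added illustration that is not Xen's code: a toy C model of a guest that is no longer in 64-bit mode but still holds bits above 32 in an argument register. The fragile path writes the continuation's updated argument back and only then checks the invariant, returning false where the hypervisor's consistency check would fire; the hardened path establishes the invariant on entry by truncating the registers to the width the guest's mode could legitimately have set. The `struct hc_regs`, the `GUEST_COMPAT` mode name, the `continuation_*` functions and the `progress` update are constructed for this example and are not Xen's internal names or logic.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model of the XSA-454 invariant (not Xen's real cpu_user_regs
 * or hypercall code).  GUEST_COMPAT stands for any non-64-bit mode.
 */
enum guest_mode { GUEST_64BIT, GUEST_COMPAT };

#define NR_ARGS 5

struct hc_regs {
    enum guest_mode mode;
    uint64_t arg[NR_ARGS];   /* registers carrying hypercall arguments */
};

/* Invariant the sanity check relies on: a guest not in 64-bit mode is assumed
 * to have been able to set only the low 32 bits of each argument register. */
static bool high_halves_clear(const struct hc_regs *r)
{
    for (int i = 0; i < NR_ARGS; i++)
        if (r->arg[i] >> 32)
            return false;
    return true;
}

/*
 * Fragile continuation setup: arg[1] is advanced by 'progress' (the way a
 * long-running hypercall records how far it got) and the invariant is only
 * checked afterwards, never established.  Returns false exactly where the
 * hypervisor's bug check would fire, i.e. the host-crashing path.
 */
static bool continuation_fragile(struct hc_regs *r, uint32_t progress)
{
    r->arg[1] += progress;
    if (r->mode == GUEST_64BIT)
        return true;
    return high_halves_clear(r);   /* assumed to hold, but guest-controlled */
}

/* Hardened variant: truncate the argument registers on entry to what the
 * guest's current mode could legitimately have set. */
static void normalise_on_entry(struct hc_regs *r)
{
    if (r->mode != GUEST_64BIT)
        for (int i = 0; i < NR_ARGS; i++)
            r->arg[i] = (uint32_t)r->arg[i];
}

static bool continuation_hardened(struct hc_regs *r, uint32_t progress)
{
    normalise_on_entry(r);
    if (r->mode == GUEST_64BIT) {
        r->arg[1] += progress;
        return true;
    }
    /* Same update, performed in the register width of the guest's mode. */
    r->arg[1] = (uint32_t)(r->arg[1] + progress);
    return high_halves_clear(r);   /* now holds by construction */
}

int main(void)
{
    /* Constructed state: a guest now in 32-bit mode whose argument register
     * still carries bits above 32 that it set earlier in 64-bit mode. */
    struct hc_regs fragile = { GUEST_COMPAT, { 0, 0x100000010ull, 0, 0, 0 } };
    struct hc_regs hardened = fragile;

    printf("fragile path:  %s\n",
           continuation_fragile(&fragile, 0x20) ? "check passes" : "bug check fires");
    printf("hardened path: %s (arg1 = %#llx)\n",
           continuation_hardened(&hardened, 0x20) ? "check passes" : "bug check fires",
           (unsigned long long)hardened.arg[1]);
    return 0;
}
```

The design point is that a check on guest-controlled state is only safe once the hypervisor has itself established the property being checked; truncating on entry turns the assertion into a tautology for non-64-bit guests while leaving 64-bit guests' full registers untouched.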

IMPACT
======

An HVM or PVH guest can cause a hypervisor crash, causing a Denial of
Service (DoS) of the entire host.

VULNERABLE SYSTEMS
==================

All Xen versions from at least 3.2 onwards are vulnerable.  Earlier
versions have not been inspected.

Only x86 systems are vulnerable.  Arm systems are not vulnerable.

Only HVM or PVH guests can leverage the vulnerability.  PV guests cannot
leverage the vulnerability.

MITIGATION
==========

Not using HVM / PVH guests will avoid the vulnerability.

CREDITS
=======

This issue was discovered by Manuel Andreas of Technical University of
Munich.

RESOLUTION
==========

Applying either of the attached patches from the appropriate set resolves
this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa454-?.patch           xen-unstable
xsa454-4.18-?.patch      Xen 4.18.x
xsa454-4.17-?.patch      Xen 4.17.x
xsa454-4.16-?.patch      Xen 4.16.x - Xen 4.15.x

$ sha256sum xsa454*
2df9af16605b634d3585a30f673b4cf9e327889cfd8714a697de215c3f809fb5  xsa454-1.patch
f2ed0468350f2c2e0285a546ab5c722e928add5425b05bff663c632ada09ee3b  xsa454-2.patch
4106f323251e262d30319c61de7c876f2b18edfcce38cc70501fb3c22677ff0a  xsa454-4.16-1.patch
962ea7d8f3e378ec775619e44525f66768369423b56113420763651dbbf6bc1e  xsa454-4.16-2.patch
95b299237d13ae27f643d804eb40b600b9b8ef056953686d4f770f03c46c42c8  xsa454-4.17-1.patch
7af290595cbea3153e49344827095c874e6a8d208d8c843e62ee0787b0d7d46d  xsa454-4.17-2.patch
999006e7917c996741dfc332d28e7b2ca8376f8e9d5b38161cbd5988528d0238  xsa454-4.18-1.patch
f2ed0468350f2c2e0285a546ab5c722e928add5425b05bff663c632ada09ee3b  xsa454-4.18-2.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decision-making.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmYVK4QMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZGckH/3BlZCckKISpUFMM/633xyAdJ8ZMVwZDhS2/eC+n
SJA4VuqAgw6dqqvAA5ga7jzBiCxe78S1BVXAZjOctmfVHRTOoyKg2hcEcKAit8uf
Pbxm/XHqgQRb6FTAlZROqX0rxq+7kSftm0teQWvMfauwVia59Shhye67dmdk9tCP
G8BTDFVEAspFYopQOiTmFQbxIkLLC6rg0UljQfxStPMw3MyX8pO5Lzl3+POlM1xV
XBynHxVmpdXNe1rFYcRKIsQWbbgYiEMXjQmOkax2mTfMHDhMZjkxvpLZa2jMfzkP
wTdqwWqO+z2eGZPWVL95uwZ49Q6Pzhnd6MXkn0wfHtDzy24=
=oUIS
-----END PGP SIGNATURE-----

Attachments (all of type application/octet-stream):

xsa454-1.patch           3549 bytes
xsa454-2.patch           2792 bytes
xsa454-4.16-1.patch      3432 bytes
xsa454-4.16-2.patch      3040 bytes
xsa454-4.17-1.patch      3438 bytes
xsa454-4.17-2.patch      3040 bytes
xsa454-4.18-1.patch      3427 bytes
xsa454-4.18-2.patch      2792 bytes
