Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1tApeQ-001S1e-2f@xenbits.xenproject.org>
Date: Tue, 12 Nov 2024 12:05:42 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org,
 xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security-team-members@....org>
Subject: Xen Security Advisory 463 v2 (CVE-2024-45818) - Deadlock in x86
 HVM standard VGA handling

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2024-45818 / XSA-463
                               version 2

               Deadlock in x86 HVM standard VGA handling

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

The hypervisor contains code to accelerate VGA memory accesses for HVM
guests, when the (virtual) VGA is in "standard" mode.  Locking involved
there has an unusual discipline, leaving a lock acquired past the
return from the function that acquired it.  This behavior results in a
problem when emulating an instruction with two memory accesses, both of
which touch VGA memory (plus some further constraints which aren't
relevant here).  When emulating the 2nd access, the lock that is already
being held would be attempted to be re-acquired, resulting in a
deadlock.

This deadlock was already found when the code was first introduced, but
was analysed incorrectly and the fix was incomplete.  Analysis in light
of the new finding cannot find a way to make the existing locking
discipline work.

In staging, this logic has all been removed because it was discovered
to be accidentally disabled since Xen 4.7.  Therefore, we are fixing the
locking problem by backporting the removal of most of the feature.  Note
that even with the feature disabled, the lock would still be acquired
for any accesses to the VGA MMIO region.

IMPACT
======

A (not necessarily malicious) HVM guest kernel can lock up the entire
host.

VULNERABLE SYSTEMS
==================

Xen versions 4.6 through 4.19 are vulnerable.  Staging (4.20 dev) is
not vulnerable; as noted above, the functionality was already removed
prior to the discovery of this issue.

Only x86 systems running HVM guests are vulnerable.  Architectures other
than x86 are not vulnerable.

Only HVM guests can leverage the vulnerability.  PVH and PV guests
cannot leverage the vulnerability.

MITIGATION
==========

Running only PV or PVH guests will avoid this vulnerability.

CREDITS
=======

This issue was discovered by Manuel Andreas of Technical University of
Munich.

RESOLUTION
==========

Applying the appropriate set of attached patches resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa463/xsa463-4.19-??.patch      Xen 4.19.x
xsa463/xsa463-4.18-??.patch      Xen 4.18.x
xsa463/xsa463-4.17-??.patch      Xen 4.17.x
xsa463/xsa463-4.16-??.patch      Xen 4.16.x

$ sha256sum xsa463*/*
405655548529a52ced40b42341a7e991945ff5f7851709b60d85a1d1a03a0f7f  xsa463/xsa463-4.16-01.patch
6bf659c0cec609f79101b237b6ac07274b4f08b20ac24d4b399732d6c3dbae3b  xsa463/xsa463-4.16-02.patch
2ae4413ac1781506353a34b6a3b5836bc426ceae789696e9c1fe6274d67e073d  xsa463/xsa463-4.16-03.patch
87d2515141f6900c2f20ed449cf86cc82928fcf2b0424c2faa9b8cfa49940447  xsa463/xsa463-4.16-04.patch
227bf1f048dfa389b04d8208f0003f77c006340d9258906ce21bf3f5fa226a67  xsa463/xsa463-4.16-05.patch
13d17ec4ce9c4844ddf33d2f034f354e9b9907425b98d242e0472021d3ae2c4a  xsa463/xsa463-4.16-06.patch
ad0c25dcf768dfe88084f34f15e9b9bc91f32f3c8c281b172da673aadc568b54  xsa463/xsa463-4.16-07.patch
065395ea7b4eb9ca26c48a110ea03ceac243a4c9390e25e044d134408ddc88e0  xsa463/xsa463-4.16-08.patch
6c4ad589e979e200dee6ec060832489a841b91751801e42f63d8e7aa2f7bc1f5  xsa463/xsa463-4.16-09.patch
3ce5056d796811c930b6b6453a18fd285d50e871135b22dacbed845b9e2e6fd7  xsa463/xsa463-4.16-10.patch
f6be5907e34c9bdceafd56b413b26b9dea44faae6db49ee15c0866056880a615  xsa463/xsa463-4.17-01.patch
1907bf226db3f67be539ae70c581969011ee77e4161993e8e68aef66625f62c9  xsa463/xsa463-4.17-02.patch
6c51a337b50cba01b5255c12276ed63ab771ddb12a104e468c436328fab27ca6  xsa463/xsa463-4.17-03.patch
efc532d8382d8d765e43cfd72edc3d0d4555a3a9faa019f77ef85979f241c265  xsa463/xsa463-4.17-04.patch
3b7cf5ff13e7a6080b16d56fe713369cc027928f00dc85508593b549f2195e09  xsa463/xsa463-4.17-05.patch
a2f1000352d3f426bb6a07ffb0e9fb942975b49da1c6dd1109bce167acd37778  xsa463/xsa463-4.17-06.patch
544d02f57b7f2c4101a3ccd3f4fc5a68e168bcf7806f19677c1675f96d16ce34  xsa463/xsa463-4.17-07.patch
93d422d0e143884ffd51ecebd0bad08a75002e61b0d5af4b38ac0d190b29039a  xsa463/xsa463-4.17-08.patch
759ea086c438f9fb7dedb0b60b5455b81d0452c693f88c270e3bd3911ea26a43  xsa463/xsa463-4.17-09.patch
94162a21fa97f041abf94a32b9999d98d16055b1f6e2e4230d123f4c8ef202fb  xsa463/xsa463-4.17-10.patch
a19b7675c633f5d33fc611a1a258c2a1f579e170245cf021662b056c144ce6b1  xsa463/xsa463-4.18-01.patch
61db94f3e856593c1a58e1c32863ce4228ee2bedeac5f56ddd527b7fd4dd91ee  xsa463/xsa463-4.18-02.patch
211df1a265f657d6a601fa56b592030b8db5856399531cf825f2e74f10e6f054  xsa463/xsa463-4.18-03.patch
f1be6433e2223acd67301b78978d24114adc5021a67ed0874e57d70e05c05fab  xsa463/xsa463-4.18-04.patch
79e050d6d9ed2cf5e3dbaff035d5cc00b727ccb5ddfcda0cf8e475f799f980bd  xsa463/xsa463-4.18-05.patch
823f7214aa1ad325b34da965fef48c6b3bf805ecf41532cdf0ccd283d1bf1708  xsa463/xsa463-4.18-06.patch
4cad1195998178c771f960d435d4d60c40dfc311a71e1d0a0be2bc651dd97076  xsa463/xsa463-4.18-07.patch
569e555814834c99b0316c1c664cf08d16807ef7d08520d7ed9c01c914dbe1dc  xsa463/xsa463-4.18-08.patch
8c28ba35b79648fde1290f307e34a6594ec091f38e8ec4d11f07377aeac82149  xsa463/xsa463-4.18-09.patch
82b4a135fe27bf581996c334a5d3306b5aecb1a5dbefcc5cd1f151bdf1237f22  xsa463/xsa463-4.19-01.patch
b158d65fe3775b84192c205adda5f461c82a76f6c58aa03e0d1958062023a4ad  xsa463/xsa463-4.19-02.patch
53135fc79a440a03141dab05f2d02e784dfed226d0faadc014b2b14fb1e6bbbe  xsa463/xsa463-4.19-03.patch
e54ea9cbf82881d21c2b5b407803eeae948b9f804e5c643431b95dc5430be345  xsa463/xsa463-4.19-04.patch
65195bc7a52aa3582fd94010b95fc39979f1aad5ac961fe625c89573276b4b40  xsa463/xsa463-4.19-05.patch
cf8e589067ee08c628fd65ee3726546a27f39dc3098283346126f6745cc2aa9a  xsa463/xsa463-4.19-06.patch
b13f01ea76a54dd6b2290afeaf6f6790892050588f128a276e408340afd6eb6a  xsa463/xsa463-4.19-07.patch
dfd48e8f925ff487c6b8c2aaeec58442a9b9bdef98461e59191cd20a2094bad9  xsa463/xsa463-4.19-08.patch
8c28ba35b79648fde1290f307e34a6594ec091f38e8ec4d11f07377aeac82149  xsa463/xsa463-4.19-09.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmczQ/UMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZA/oH/iNqbCCBE9lP+Wao3Zkzuo+krvVfd3f6am/jzp/J
DT39YZpRsZPLKGE3NKf12y88A0aFpVq2ZBE4efubx3tS1hJqf4AmQ2AOlHAAkFa4
d966jzX/8wFmuO0HnRgHI5Z3mADQEQL8TLeb8rAuPuqguusX7RoG4vvLNQmy/S9T
50CYU86AN9Of3jaUVZQp10N6O9fnV/D3X6rKWoBTOSGDMnYf4mh6FgPcntg9sKjQ
QGzlZXpEi3Bjs37vtaDi7cgQ8TDGJGVAsBC1d4IUufvlqYycjAgZN0ukOAmn9mMl
6/mDQdgGhRMJMvho57jGnaNQsjtovA7eBjtiU0tABeyh9og=
=KD+y
-----END PGP SIGNATURE-----

Download attachment "xsa463/xsa463-4.16-01.patch" of type "application/octet-stream" (4805 bytes)

Download attachment "xsa463/xsa463-4.16-02.patch" of type "application/octet-stream" (1447 bytes)

Download attachment "xsa463/xsa463-4.16-03.patch" of type "application/octet-stream" (3637 bytes)

Download attachment "xsa463/xsa463-4.16-04.patch" of type "application/octet-stream" (10592 bytes)

Download attachment "xsa463/xsa463-4.16-05.patch" of type "application/octet-stream" (1940 bytes)

Download attachment "xsa463/xsa463-4.16-06.patch" of type "application/octet-stream" (1923 bytes)

Download attachment "xsa463/xsa463-4.16-07.patch" of type "application/octet-stream" (2898 bytes)

Download attachment "xsa463/xsa463-4.16-08.patch" of type "application/octet-stream" (3169 bytes)

Download attachment "xsa463/xsa463-4.16-09.patch" of type "application/octet-stream" (3362 bytes)

Download attachment "xsa463/xsa463-4.16-10.patch" of type "application/octet-stream" (4641 bytes)

Download attachment "xsa463/xsa463-4.17-01.patch" of type "application/octet-stream" (4767 bytes)

Download attachment "xsa463/xsa463-4.17-02.patch" of type "application/octet-stream" (1417 bytes)

Download attachment "xsa463/xsa463-4.17-03.patch" of type "application/octet-stream" (3561 bytes)

Download attachment "xsa463/xsa463-4.17-04.patch" of type "application/octet-stream" (10557 bytes)

Download attachment "xsa463/xsa463-4.17-05.patch" of type "application/octet-stream" (1960 bytes)

Download attachment "xsa463/xsa463-4.17-06.patch" of type "application/octet-stream" (1943 bytes)

Download attachment "xsa463/xsa463-4.17-07.patch" of type "application/octet-stream" (2916 bytes)

Download attachment "xsa463/xsa463-4.17-08.patch" of type "application/octet-stream" (3189 bytes)

Download attachment "xsa463/xsa463-4.17-09.patch" of type "application/octet-stream" (3363 bytes)

Download attachment "xsa463/xsa463-4.17-10.patch" of type "application/octet-stream" (4593 bytes)

Download attachment "xsa463/xsa463-4.18-01.patch" of type "application/octet-stream" (4795 bytes)

Download attachment "xsa463/xsa463-4.18-02.patch" of type "application/octet-stream" (3561 bytes)

Download attachment "xsa463/xsa463-4.18-03.patch" of type "application/octet-stream" (10557 bytes)

Download attachment "xsa463/xsa463-4.18-04.patch" of type "application/octet-stream" (1960 bytes)

Download attachment "xsa463/xsa463-4.18-05.patch" of type "application/octet-stream" (1943 bytes)

Download attachment "xsa463/xsa463-4.18-06.patch" of type "application/octet-stream" (2916 bytes)

Download attachment "xsa463/xsa463-4.18-07.patch" of type "application/octet-stream" (3189 bytes)

Download attachment "xsa463/xsa463-4.18-08.patch" of type "application/octet-stream" (3363 bytes)

Download attachment "xsa463/xsa463-4.18-09.patch" of type "application/octet-stream" (4593 bytes)

Download attachment "xsa463/xsa463-4.19-01.patch" of type "application/octet-stream" (4853 bytes)

Download attachment "xsa463/xsa463-4.19-02.patch" of type "application/octet-stream" (3559 bytes)

Download attachment "xsa463/xsa463-4.19-03.patch" of type "application/octet-stream" (10573 bytes)

Download attachment "xsa463/xsa463-4.19-04.patch" of type "application/octet-stream" (1960 bytes)

Download attachment "xsa463/xsa463-4.19-05.patch" of type "application/octet-stream" (1943 bytes)

Download attachment "xsa463/xsa463-4.19-06.patch" of type "application/octet-stream" (2916 bytes)

Download attachment "xsa463/xsa463-4.19-07.patch" of type "application/octet-stream" (3189 bytes)

Download attachment "xsa463/xsa463-4.19-08.patch" of type "application/octet-stream" (3363 bytes)

Download attachment "xsa463/xsa463-4.19-09.patch" of type "application/octet-stream" (4593 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.