
====================================================================

                             CERT-Renater

                 Note d'Information No. 2019/VULN351

_____________________________________________________________________

DATE                : 06/11/2019

HARDWARE PLATFORM(S): ARM, x86.

OPERATING SYSTEM(S): Systems running Xen.

=====================================================================
https://xenbits.xen.org/xsa/advisory-301.html
https://xenbits.xen.org/xsa/advisory-302.html
https://xenbits.xen.org/xsa/advisory-303.html
https://xenbits.xen.org/xsa/advisory-299.html
https://xenbits.xen.org/xsa/advisory-298.html
_____________________________________________________________________

            Xen Security Advisory CVE-2019-18423 / XSA-301
                               version 3

             add-to-physmap can be abused to DoS Arm hosts

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

p2m->max_mapped_gfn is used by the functions
p2m_resolve_translation_fault() and p2m_get_entry() to sanity-check the
guest physical frame.  The rest of the code in the two functions then
assumes that a valid root table exists and enforces that with BUG_ON().

The function p2m_get_root_pointer() ignores the unused top bits of a
guest physical frame.  This means that p2m_set_entry() will create the
mapping for an aliased frame (the one with those bits cleared), while
p2m->max_mapped_gfn is updated using the original, unmasked frame.

It would be possible to set p2m->max_mapped_gfn high enough to cover a
frame that would lead p2m_get_root_pointer() to return NULL in
p2m_get_entry() and p2m_resolve_translation_fault().

Additionally, the sanity check on p2m->max_mapped_gfn is off-by-one,
allowing "highest mapped + 1" to be considered valid even though
p2m_get_root_pointer() will return NULL for it.

The problem can be triggered with a specially crafted
XENMEM_add_to_physmap{,_batch} hypercall followed by an access to an
address (via hypercall or direct access) that passes the sanity check
but causes p2m_get_root_pointer() to return NULL.
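
The aliasing and the off-by-one described above, as a self-contained C
model added for this note.  It is not Xen source: the frame layout, the
IDX_BITS/SEL_BITS/ROOT_PAGES sizes and the function names are
assumptions chosen to mirror the advisory's description.  The
vulnerable pair maps the masked frame but records the unmasked one, one
past the end; the hardened pair refuses frames the root table cannot
address, records the last mapped frame inclusively, and treats a NULL
root pointer as "not mapped" instead of hitting BUG_ON():

```c
/*
 * Simplified model of the XSA-301 bug class (added illustration, not
 * Xen code).  Assumed frame layout:
 *   bits [0, IDX_BITS)          index into one root page
 *   bits [IDX_BITS, ADDR_BITS)  select the root page
 *   bits [ADDR_BITS, 64)        "unused top bits"
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IDX_BITS    8u
#define SEL_BITS    2u
#define ROOT_PAGES  2u                      /* only 2 of the 4 selectable pages exist */
#define ADDR_BITS   (IDX_BITS + SEL_BITS)
#define IDX_MASK    ((1ull << IDX_BITS) - 1)
#define SEL_MASK    ((1ull << SEL_BITS) - 1)
#define NO_MFN      UINT64_MAX

struct p2m {
    uint64_t max_mapped_gfn;
    uint64_t root[ROOT_PAGES][1u << IDX_BITS];
};

enum lookup { MAPPED, NOT_MAPPED, HIT_BUG_ON, MAP_REFUSED };

static void p2m_init(struct p2m *p2m)
{
    memset(p2m->root, 0xff, sizeof(p2m->root));   /* every entry NO_MFN */
    p2m->max_mapped_gfn = 0;
}

/* Like p2m_get_root_pointer(): bits above ADDR_BITS are silently dropped,
 * and a selector beyond the existing root pages yields NULL. */
static uint64_t *root_pointer(struct p2m *p2m, uint64_t gfn)
{
    uint64_t sel = (gfn >> IDX_BITS) & SEL_MASK;
    return sel < ROOT_PAGES ? &p2m->root[sel][gfn & IDX_MASK] : NULL;
}

/* Vulnerable: maps the aliased frames, records the unmasked range, and
 * records one past the end (the off-by-one). */
static int set_entry_vuln(struct p2m *p2m, uint64_t sgfn, uint64_t nr, uint64_t mfn)
{
    for (uint64_t i = 0; i < nr; i++) {
        uint64_t *e = root_pointer(p2m, sgfn + i);
        if (!e)
            return -1;
        *e = mfn + i;
    }
    if (sgfn + nr > p2m->max_mapped_gfn)
        p2m->max_mapped_gfn = sgfn + nr;
    return 0;
}

static enum lookup get_entry_vuln(struct p2m *p2m, uint64_t gfn, uint64_t *mfn)
{
    if (gfn > p2m->max_mapped_gfn)       /* still passes for gfn == max_mapped_gfn */
        return NOT_MAPPED;
    uint64_t *e = root_pointer(p2m, gfn);
    if (!e)
        return HIT_BUG_ON;               /* Xen: BUG_ON() here crashes the host */
    *mfn = *e;
    return *e == NO_MFN ? NOT_MAPPED : MAPPED;
}

/* Hardened: refuse anything the root table cannot address, record the
 * last mapped frame inclusively, and never BUG_ON() a NULL root. */
static int set_entry_fixed(struct p2m *p2m, uint64_t sgfn, uint64_t nr, uint64_t mfn)
{
    uint64_t egfn = sgfn + nr - 1;
    if (nr == 0 || egfn < sgfn || (egfn >> ADDR_BITS) != 0 ||
        !root_pointer(p2m, sgfn) || !root_pointer(p2m, egfn))
        return -1;
    for (uint64_t i = 0; i < nr; i++)
        *root_pointer(p2m, sgfn + i) = mfn + i;
    if (egfn > p2m->max_mapped_gfn)
        p2m->max_mapped_gfn = egfn;
    return 0;
}

static enum lookup get_entry_fixed(struct p2m *p2m, uint64_t gfn, uint64_t *mfn)
{
    if (gfn > p2m->max_mapped_gfn)
        return NOT_MAPPED;
    uint64_t *e = root_pointer(p2m, gfn);
    if (!e)
        return NOT_MAPPED;
    *mfn = *e;
    return *e == NO_MFN ? NOT_MAPPED : MAPPED;
}

/* A guest maps [sgfn, sgfn + nr) via add-to-physmap, then touches `probe`. */
static enum lookup scenario(bool fixed, uint64_t sgfn, uint64_t nr, uint64_t probe)
{
    static struct p2m p2m;
    uint64_t mfn;
    p2m_init(&p2m);
    if (fixed)
        return set_entry_fixed(&p2m, sgfn, nr, 0x1000) ? MAP_REFUSED
                                                       : get_entry_fixed(&p2m, probe, &mfn);
    return set_entry_vuln(&p2m, sgfn, nr, 0x1000) ? MAP_REFUSED
                                                  : get_entry_vuln(&p2m, probe, &mfn);
}

int main(void)
{
    uint64_t hi = (1ull << 40) | 5;      /* top bits set: aliases frame 5 */
    printf("alias, vulnerable:    %d (2 = BUG_ON)\n", scenario(false, hi, 1, 3ull << IDX_BITS));
    printf("alias, fixed:         %d (3 = refused)\n", scenario(true, hi, 1, 3ull << IDX_BITS));
    printf("off-by-1, vulnerable: %d (2 = BUG_ON)\n", scenario(false, 0x1ff, 1, 0x200));
    printf("off-by-1, fixed:      %d (1 = not mapped)\n", scenario(true, 0x1ff, 1, 0x200));
    return 0;
}
```

The two probes follow the two paths in the advisory: a frame with top
bits set aliases frame 5 but leaves max_mapped_gfn covering a selector
that has no root page, and a mapping ending on the last existing root
page lets "highest mapped + 1" through the check.  In both cases the
model reports HIT_BUG_ON where Xen would crash the host.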

IMPACT
======

A malicious guest administrator may cause a hypervisor crash,
resulting in a Denial of Service (DoS).

VULNERABLE SYSTEMS
==================

Xen versions 4.8 and newer are vulnerable.

Only Arm systems are vulnerable.  x86 systems are not affected.

MITIGATION
==========

There are no mitigations.

CREDITS
=======

This issue was discovered by Julien Grall of Arm.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa301-master-*.patch  xen-unstable to Xen 4.12
xsa301-4.11-*.patch    Xen 4.11 to Xen 4.8

$ sha256sum xsa301*
c3f334d3de1fd7385a5b73edca1f979b6027595d8aa2a3fce451ee5a37d57662
xsa301.meta
1f6f76e0da4bd8cbce38a127d446593058a76565bade57672d6a00357fdc64fa
xsa301-4.11-1.patch
b1ea7b323f509a6150983ece24ecd38f3a9ea97a11360d7a36f715ebaf85e8b1
xsa301-4.11-2.patch
67fffdd5f827f783e8752ca779a3234d30f26df5c42844c5b2b4a34618d7a0c2
xsa301-4.11-3.patch
3dba13afd3449b85215058c596f6a60a255e5a11c6865cbcaa05e9768f535b46
xsa301-master-1.patch
dbf952c2333807d5ee0fe4cccb069ddfda87e295c83a43ec46621b486b19f6e8
xsa301-master-2.patch
ad544e5e2da130540d5475954b1512fc00743773cad382c4c0451fd91536287d
xsa301-master-3.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html

_____________________________________________________________________

            Xen Security Advisory CVE-2019-18424 / XSA-302
                               version 5

 passed through PCI devices may corrupt host memory after deassignment

UPDATES IN VERSION 5
====================

Public release.

The patches are broken on ARM (which is not affected by the issue).
Don't apply the patches on ARM.  See Resolution.

ISSUE DESCRIPTION
=================

When a PCI device is assigned to an untrusted domain, that domain can
program the device to DMA to an arbitrary address.  The IOMMU is used
to protect the host from malicious DMA by making sure that the
device's addresses can only target memory assigned to the guest.
However, when the guest domain is torn down, or the device is
deassigned, the device is assigned back to dom0, so any DMA still in
flight can target critical host data.
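
A model of the deassignment path, added here as an illustration; it is
not Xen's implementation, and the frame numbers, the three IOMMU
contexts and dom0's identity mapping are assumptions of the model.  The
vulnerable deassign hands the device to dom0's context; the fixed one
parks it in a context with no mappings at all (the idea behind the
attached "quarantine-PCI-devices" patches), so a DMA the guest left in
flight faults at the IOMMU instead of landing in host memory:

```c
/* Model of device ownership and IOMMU contexts (added illustration, not
 * Xen code).  HOST_FRAMES, the guest's frame range and the identity map
 * for dom0 are constructed for the example. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HOST_FRAMES 16

enum ctx { CTX_DOM0, CTX_GUEST, CTX_QUARANTINE, CTX_COUNT };

struct host {
    bool allowed[CTX_COUNT][HOST_FRAMES];   /* IOMMU: frames each context may DMA to */
    uint8_t mem[HOST_FRAMES];               /* one byte stands in for each host frame */
};

struct device { enum ctx ctx; };            /* IOMMU context the device is attached to */

static void host_init(struct host *h)
{
    memset(h, 0, sizeof(*h));
    for (int f = 0; f < HOST_FRAMES; f++)
        h->allowed[CTX_DOM0][f] = true;     /* dom0's context reaches all host memory */
    for (int f = 8; f < 12; f++)
        h->allowed[CTX_GUEST][f] = true;    /* the guest owns frames 8..11 only */
    /* CTX_QUARANTINE deliberately keeps no mappings: every DMA faults */
}

/* True when the write lands in host memory, false on an IOMMU fault. */
static bool dma_write(struct host *h, const struct device *d, int frame, uint8_t byte)
{
    if (frame < 0 || frame >= HOST_FRAMES || !h->allowed[d->ctx][frame])
        return false;
    h->mem[frame] = byte;
    return true;
}

static void deassign_vuln(struct device *d)  { d->ctx = CTX_DOM0; }        /* straight back to dom0 */
static void deassign_fixed(struct device *d) { d->ctx = CTX_QUARANTINE; }  /* park it with no mappings */

/* While the guest still owns the device, the IOMMU confines it to its own frames. */
static bool owned_dma_lands(int target)
{
    struct host h;
    struct device dev = { CTX_GUEST };
    host_init(&h);
    return dma_write(&h, &dev, target, 0x41);
}

/* The guest programs a DMA to `target`, then is torn down before it
 * completes.  True if the late write corrupts `target`. */
static bool inflight_dma_lands(bool fixed, int target)
{
    struct host h;
    struct device dev = { CTX_GUEST };
    host_init(&h);
    if (fixed)
        deassign_fixed(&dev);
    else
        deassign_vuln(&dev);
    return dma_write(&h, &dev, target, 0x41);
}

int main(void)
{
    printf("owned, guest frame 9:            %s\n", owned_dma_lands(9) ? "lands" : "faults");
    printf("owned, host frame 0:             %s\n", owned_dma_lands(0) ? "lands" : "faults");
    printf("deassigned to dom0, frame 0:     %s\n", inflight_dma_lands(false, 0) ? "lands" : "faults");
    printf("deassigned to quarantine, 0:     %s\n", inflight_dma_lands(true, 0) ? "lands" : "faults");
    return 0;
}
```

The design point is fail-closed: a device that is no longer owned by
anyone should sit in a context with nothing mapped, so whatever its
previous owner left queued has nowhere to land.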

IMPACT
======

An untrusted domain with access to a physical device can DMA into host
memory, leading to privilege escalation.

VULNERABLE SYSTEMS
==================

Only systems where guests are given direct access to physical devices
capable of DMA (PCI pass-through) are vulnerable.  Systems which do
not use PCI pass-through are not vulnerable.

MITIGATION
==========

In some configurations, use of passthrough can be replaced with a
higher-level protocol such as Xen PV block or network devices.

CREDITS
=======

This issue was discovered by Paul Durrant of Citrix.

RESOLUTION
==========

Applying the appropriate attached patchset should resolve this issue.
For Xen 4.9 and earlier at least the first patch of XSA-299
(whitespace cleanup) is also needed for XSA-302 to apply.

Unfortunately, at the time of writing, these patches have not been
tested to our satisfaction.

The patches are known to break on ARM.  ARM is not affected by the
issue, so do not apply these patches on ARM systems.  (On x86, there
is a latent bug but the patches are good to use.)

xsa302/*.patch         xen-unstable
xsa302-4.12/*.patch    Xen 4.12.x
xsa302-4.11/*.patch    Xen 4.11.x
xsa302-4.10/*.patch    Xen 4.10.x
xsa302-4.9/*.patch     Xen 4.9.x, Xen 4.8.x

$ sha256sum xsa302* xsa302*/*
d722d1bed2440a5d35f0fd041e4a77966b7d26980a0f874d38d48710db0b9ebd
xsa302.meta
703faced133ca21142f484acd8cf16578258e12ae0cf1413a5d9252f1e099465
xsa302-4.9/0001-IOMMU-add-missing-HVM-check.patch
edb4753b91fa66e2f4b51d0075d106fc28d8451241ba482a33c2db4be53f21d1
xsa302-4.9/0002-passthrough-quarantine-PCI-devices.patch
3c79107d8fd94807543443192fb31f3d188912c208f4dbda61f1f2ff92701afc
xsa302-4.10/0001-IOMMU-add-missing-HVM-check.patch
2a76add5a907baf0217e57e2a4dca91a6a8ce84c67b9ff87be1bcbb1f29efdc6
xsa302-4.10/0002-passthrough-quarantine-PCI-devices.patch
a75723160c52c2c65d563905d0904b587beda1cfb6ca3ee18fb70e79818d3faa
xsa302-4.11/0001-IOMMU-add-missing-HVM-check.patch
48b9dae7adbe2438dcaa00f969532d835061cb4a06ab2bf47ada2afb644de4c5
xsa302-4.11/0002-passthrough-quarantine-PCI-devices.patch
a21efa6cae14e87318ca3927f0ac310aee2dd1323f2dbf040c0fe80789d78712
xsa302-4.12/0001-IOMMU-add-missing-HVM-check.patch
0a95f750ad1d5eb1838b6488e4ac188acdc2e568eb21b26306d5af2980bffb58
xsa302-4.12/0002-passthrough-quarantine-PCI-devices.patch
11d7015960eab265b1f9ce372dd14597b6c4cc7907d77ed3eed14d161dd50e5c
xsa302/0001-passthrough-quarantine-PCI-devices.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the *patches* described above (or others which are
substantially similar) is permitted during the embargo, even on
public-facing systems with untrusted guest users and administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Also: deployment of the reconfiguration *mitigation* is NOT permitted
(except where all the affected systems and VMs are administered and
used only by organisations which are members of the Xen Project
Security Issues Predisclosure List).  Specifically, deployment on
public cloud systems is NOT permitted.

This is because this reconfiguration reveals that a PCI passthrough
vulnerability is involved.

Deployment of that mitigation is permitted only AFTER the embargo
ends.

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html

_____________________________________________________________________

            Xen Security Advisory CVE-2019-18422 / XSA-303
                               version 4

  ARM: Interrupts are unconditionally unmasked in exception handlers

UPDATES IN VERSION 4
====================

Fix typos in the series and add more Reviewed-by tags.

Public release.

ISSUE DESCRIPTION
=================

When an exception occurs on an ARM system which is handled without
changing processor level, some interrupts are unconditionally enabled
during exception entry.  So exceptions which occur when interrupts are
masked will effectively unmask the interrupts.

IMPACT
======

A malicious guest might contrive to arrange for critical Xen code to
run with interrupts erroneously enabled.  This could lead to data
corruption, denial of service, or possibly even privilege escalation.
However a precise attack technique has not been identified.

VULNERABLE SYSTEMS
==================

All ARM systems are vulnerable.  x86 systems are not vulnerable.

On some platforms this issue could possibly be exploited by an
unprivileged userspace attacker.

CREDITS
=======

This issue was discovered by Julien Grall of Arm.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa303/*.patch         xen-unstable .. Xen 4.9
xsa303-4.8/*.patch     Xen 4.8

$ sha256sum xsa303* xsa303*/*
66b3eb28cfa633999da7480a37cd919293eb87aa730e7bc58b12c47bcdb0c9c0
xsa303.meta
7769eee9b876cdb7dde2ec664d34a5067f9b639d5c543ee89ff2eda818f04cab
xsa303-4.8/0001-Revert-xen-arm32-entry-Consolidate-DEFINE_TRAP_ENTRY.patch
f1337aa8c4b38f4ab61e7206c7bd8f5c782583947d9b9e1e8c6f139db73ca2cb
xsa303-4.8/0002-xen-arm32-entry-Consolidate-DEFINE_TRAP_ENTRY-macros.patch
160ea6acfba85faf1cbb670b0a3873f025c0dab388f73018a22a61104e1a5fe1
xsa303-4.8/0003-xen-arm32-entry-Fold-the-macro-SAVE_ALL-in-the-macro.patch
2cc1e3282263f03c6b9c6e05039f84173b8dbc893a2cd88f80ce2275ff7478d8
xsa303-4.8/0004-xen-arm32-Don-t-blindly-unmask-interrupts-on-trap-wi.patch
63c4a90c45ae28032e0149353cafd495cce5caa8c84ad022d21b8078710e996d
xsa303-4.8/0005-xen-arm64-Don-t-blindly-unmask-interrupts-on-trap-wi.patch
4da48a29aaad85a410021952b2b3cb4dae14365c688e724ed7fc80feea1334df
xsa303/0001-xen-arm32-entry-Split-__DEFINE_ENTRY_TRAP-in-two.patch
99773cbfb6f0df5f0c83477c9dcd39127cb361213455bd2cb1f6bcfe4566d5a2
xsa303/0002-xen-arm32-entry-Fold-the-macro-SAVE_ALL-in-the-macro.patch
9e8241c311aa8da7fcb1da09b9d8b5a55c26a10f02355e37e97d1e7a3b6db7be
xsa303/0003-xen-arm32-Don-t-blindly-unmask-interrupts-on-trap-wi.patch
4c9bc0d0b27eff06f65f1a679263ffbcc8aa4c65117840284dc115ae49e7966d
xsa303/0004-xen-arm64-Don-t-blindly-unmask-interrupts-on-trap-wi.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html

_______________________________________________________________________

            Xen Security Advisory CVE-2019-18421 / XSA-299
                               version 4

           Issues with restartable PV type change operations

UPDATES IN VERSION 4
====================

Public release.

ISSUE DESCRIPTION
=================

To avoid using shadow pagetables for PV guests, Xen exposes the actual
hardware pagetables to the guest.  In order to prevent the guest from
modifying these page tables directly, Xen keeps track of how pages are
used using a type system; pages must be "promoted" before being used
as a pagetable, and "demoted" before being used for any other type.
Xen also allows for "recursive" promotions: i.e., an operating system
promoting a page to an L4 pagetable may end up causing pages to be
promoted to L3s, which may in turn cause pages to be promoted to L2s,
and so on.  These operations may take an arbitrarily large amount of
time, and so must be re-startable.

Unfortunately, making recursive pagetable promotion and demotion
operations restartable is incredibly complicated, and the code
contains several races which, if triggered, can cause Xen to drop or
retain extra type counts, potentially allowing guests to get write
access to in-use pagetables.

IMPACT
======

A malicious PV guest administrator may be able to escalate their
privilege to that of the host.

VULNERABLE SYSTEMS
==================

All x86 systems with untrusted PV guests are vulnerable.

HVM and PVH guests cannot exercise this vulnerability.
ARM systems are not vulnerable because ARM guests are all PVH.

All security-supported Xen versions are vulnerable.

Note that these attacks require very precise timing, which may make
them difficult to exploit in practice.

MITIGATION
==========

Running only HVM or PVH guests will avoid this vulnerability.

Running PV guests in "shim" mode will also avoid this vulnerability.

CREDITS
=======

This issue was discovered by George Dunlap of Citrix.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa299/*.patch           xen-unstable
xsa299-4.12/*.patch      Xen 4.12.x
xsa299-4.11/*.patch      Xen 4.11.x
xsa299-4.10/*.patch      Xen 4.10.x
xsa299-4.9/*.patch       Xen 4.9.x
xsa299-4.8/*.patch       Xen 4.8.x

$ sha256sum xsa299* xsa299*/*
687fb0f3273a424726edb4d249b79cfc45d1ef7000610405b11eaac49baecaa8
xsa299.meta
6c8f46e57f61a5e1e2e5e628a32e4c9ae144218ce475309811bb9900d3fdda48
xsa299-4.8/0001-x86-mm-Clean-up-trailing-whitespace.patch
3409e71ed7bc199bcda33892ea6f70fe257c4f3906d74b4a6f4352415daeedb0
xsa299-4.8/0002-x86-mm-L1TF-checks-don-t-leave-a-partial-entry.patch
1179fe0f1a591c542478bf8614501f8ddb67e342d7d452f6bff3b6a999f2b20f
xsa299-4.8/0003-x86-mm-Don-t-re-set-PGT_pinned-on-a-partially-de-val.patch
bc0352a1d82079c4072cc3871d0d397f7abb3c0480dfc3c5c542091d2ec7d7b0
xsa299-4.8/0004-x86-mm-Separate-out-partial_pte-tristate-into-indivi.patch
2b96857ef3e0f8259df7ad01600f1c30ca234668d6f26744c2ae0d3d7dded090
xsa299-4.8/0005-x86-mm-Use-flags-for-_put_page_type-rather-than-a-bo.patch
fe119a8255e23a86845fa1ac5f93afa25acdaff705061c172ea9e0589b0bc1a4
xsa299-4.8/0006-x86-mm-Rework-get_page_and_type_from_mfn-conditional.patch
562415d5fdb4e173443a2aa211094743a722ef1fe5a2d19c59cb3d329e101984
xsa299-4.8/0007-x86-mm-Have-alloc_l-23-_table-clear-partial_flags-wh.patch
454296ac46ea5feea8866101e7c953bf6dbd37a5275f7b006eeb6d22cbae387d
xsa299-4.8/0008-x86-mm-Always-retain-a-general-ref-on-partial.patch
f203a70da67f304c2ede516ef989b58ace6774eeee4eca919631c75f09860ba3
xsa299-4.8/0009-x86-mm-Collapse-PTF_partial_set-and-PTF_partial_gene.patch
1f4877c10ead99c51d822d29ebaed9774cdb97cca869fe1a1ccf905540e291c7
xsa299-4.8/0010-x86-mm-Properly-handle-linear-pagetable-promotion-fa.patch
733d260d731cce9902d66dc5b42ae9d10a319acda6dadcc426b6dfeba6e917da
xsa299-4.8/0011-x86-mm-Fix-nested-de-validation-on-error.patch
cd105c15e2fd915644cb7d31000df60e51d1054a807b575d5436ccb87c1e9a18
xsa299-4.8/0012-x86-mm-Don-t-drop-a-type-ref-unless-you-held-a-ref-t.patch
d8db456679e652f5a33a0a448d379e3a88b0cf7ce1415ee46007873cfb6f49b7
xsa299-4.9/0001-x86-mm-Clean-up-trailing-whitespace.patch
e54df901b5f13d70643938ff365a09a43725637511251efc3ac55c45b80016f5
xsa299-4.9/0002-x86-mm-L1TF-checks-don-t-leave-a-partial-entry.patch
8da540f32ff77f5871f646a6ef2847bc3adc2aecfa4698dcec4335b72e758616
xsa299-4.9/0003-x86-mm-Don-t-re-set-PGT_pinned-on-a-partially-de-val.patch
e97044ffb5edcc7f1094dd47e365f2f29971cacf784d8aaa9a0e42f770ca899d
xsa299-4.9/0004-x86-mm-Separate-out-partial_pte-tristate-into-indivi.patch
53977fd090d488f484e6191c6b68cbc59f771d8cf4aeb230b7b9f8ddc891a58e
xsa299-4.9/0005-x86-mm-Use-flags-for-_put_page_type-rather-than-a-bo.patch
d10b9d434d341ac380e8a9c6fc4b3ddec8baf8dec9d565c2e66867f8d05497ba
xsa299-4.9/0006-x86-mm-Rework-get_page_and_type_from_mfn-conditional.patch
7e01debdbe59cfa734e63b5c9d5c2799aa25f961f0d065ce8c8bdb64d577b164
xsa299-4.9/0007-x86-mm-Have-alloc_l-23-_table-clear-partial_flags-wh.patch
12f0732907547367645db6300cff959f15118b91503165dc2c66083769ac7e56
xsa299-4.9/0008-x86-mm-Always-retain-a-general-ref-on-partial.patch
06044bf56130dd845e08ed9af75f4aade186d48b1cea88d7862026bbe0bf51af
xsa299-4.9/0009-x86-mm-Collapse-PTF_partial_set-and-PTF_partial_gene.patch
2fea704a716d6ff8a589fba7bf5d71443e2b52f41f591f8173d50dcb3ba9a94b
xsa299-4.9/0010-x86-mm-Properly-handle-linear-pagetable-promotion-fa.patch
4bcfd94bdd77726e8ea1069081f5f544705b22752a185ee4e1f58c730a902b74
xsa299-4.9/0011-x86-mm-Fix-nested-de-validation-on-error.patch
580fa03182e40f122e3d21a5c71183b6a9500eae2afba490cf43514b75e15062
xsa299-4.9/0012-x86-mm-Don-t-drop-a-type-ref-unless-you-held-a-ref-t.patch
c3bde8f42e75c0f98c22938267f947d4729e7372510dededa3750699ac8cb2f5
xsa299-4.10/0001-x86-mm-L1TF-checks-don-t-leave-a-partial-entry.patch
0794fd0d20d71367977926f2393e354d4a43452a51f421616fa413acd68bf24a
xsa299-4.10/0002-x86-mm-Don-t-re-set-PGT_pinned-on-a-partially-de-val.patch
0591cd2fa566fcec43e2aa6e1cfb92629c816e55c7548b2534c5a7a84505cd06
xsa299-4.10/0003-x86-mm-Separate-out-partial_pte-tristate-into-indivi.patch
736966986c43bcdfcbf337fc87af6f430458bad5d105b33f7dfa0a1eb72f2416
xsa299-4.10/0004-x86-mm-Use-flags-for-_put_page_type-rather-than-a-bo.patch
416db71e950838dbf5d024ae9ba8bb6e6685314608543fd8df0516db7786b811
xsa299-4.10/0005-x86-mm-Rework-get_page_and_type_from_mfn-conditional.patch
7d84aaf129401faa863565df084e776413dd07ec440c1a67db961b8a147651a4
xsa299-4.10/0006-x86-mm-Have-alloc_l-23-_table-clear-partial_flags-wh.patch
59d37dc3cfd811bcbbedb72ca9d80eb2d460dce4e373e581c88fdb6b874b4111
xsa299-4.10/0007-x86-mm-Always-retain-a-general-ref-on-partial.patch
746156888f0dc4a75164cd668dd05fdf3d9b11cc96205785384f84ebcd1df4ae
xsa299-4.10/0008-x86-mm-Collapse-PTF_partial_set-and-PTF_partial_gene.patch
bcc54d2b0653e584c89c0d219d5cd82e94c2629033ea8f1b22dfd3f373267bf5
xsa299-4.10/0009-x86-mm-Properly-handle-linear-pagetable-promotion-fa.patch
4829ba66647d344f1eaad632fddab4c8c51db513d1ae18385dec195b86e76936
xsa299-4.10/0010-x86-mm-Fix-nested-de-validation-on-error.patch
7ad0b06d2748da4e4b317f4cc8c829c7fb451bf86ad778d97d231acff7cfd940
xsa299-4.10/0011-x86-mm-Don-t-drop-a-type-ref-unless-you-held-a-ref-t.patch
225fec9475b5992338ce19da982a759b3a551c653dbbb280295b00018a107d28
xsa299-4.11/0001-x86-mm-L1TF-checks-don-t-leave-a-partial-entry.patch
fa910f573bde107b90fef4568fa500bf875d7303ac93642ed8a135d639bf7f0e
xsa299-4.11/0002-x86-mm-Don-t-re-set-PGT_pinned-on-a-partially-de-val.patch
f5fcf8ab6940d85fe43de61463ff00bcf17a22b94da4f2b28fa45d714b0255d0
xsa299-4.11/0003-x86-mm-Separate-out-partial_pte-tristate-into-indivi.patch
e1e49d767f08889b518423935869332a40f87e824bb93a0c2707f1f99e9f0328
xsa299-4.11/0004-x86-mm-Use-flags-for-_put_page_type-rather-than-a-bo.patch
c0f5ce00516491b1f3d2eccf25fbd67d409d855e3d4b423490f1bc37b4477e87
xsa299-4.11/0005-x86-mm-Rework-get_page_and_type_from_mfn-conditional.patch
4562543c497c17cc3a793f67a75824043ca3dea69ccc456bf9f5546825282f0e
xsa299-4.11/0006-x86-mm-Have-alloc_l-23-_table-clear-partial_flags-wh.patch
90bc777691225eb4c55804702c2cd7f2913317b13334c27b9437ee60be672cca
xsa299-4.11/0007-x86-mm-Always-retain-a-general-ref-on-partial.patch
7903c9599ee47dc05647e5ec7a6ce3fe5e6331b527551286897429e97cf56f61
xsa299-4.11/0008-x86-mm-Collapse-PTF_partial_set-and-PTF_partial_gene.patch
c1ae9bad93e11a4a9253265318b67b45865e566b17ddd7f167bb88197a9b700c
xsa299-4.11/0009-x86-mm-Properly-handle-linear-pagetable-promotion-fa.patch
49a21bd396ab4af6b82aaa38dac733f4fde806587b5b126cd656f725b9c8eee7
xsa299-4.11/0010-x86-mm-Fix-nested-de-validation-on-error.patch
09df369fa52335e3e560af593d4e9843bab1da24aa1b4c905f9ea1ce8441af6e
xsa299-4.11/0011-x86-mm-Don-t-drop-a-type-ref-unless-you-held-a-ref-t.patch
d27f07eb0020181487ec9dda15c6331125d6b0505fdce1ae67c0a9b524159e11
xsa299-4.12/0001-x86-mm-L1TF-checks-don-t-leave-a-partial-entry.patch
00c2fb77366c427e226315cfb1cda1c67ce495ec8a0b400ff30924bc399bf283
xsa299-4.12/0002-x86-mm-Don-t-re-set-PGT_pinned-on-a-partially-de-val.patch
bc88c216e438af9e1dddf1e5374fd1c78c9867e8908ba3016c72d999aebaea4b
xsa299-4.12/0003-x86-mm-Separate-out-partial_pte-tristate-into-indivi.patch
cc6416c6311be82a2b89d5b14ceb9ecc6cb92ce9286bb03b91083c661186d28d
xsa299-4.12/0004-x86-mm-Use-flags-for-_put_page_type-rather-than-a-bo.patch
732fbb80a6fc6364945e1b6534c921d503e2369c3cd25f425096549b71f75fa0
xsa299-4.12/0005-x86-mm-Rework-get_page_and_type_from_mfn-conditional.patch
20e37b3712b66111193bed02b368aff2ee0e7896dd55b5e6c928fbc97ec618b3
xsa299-4.12/0006-x86-mm-Have-alloc_l-23-_table-clear-partial_flags-wh.patch
20bec098f3ad474093ce33e4ae5e8cee5ff9f8504107c8a4ff76f2731abbab13
xsa299-4.12/0007-x86-mm-Always-retain-a-general-ref-on-partial.patch
71addb8014eeb51a6adc4377aaa4b74ac611a28a6f62865f7020a536a1a9cbc5
xsa299-4.12/0008-x86-mm-Collapse-PTF_partial_set-and-PTF_partial_gene.patch
71bd7d75f7878571d4ea4351ea10f487a1c1a86765f67c85a25308d5df24a40e
xsa299-4.12/0009-x86-mm-Properly-handle-linear-pagetable-promotion-fa.patch
1e58d49f72c1eb158db08a17a3805e2144c0d468b6388a9a8795b67f80a699a5
xsa299-4.12/0010-x86-mm-Fix-nested-de-validation-on-error.patch
67594f941f8cecbc0ff87dfedbdbd43f4e4234d049c1a5d62143153ae96954c1
xsa299-4.12/0011-x86-mm-Don-t-drop-a-type-ref-unless-you-held-a-ref-t.patch
08179d90ea327bca328f3a45198c31166df2aa6fb459b148dd74c716c1d5bb88
xsa299/0001-x86-mm-L1TF-checks-don-t-leave-a-partial-entry.patch
d37e7b4dd3c9d7da14a287d9fe6807f81d95bba8bdab79b729ed5aa3350fad70
xsa299/0002-x86-mm-Don-t-re-set-PGT_pinned-on-a-partially-de-val.patch
660fc01fb09aee7628d65d7893ec11bf77cfe79543e390656b59f0e60334d058
xsa299/0003-x86-mm-Separate-out-partial_pte-tristate-into-indivi.patch
2dc6ad4233ec572ba21632ab80b6149541f3169affb792e31930e3f7c6e72fc6
xsa299/0004-x86-mm-Use-flags-for-_put_page_type-rather-than-a-bo.patch
175fd90422bf00879de2129cd1a86bbdeb1c15ff344d286ab9634bc3f1512c03
xsa299/0005-x86-mm-Rework-get_page_and_type_from_mfn-conditional.patch
afa26c8850085412a787d7f0cb3031f15181ee2c9b3b1a9b4a007bff7404457f
xsa299/0006-x86-mm-Have-alloc_l-23-_table-clear-partial_flags-wh.patch
6f0502b2377db2115faf9c7bcbf35898013dcec74170950c3aa7a0586ff1e174
xsa299/0007-x86-mm-Always-retain-a-general-ref-on-partial.patch
787c3eeaadfed46947fb17773fa8f9e9efe891658d7460eaf5291a4ca6155123
xsa299/0008-x86-mm-Collapse-PTF_partial_set-and-PTF_partial_gene.patch
77341c4d0ab62fbb7090d2a6b60902467563ae470ac0807ef40a3ac791d2933a
xsa299/0009-x86-mm-Properly-handle-linear-pagetable-promotion-fa.patch
e489f49f8783fb388161365072da585c049e05d80306cf963cec5ecbb3bc67c7
xsa299/0010-x86-mm-Fix-nested-de-validation-on-error.patch
17b9ae71c150747bff4d57eee8a918b1961e880e25ae2b9c0dbe933e005cb1a0
xsa299/0011-x86-mm-Don-t-drop-a-type-ref-unless-you-held-a-ref-t.patch
$

NOTE ON RESOLUTION
==================

Even with these fixes, the code is still very complicated.  After the
embargo is up, we plan to try getting rid of automatic recursive
pagetable promotion entirely, instead requiring guest operating
systems to promote pages one-by-one themselves.  This would obviate
the need to have restartable operations, greatly simplifying the
reference counting code.

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
_______________________________________________________________________

            Xen Security Advisory CVE-2019-18425 / XSA-298
                               version 3

      missing descriptor table limit checking in x86 PV emulation

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

When emulating certain PV guest operations, descriptor table accesses
are performed by the emulating code.  Such accesses should respect the
guest specified limits, unless otherwise guaranteed to fail in such a
case.  Without this, emulation of 32-bit guest user mode calls through
call gates would allow guest user mode to install and then use
descriptors of their choice, as long as the guest kernel did not
itself install an LDT.  (Most OSes don't install any LDT by default).
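
The missing limit check, as a C model added for this note.  It is not
Xen's emulator: the toy guest memory, the table placement, the
selector values and the function names are constructed for the
example.  The emulator walks a CPL-3 far call through a call gate; the
vulnerable reader trusts the selector index, so with no LDT installed
(modelled as limit 0) a descriptor planted by user mode at the LDT base
is accepted, while the fixed reader applies the x86 rule that the
descriptor's last byte, index*8 + 7, must not exceed the table limit:

```c
/* Model of descriptor-table limit checking in a PV call-gate emulator
 * (added illustration, not Xen code).  Guest memory layout and all
 * descriptor values below are constructed for the example. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define GUEST_QWORDS 64                 /* 512 bytes of guest memory, 8-byte units */

struct desc_table { uint32_t base; uint32_t limit; };   /* byte base, inclusive byte limit */
struct guest { uint64_t *mem; struct desc_table gdt, ldt; };

/* x86 descriptor fields used here (standard segment/gate descriptor layout) */
#define DESC_P(d)     (((d) >> 47) & 1)
#define DESC_DPL(d)   (((d) >> 45) & 3)
#define DESC_S(d)     (((d) >> 44) & 1)
#define DESC_TYPE(d)  (((d) >> 40) & 0xf)
#define GATE_SEL(d)   ((uint16_t)((d) >> 16))
#define GATE_OFF(d)   ((uint32_t)(((d) & 0xffff) | (((d) >> 32) & 0xffff0000u)))
#define CALL_GATE32   0xc
#define CODE_XR       0xa               /* execute/read code segment */

static uint64_t make_call_gate(uint16_t sel, uint32_t off, unsigned dpl)
{
    return (off & 0xffff) | ((uint64_t)sel << 16) | ((uint64_t)CALL_GATE32 << 40) |
           ((uint64_t)dpl << 45) | (1ull << 47) | ((uint64_t)(off >> 16) << 48);
}

static uint64_t make_code_seg(unsigned dpl)
{
    return ((uint64_t)CODE_XR << 40) | (1ull << 44) | ((uint64_t)dpl << 45) | (1ull << 47);
}

typedef bool (*desc_reader)(const struct guest *, uint16_t, uint64_t *);

/* Selector: bit 2 picks LDT (1) or GDT (0), bits 15:3 are the index. */
static bool read_desc_vuln(const struct guest *g, uint16_t sel, uint64_t *out)
{
    const struct desc_table *t = (sel & 4) ? &g->ldt : &g->gdt;
    uint32_t addr = t->base + (sel >> 3) * 8;        /* no limit check at all */
    if (addr / 8 >= GUEST_QWORDS)                    /* model-only bound on the toy memory */
        return false;
    *out = g->mem[addr / 8];
    return true;
}

static bool read_desc_fixed(const struct guest *g, uint16_t sel, uint64_t *out)
{
    const struct desc_table *t = (sel & 4) ? &g->ldt : &g->gdt;
    uint32_t off = (sel >> 3) * 8;
    if (off + 7 > t->limit)                          /* outside the table: #GP */
        return false;
    uint32_t addr = t->base + off;
    if (addr / 8 >= GUEST_QWORDS)
        return false;
    *out = g->mem[addr / 8];
    return true;
}

struct xfer { int cpl; uint32_t eip; };              /* cpl < 0: #GP delivered to the guest */

/* Emulates a CPL-3 far call through a 32-bit call gate. */
static struct xfer emulate_far_call(const struct guest *g, uint16_t sel, desc_reader read)
{
    struct xfer r = { -1, 0 };
    uint64_t gate, code;
    if (!read(g, sel, &gate) || !DESC_P(gate) || DESC_S(gate) ||
        DESC_TYPE(gate) != CALL_GATE32 || DESC_DPL(gate) < 3)
        return r;
    if (!read(g, GATE_SEL(gate), &code) || !DESC_P(code) || !DESC_S(code) ||
        !(DESC_TYPE(code) & 8))
        return r;
    r.cpl = (int)DESC_DPL(code);
    r.eip = GATE_OFF(gate);
    return r;
}

/* Guest kernel installs a GDT but no LDT (limit 0).  Guest user mode,
 * which can write the bottom of this toy address space, plants a call
 * gate there and calls through selector 0x0007 (LDT index 0, RPL 3). */
static struct xfer user_call_gate_attack(bool fixed)
{
    uint64_t mem[GUEST_QWORDS] = { 0 };
    struct guest g = { mem, { 0x100, 0x17 }, { 0, 0 } };
    mem[0x100 / 8 + 1] = make_code_seg(0);            /* selector 0x08: kernel code, DPL 0 */
    mem[0x100 / 8 + 2] = make_code_seg(3);            /* selector 0x10: user code, DPL 3 */
    mem[0] = make_call_gate(0x08, 0xc0ffee, 3);       /* forged gate into kernel code */
    return emulate_far_call(&g, 0x0007, fixed ? read_desc_fixed : read_desc_vuln);
}

int main(void)
{
    struct xfer v = user_call_gate_attack(false), f = user_call_gate_attack(true);
    printf("vulnerable: cpl=%d eip=%#x\n", v.cpl, v.eip);
    printf("fixed:      cpl=%d (#GP)\n", f.cpl);
    return 0;
}
```

With the vulnerable reader the forged gate sends the guest to kernel
code (CPL 0) at an attacker-chosen offset; with the limit check the
same selector raises #GP before any descriptor is read.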

IMPACT
======

32-bit PV guest user mode can elevate its privileges to that of the
guest kernel.

VULNERABLE SYSTEMS
==================

Xen versions from at least 3.2 onwards are affected.

Only 32-bit PV guest user mode can leverage this vulnerability.

HVM, PVH, as well as 64-bit PV guests cannot leverage this
vulnerability.

Arm systems are unaffected.

MITIGATION
==========

Running only HVM, PVH, or 64-bit PV guests will avoid this
vulnerability.

CREDITS
=======

This issue was discovered by Andrew Cooper of Citrix.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa298.patch           xen-unstable, Xen 4.12.x
xsa298-4.11.patch      Xen 4.11.x
xsa298-4.10.patch      Xen 4.10.x
xsa298-4.9.patch       Xen 4.9.x, Xen 4.8.x, Xen 4.7.x

$ sha256sum xsa298*
82c6f626732f99711212155b280270fe2f6683460299b1a6fc3f70b3932970ce
xsa298.meta
3f422ad83abb54fe6afed460a5982cf1faa1717e51ab19fbf2375be1b5f8f4a3
xsa298.patch
da8d5bad97a46c072dd1715c96401b145cecda14f0303043e6dca313e7ffff0c
xsa298-4.9.patch
92dba14b6a208379c2569b9c1c11438da384ec47db2508b4761af30d74a9403d
xsa298-4.10.patch
d2d8eb5de5601b88f2a6503ecf6bb83207e4b2f17833d61a74fcd185ac7f5a71
xsa298-4.11.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================