=====================================================================

                                CERT-Renater

                     Note d'Information No. 2024/VULN182
_____________________________________________________________________

DATE                : 09/04/2024

HARDWARE PLATFORM(S): x86 systems.

OPERATING SYSTEM(S): Systems running Xen versions from at least 3.2 onwards.

=====================================================================
https://xenbits.xen.org/xsa/advisory-454.html
_____________________________________________________________________



             Xen Security Advisory CVE-2023-46842 / XSA-454
                                version 2

              x86 HVM hypercalls may trigger Xen bug check

UPDATES IN VERSION 2
====================

Avoid a new MISRA violation in the first staging patch.

Public release.

ISSUE DESCRIPTION
=================

Unlike 32-bit PV guests, HVM guests may switch freely between 64-bit
and other modes.  This in particular means that they may set
registers used to pass 32-bit-mode hypercall arguments to values
outside of the range 32-bit code would be able to set them to.

When processing of hypercalls takes a considerable amount of time,
the hypervisor may choose to invoke a hypercall continuation.  Doing
so involves putting (perhaps updated) hypercall arguments in
respective registers.  For guests not running in 64-bit mode this
further involves a certain amount of translation of the values.

Unfortunately, the internal sanity checking of these translated values
assumes the high halves of the registers to always be clear when a
hypercall is invoked.  When this is found not to be the case, a
consistency check in the hypervisor triggers and crashes it.
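
The following is an added, illustrative C model of the hypervisor-side argument handling described above; it is not Xen's code and the struct, function and sample names are assumed. It places the flawed check (assume the upper halves are clear, bug-check otherwise) beside a hardened variant that truncates arguments for a guest not in 64-bit mode, which is one possible defensive approach and not necessarily what the XSA-454 patches do.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NR_ARGS 6

/* Model of the guest register state that continuation arguments are
 * written into; long_mode says whether the guest runs 64-bit code. */
struct guest_regs {
    bool     long_mode;
    uint64_t arg[NR_ARGS];   /* full-width GPRs used to pass arguments */
};

/* Flawed variant: for a guest not in 64-bit mode it assumes the upper
 * halves are already clear.  That holds for 32-bit PV guests, whose code
 * cannot write the upper halves, but not for HVM/PVH guests, which may
 * have set them before switching mode.  Returns -1 where a real
 * hypervisor would hit its consistency check (BUG_ON) and crash the host. */
int continuation_flawed(struct guest_regs *r, const uint64_t *args)
{
    for (int i = 0; i < NR_ARGS; i++) {
        if (!r->long_mode && (args[i] >> 32))
            return -1;                       /* consistency check fires */
        r->arg[i] = args[i];
    }
    return 0;
}

/* Hardened variant: a 32-bit-mode guest only ever receives 32-bit argument
 * values, so stale upper halves are discarded instead of asserted on. */
int continuation_hardened(struct guest_regs *r, const uint64_t *args)
{
    for (int i = 0; i < NR_ARGS; i++)
        r->arg[i] = r->long_mode ? args[i] : (uint32_t)args[i];
    return 0;
}

/* Constructed sample: a guest executing 32-bit code whose first argument
 * register still carries a non-zero upper half. */
static const uint64_t sample_args[NR_ARGS] = { 0x0000000100000010ULL, 1, 2, 3, 4, 5 };
static struct guest_regs sample_regs = { .long_mode = false };

int main(void)
{
    printf("flawed:   %d\n", continuation_flawed(&sample_regs, sample_args));
    printf("hardened: %d, arg0=%#llx\n",
           continuation_hardened(&sample_regs, sample_args),
           (unsigned long long)sample_regs.arg[0]);
    return 0;
}
```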

IMPACT
======

An HVM or PVH guest can crash the hypervisor, causing a Denial of
Service (DoS) of the entire host.

VULNERABLE SYSTEMS
==================

All Xen versions from at least 3.2 onwards are vulnerable.  Earlier
versions have not been inspected.

Only x86 systems are vulnerable.  Arm systems are not vulnerable.

Only HVM or PVH guests can leverage the vulnerability.  PV guests
cannot leverage the vulnerability.

MITIGATION
==========

Not using HVM / PVH guests will avoid the vulnerability.

CREDITS
=======

This issue was discovered by Manuel Andreas of Technical University
of Munich.

RESOLUTION
==========

Applying either of the attached patches from the appropriate set
resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa454-?.patch           xen-unstable
xsa454-4.18-?.patch      Xen 4.18.x
xsa454-4.17-?.patch      Xen 4.17.x
xsa454-4.16-?.patch      Xen 4.16.x - Xen 4.15.x

$ sha256sum xsa454*
2df9af16605b634d3585a30f673b4cf9e327889cfd8714a697de215c3f809fb5  xsa454-1.patch
f2ed0468350f2c2e0285a546ab5c722e928add5425b05bff663c632ada09ee3b  xsa454-2.patch
4106f323251e262d30319c61de7c876f2b18edfcce38cc70501fb3c22677ff0a  xsa454-4.16-1.patch
962ea7d8f3e378ec775619e44525f66768369423b56113420763651dbbf6bc1e  xsa454-4.16-2.patch
95b299237d13ae27f643d804eb40b600b9b8ef056953686d4f770f03c46c42c8  xsa454-4.17-1.patch
7af290595cbea3153e49344827095c874e6a8d208d8c843e62ee0787b0d7d46d  xsa454-4.17-2.patch
999006e7917c996741dfc332d28e7b2ca8376f8e9d5b38161cbd5988528d0238  xsa454-4.18-1.patch
f2ed0468350f2c2e0285a546ab5c722e928add5425b05bff663c632ada09ee3b  xsa454-4.18-2.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though
it is then no longer applicable.  This is to enable the community to
have oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
   http://www.xenproject.org/security-policy.html

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
