Message-Id: <E1iNxUK-0002k5-SN@xenbits.xenproject.org>
Date: Fri, 25 Oct 2019 11:10:36 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org,
 xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security-team-members@....org>
Subject: Xen Security Advisory 291 v3 (CVE-2019-17345) - x86/PV: page type
 reference counting issue with failed IOMMU update

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2019-17345 / XSA-291
                              version 3

  x86/PV: page type reference counting issue with failed IOMMU update

UPDATES IN VERSION 3
====================

CVE assigned.

ISSUE DESCRIPTION
=================

When an x86 PV domain has a passed-through PCI device assigned, IOMMU
mappings may need to be updated when the type of a particular page
changes.  Such an IOMMU operation may fail.  In the event of failure,
while at present the affected guest would be forcibly crashed, the
already recorded additional type reference was not dropped again.  This
causes a bug check to trigger while cleaning up after the crashed
guest.
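The reference-leak pattern described above, modelled in a small C program added here for illustration (this is not Xen code, and the names page_info, get_page_type_buggy, get_page_type_fixed, iommu_map_page and domain_teardown are hypothetical stand-ins for the real hypervisor paths; the "fixed" variant shows the general shape of the repair, not the attached patch):

```c
/* Toy model of the XSA-291 bug class: a type reference is recorded, a
 * subsequent IOMMU update fails, and the error path forgets to drop the
 * reference, so the count is still non-zero when the domain is torn down.
 * Added illustration, not Xen source; all identifiers are hypothetical. */
#include <stdio.h>
#include <stdbool.h>

#define EINVAL_SIM 22   /* constructed error code for a failed IOMMU update */

/* A page carrying a type reference count, as PV page-table pages do. */
struct page_info {
    unsigned int type_count;   /* outstanding type references */
};

/* Stand-in for the IOMMU mapping update; 'succeed' is a test knob that
 * lets the caller force the failure case. */
static int iommu_map_page(struct page_info *pg, bool succeed)
{
    (void)pg;
    return succeed ? 0 : -EINVAL_SIM;
}

/* Buggy flow: the reference is recorded first, and the error path after a
 * failed IOMMU update returns without undoing it. */
static int get_page_type_buggy(struct page_info *pg, bool iommu_ok)
{
    pg->type_count++;                  /* additional type reference recorded */
    int rc = iommu_map_page(pg, iommu_ok);
    if (rc)
        return rc;                     /* BUG: reference leaked on this path */
    return 0;
}

/* Fixed flow: a failed IOMMU update drops the reference before reporting. */
static int get_page_type_fixed(struct page_info *pg, bool iommu_ok)
{
    pg->type_count++;
    int rc = iommu_map_page(pg, iommu_ok);
    if (rc) {
        pg->type_count--;              /* undo the reference we just took */
        return rc;
    }
    return 0;
}

/* Normal release of a type reference on the success path. */
static void put_page_type(struct page_info *pg)
{
    pg->type_count--;
}

/* Models the cleanup-time check from the advisory: after the guest is torn
 * down no type references may remain. Returns the number of leftover
 * references; 0 means cleanup passes, non-zero is where a bug check fires. */
static unsigned int domain_teardown(struct page_info *pg)
{
    return pg->type_count;
}

/* Drives one of the two flows with the IOMMU update succeeding or failing,
 * releases the reference only when the call reported success (as a correct
 * caller would), and returns how many references are left at teardown. */
static unsigned int references_left(int (*get_type)(struct page_info *, bool),
                                    bool iommu_ok)
{
    struct page_info pg = { .type_count = 0 };
    int rc = get_type(&pg, iommu_ok);
    if (rc == 0)
        put_page_type(&pg);            /* caller got a reference, releases it */
    /* on failure the caller holds nothing and correctly releases nothing */
    return domain_teardown(&pg);
}

int main(void)
{
    printf("buggy, IOMMU ok:     %u left\n", references_left(get_page_type_buggy, true));
    printf("buggy, IOMMU failed: %u left\n", references_left(get_page_type_buggy, false));
    printf("fixed, IOMMU failed: %u left\n", references_left(get_page_type_fixed, false));
    return 0;
}
```

The success path is identical in both variants; only the failed-IOMMU case differs, which is why the leak is invisible until a guest with an assigned device hits an IOMMU update failure and is then torn down.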

IMPACT
======

Malicious or buggy x86 PV guest kernels can mount a Denial of Service
(DoS) attack affecting the whole system.

VULNERABLE SYSTEMS
==================

Xen versions from 4.8 onwards are vulnerable.

Only x86 systems are vulnerable.  ARM systems are not vulnerable.

Only x86 PV guests can exploit the vulnerability.  x86 HVM and PVH
guests cannot exploit the vulnerability.

Only guests which are assigned a physical device can exploit this
vulnerability.  Guests which are not assigned physical devices cannot
exploit this vulnerability.

MITIGATION
==========

Running only HVM or PVH guests avoids the vulnerability.

Not passing through PCI devices to PV guests also avoids the
vulnerability.

CREDITS
=======

This issue was discovered by Igor Druzhinin and Andrew Cooper of Citrix.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa291.patch           xen-unstable
xsa291-4.11.patch      Xen 4.11.x, Xen 4.10.x
xsa291-4.9.patch       Xen 4.9.x, Xen 4.8.x

$ sha256sum xsa291*
01883c11ae45a5771644270445e463538a61d98c66adbba852de74ccd272eae9  xsa291.meta
fb5f2a75ba113f21e9cb2dfbc22520495c69a4fef631c030a4834c680045e587  xsa291.patch
299bb4913e7ddb46ce90f415f91ee5e5480050631281c87e1a764b66fb116d89  xsa291-4.9.patch
16087ba5c59b9644f4f61c0c7fa124d9e04e88089b235aaae91daa04cdf1b8a1  xsa291-4.11.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decision-making.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAl2y1+EMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZlLUIAIIHkQgn80yjzaDnIGp0iFhcoTjDGlwk47MaQiJ2
QbmVstpVbg4ZUuPmxJ6eWTJXoMbdelthA9klXX9zc0LWEOrMwWeykAxkWB8uVj+b
URN6fJrLu73U2tqjmPT/P63FVgETXDbFGQcjsSkZ17VHcblmsysCUPmjLWn4r3Tc
/lCXcEjwHYV2HnYUBrXO2biDVChRt3ClLhJZW9pfvI8hIzCqL+tdtNuvvqVSwR3Y
SzR75k2lKwkmHQju2rpL00mNsyHsUOl3tDVeHTQa9V7yW4WO4vSb83oZExz9ChgH
g9ro6epGfGYCQYB9mNSaQbOM3LhOrWeiR1i3nUcR0qRG1wY=
=r9AC
-----END PGP SIGNATURE-----

Download attachment "xsa291.meta" of type "application/octet-stream" (1790 bytes)

Download attachment "xsa291.patch" of type "application/octet-stream" (1829 bytes)

Download attachment "xsa291-4.9.patch" of type "application/octet-stream" (1863 bytes)

Download attachment "xsa291-4.11.patch" of type "application/octet-stream" (1847 bytes)
