Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 07 Jul 2020 12:21:49 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org,
 xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security-team-members@....org>
Subject: Xen Security Advisory 321 v3 (CVE-2020-15565) - insufficient
 cache write-back under VT-d

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2020-15565 / XSA-321
                               version 3

                 insufficient cache write-back under VT-d

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

When page tables are shared between IOMMU and CPU, changes to them
require flushing of both TLBs.  Furthermore, IOMMUs may be non-coherent,
and hence prior to flushing IOMMU TLBs CPU cached also needs writing
back to memory after changes were made.  Such writing back of cached
data was missing in particular when splitting large page mappings into
smaller granularity ones.

IMPACT
======

A malicious guest may be able to retain read/write DMA access to
frames returned to Xen's free pool, and later reused for another
purpose.  Host crashes (leading to a Denial of Service) and privilege
escalation cannot be ruled out.

VULNERABLE SYSTEMS
==================

Xen versions from at least 3.2 onwards are affected.

Only x86 Intel systems are affected.  x86 AMD as well as Arm systems are
not affected.

Only x86 HVM guests using hardware assisted paging (HAP), having a
passed through PCI device assigned, and having page table sharing
enabled can leverage the vulnerability.  Note that page table
sharing will be enabled (by default) only if Xen considers IOMMU and
CPU large page size support compatible.

MITIGATION
==========

Suppressing the use of page table sharing will avoid the vulnerability
(command line option "iommu=no-sharept").  Note however that as of Xen
version 4.13 there's also a respective per-guest control ("passthrough="
libxl guest config file option).  If any guests have been created with
an explicit setting here, this setting may conflict with the addition of
the "iommu=no-sharept" Xen command line option.

Suppressing the use of large HAP pages will avoid the vulnerability
(command line options "hap_2mb=no hap_1gb=no").

Not passing through PCI devices to HVM guests will avoid the
vulnerability.

CREDITS
=======

This issue was discovered by Roger Pau Monné of Citrix.

RESOLUTION
==========

Applying the appropriate set of attached patches resolves this issue.

Note that unlike implied by the numbering, the patches here are intended
to go on top of XSA-328's.

Note also that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa321/xsa321-?.patch        xen-unstable
xsa321/xsa321-4.13-?.patch   Xen 4.13.x
xsa321/xsa321-4.12-?.patch   Xen 4.12.x
xsa321/xsa321-4.11-?.patch   Xen 4.11.x
xsa321/xsa321-4.10-?.patch   Xen 4.10.x
xsa321/xsa321-4.9-?.patch    Xen 4.9.x

$ sha256sum xsa321* xsa321*/*
f0824c6b6e5de723301223927dbad916e0e5fbeb70f30a7e2467a04094dd840b  xsa321.meta
35ed3be5e66da0580de8fb14ee7e6c073ac60e08e022c35ef194a714698641ad  xsa321/xsa321-1.patch
b2bbb4cf397b7b532dcab120a4d678938c50ca0df6ff2724a416ac8567bd667b  xsa321/xsa321-2.patch
87d2e0446ee3fb013c8f307e71c0ddeae8122d6beee3e5d2871aa429d8d19daa  xsa321/xsa321-3.patch
38d7e715d4ed751a9ce503b61cacaf2d06c91b2eab4be95cbc3a9ae4d2a05efb  xsa321/xsa321-4.9-1.patch
e4d5238233c883ea62491f852e543550bce9d74d7239a866f5e117df46838abc  xsa321/xsa321-4.9-2.patch
d9140aee60c848e2e07a59741bab1fde4669f2627923e5d3f08b8f2971f589c4  xsa321/xsa321-4.9-3.patch
be8e320f64185bb29c52c0c1472d9d9aa1319768076ff70e691d4b40f7938a27  xsa321/xsa321-4.9-4.patch
7d83cb2d7de293f8534fa4eae1c56979984d01d8842ac06cfcb645191f27e51f  xsa321/xsa321-4.9-5.patch
99c7cf186f0fea47ef516e3d477a5f5068adaad44624b406694b9ff33268e05b  xsa321/xsa321-4.9-6.patch
9731286e9af9d83c5bf191aa5a6be0dfa34c79bca15660cd9b9e1c8e930cf974  xsa321/xsa321-4.9-7.patch
360765e859866c466dc1c9c6893dd800407d8f09b0b6f2b07fa403c290c4f0c6  xsa321/xsa321-4.10-1.patch
e4d5238233c883ea62491f852e543550bce9d74d7239a866f5e117df46838abc  xsa321/xsa321-4.10-2.patch
74b5c19a469cc7252a296cb19288f1ab53a411530d06dd364a0e3292c6aa273f  xsa321/xsa321-4.10-3.patch
be8e320f64185bb29c52c0c1472d9d9aa1319768076ff70e691d4b40f7938a27  xsa321/xsa321-4.10-4.patch
7d83cb2d7de293f8534fa4eae1c56979984d01d8842ac06cfcb645191f27e51f  xsa321/xsa321-4.10-5.patch
99c7cf186f0fea47ef516e3d477a5f5068adaad44624b406694b9ff33268e05b  xsa321/xsa321-4.10-6.patch
fb3122d23ae7381d798721fe92c622ea2d37baac369fe89b0707030315dfc896  xsa321/xsa321-4.10-7.patch
360765e859866c466dc1c9c6893dd800407d8f09b0b6f2b07fa403c290c4f0c6  xsa321/xsa321-4.11-1.patch
02e2fda4b467f10a7f38cb2a095b9da04289d9e8489db88bf542d6527b823a23  xsa321/xsa321-4.11-2.patch
04c9bc347f8d3cbb8aecede370189bba2ed47be560d1871b91eb01b962a578cc  xsa321/xsa321-4.11-3.patch
be8e320f64185bb29c52c0c1472d9d9aa1319768076ff70e691d4b40f7938a27  xsa321/xsa321-4.11-4.patch
c1b143b43b59244d5dc755f6a99de70ac39e803a7204296bb47300b9ffe26e59  xsa321/xsa321-4.11-5.patch
38456ff553416e48f2f5438c2a5a163b20929e8a58dbe811942d0d47aacfc9ea  xsa321/xsa321-4.11-6.patch
d3b6df41682e6b88898545590bee8242c00b4593773ba8070ce57a0473094189  xsa321/xsa321-4.11-7.patch
c6d00d7a988002687be9a19a2d631c3562d8ec9f02ae24efc23eb0039f9e0ddb  xsa321/xsa321-4.12-1.patch
64dd3aa18be3ccb17ab6d813df16e2025adabbe38127f2f00175a6a481651d86  xsa321/xsa321-4.12-2.patch
935346f3d0f2759699b0ccb8002abfb0dc173ec3ed616fb9042ad86751445757  xsa321/xsa321-4.12-3.patch
be8e320f64185bb29c52c0c1472d9d9aa1319768076ff70e691d4b40f7938a27  xsa321/xsa321-4.12-4.patch
c1b143b43b59244d5dc755f6a99de70ac39e803a7204296bb47300b9ffe26e59  xsa321/xsa321-4.12-5.patch
0da20aeb89e18490d60649dbfdb9c374e5861032da784a7724216c329f2cc5f0  xsa321/xsa321-4.12-6.patch
4d1954600eeca7e2cb9143ea8e32969731071f991a9a88a245c18e860c57c22c  xsa321/xsa321-4.12-7.patch
946053a8bba53d87b4164acaf3343e30689d91b505b6355d873c016166d87103  xsa321/xsa321-4.13-1.patch
f09e8cbf0cce17647d47f38137792517c8b108c3b54f57793d03578b0d5ccf99  xsa321/xsa321-4.13-2.patch
bd50ad52d23c6fc12b69ecaaf41073833cbe9b1d66a9f4e148df078e30dd45d4  xsa321/xsa321-4.13-3.patch
b181511962ce397302be8b7d5a130abe0995b3fda68b96f1afa95ae64f62dd09  xsa321/xsa321-4.13-4.patch
3286fc184fb377c1ce94344d1dbae3b78e95b0ae766eabb80b2fc612e59ffb69  xsa321/xsa321-4.13-5.patch
03a193197d176109dc586f4d6a76aebe32a4aa147e88c79d57582cf0a186c4ef  xsa321/xsa321-4.13-6.patch
ef7f9ac74313d2dabfb258b2519b2144e4feed3c85b5f705c4b1b7ba31ec316a  xsa321/xsa321-4.13-7.patch
e6d4b77063d4cd7a7242ac54b150ce42ce684ecbf46c7eaff5715976f272f4bc  xsa321/xsa321-4.patch
920771be10110a3eef8e4b8644145794d274042092f3aa14e04fa94fc1e78e8a  xsa321/xsa321-5.patch
b10c5583e01f1c26862806562f30e393960b0bbdd7cf7fca6640f4daa88fe017  xsa321/xsa321-6.patch
18da003fb05b7aebe868ff9f1c77063b8a51be3b07ab0c9fc4821bf46ca86eeb  xsa321/xsa321-7.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAl8EaM8MHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZ35IH/iNi7HaBQrIqks4MB/0odUAIYyUEVsI4eAavChkX
oKO+IQ7sDOyjKG+VHWgMxtnZhcQk9A+qHMnfCjL7igp0HMonT5C1r38x/+Nf203+
V/mQ0h/Vj1Fz7qSk0mtX2j2zkAS7hEFnOQcT5TIkxAt5ZO3wSbPEwmt9UqR7VON9
rXFX6WyAqDhO7Hw2lngPXc2VGoORHqybII4XZGb24TO7q9U4vFhBR0ZVgWKBo1pt
82gl2h2jQn8IA0Rrack+ucfsoD9D+E3AQYtipZVd9PI/SJNsZHvHJdaPxBf2CUqO
Jb1e5MMXRG9Htpe0GPu8Y0TSUAUCoHqBsJTE1wkn4hun5SQ=
=/CNm
-----END PGP SIGNATURE-----

Download attachment "xsa321.meta" of type "application/octet-stream" (3295 bytes)

Download attachment "xsa321/xsa321-1.patch" of type "application/octet-stream" (1649 bytes)

Download attachment "xsa321/xsa321-2.patch" of type "application/octet-stream" (7423 bytes)

Download attachment "xsa321/xsa321-3.patch" of type "application/octet-stream" (3949 bytes)

Download attachment "xsa321/xsa321-4.9-1.patch" of type "application/octet-stream" (1376 bytes)

Download attachment "xsa321/xsa321-4.9-2.patch" of type "application/octet-stream" (6052 bytes)

Download attachment "xsa321/xsa321-4.9-3.patch" of type "application/octet-stream" (2989 bytes)

Download attachment "xsa321/xsa321-4.9-4.patch" of type "application/octet-stream" (1184 bytes)

Download attachment "xsa321/xsa321-4.9-5.patch" of type "application/octet-stream" (793 bytes)

Download attachment "xsa321/xsa321-4.9-6.patch" of type "application/octet-stream" (3140 bytes)

Download attachment "xsa321/xsa321-4.9-7.patch" of type "application/octet-stream" (6147 bytes)

Download attachment "xsa321/xsa321-4.10-1.patch" of type "application/octet-stream" (1323 bytes)

Download attachment "xsa321/xsa321-4.10-2.patch" of type "application/octet-stream" (6052 bytes)

Download attachment "xsa321/xsa321-4.10-3.patch" of type "application/octet-stream" (2989 bytes)

Download attachment "xsa321/xsa321-4.10-4.patch" of type "application/octet-stream" (1184 bytes)

Download attachment "xsa321/xsa321-4.10-5.patch" of type "application/octet-stream" (793 bytes)

Download attachment "xsa321/xsa321-4.10-6.patch" of type "application/octet-stream" (3140 bytes)

Download attachment "xsa321/xsa321-4.10-7.patch" of type "application/octet-stream" (6147 bytes)

Download attachment "xsa321/xsa321-4.11-1.patch" of type "application/octet-stream" (1323 bytes)

Download attachment "xsa321/xsa321-4.11-2.patch" of type "application/octet-stream" (6389 bytes)

Download attachment "xsa321/xsa321-4.11-3.patch" of type "application/octet-stream" (2989 bytes)

Download attachment "xsa321/xsa321-4.11-4.patch" of type "application/octet-stream" (1184 bytes)

Download attachment "xsa321/xsa321-4.11-5.patch" of type "application/octet-stream" (795 bytes)

Download attachment "xsa321/xsa321-4.11-6.patch" of type "application/octet-stream" (3128 bytes)

Download attachment "xsa321/xsa321-4.11-7.patch" of type "application/octet-stream" (6153 bytes)

Download attachment "xsa321/xsa321-4.12-1.patch" of type "application/octet-stream" (1316 bytes)

Download attachment "xsa321/xsa321-4.12-2.patch" of type "application/octet-stream" (6324 bytes)

Download attachment "xsa321/xsa321-4.12-3.patch" of type "application/octet-stream" (2991 bytes)

Download attachment "xsa321/xsa321-4.12-4.patch" of type "application/octet-stream" (1184 bytes)

Download attachment "xsa321/xsa321-4.12-5.patch" of type "application/octet-stream" (795 bytes)

Download attachment "xsa321/xsa321-4.12-6.patch" of type "application/octet-stream" (3128 bytes)

Download attachment "xsa321/xsa321-4.12-7.patch" of type "application/octet-stream" (5603 bytes)

Download attachment "xsa321/xsa321-4.13-1.patch" of type "application/octet-stream" (1316 bytes)

Download attachment "xsa321/xsa321-4.13-2.patch" of type "application/octet-stream" (6322 bytes)

Download attachment "xsa321/xsa321-4.13-3.patch" of type "application/octet-stream" (2911 bytes)

Download attachment "xsa321/xsa321-4.13-4.patch" of type "application/octet-stream" (1184 bytes)

Download attachment "xsa321/xsa321-4.13-5.patch" of type "application/octet-stream" (794 bytes)

Download attachment "xsa321/xsa321-4.13-6.patch" of type "application/octet-stream" (3119 bytes)

Download attachment "xsa321/xsa321-4.13-7.patch" of type "application/octet-stream" (5603 bytes)

Download attachment "xsa321/xsa321-4.patch" of type "application/octet-stream" (1575 bytes)

Download attachment "xsa321/xsa321-5.patch" of type "application/octet-stream" (1243 bytes)

Download attachment "xsa321/xsa321-6.patch" of type "application/octet-stream" (3784 bytes)

Download attachment "xsa321/xsa321-7.patch" of type "application/octet-stream" (6848 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.