Date: Tue, 07 Jul 2020 12:24:05 +0000
From: security team <>
CC: security team <>
Subject: Xen Security Advisory 328 v3 (CVE-2020-15567) - non-atomic modification of live EPT PTE


            Xen Security Advisory CVE-2020-15567 / XSA-328
                               version 3

                non-atomic modification of live EPT PTE


Public release.


When mapping guest EPT (nested paging) tables, Xen would in some
circumstances update a live page-table entry, i.e. one the hardware
may be walking at the same time, with a series of non-atomic bitfield
writes.

Depending on the compiler version and optimisation flags, Xen might
expose a dangerous partially-written PTE to the hardware, which an
attacker might be able to race to exploit.


A guest administrator or perhaps even unprivileged guest user might
be able to cause denial of service, data corruption, or privilege


Only systems using Intel CPUs are vulnerable.  Systems using AMD CPUs,
and Arm systems, are not vulnerable.

Only systems using hardware-assisted paging ("hap", i.e. nested paging,
which on Intel means EPT) are vulnerable.

Only HVM and PVH guests can exploit the vulnerability.

The presence and scope of the vulnerability depends on the precise
optimisations performed by the compiler used to build Xen.  If the
compiler generates (a) a single 64-bit write, or (b) a series of
read-modify-write operations which are in the same order as the source
code, the hypervisor is not vulnerable.

For example, in one test build with gcc 8.3 with normal settings, the
compiler generated multiple (unlocked) read-modify-write operations in
source code order, which did *not* constitute a vulnerability.

We have not been able to survey compilers; consequently we cannot say
which compiler(s) might produce vulnerable code (with which code
generation options).  The code clearly violates the C rules: the
stores are neither volatile nor atomic, so the compiler is free to
split, merge or reorder them.  So we have chosen to issue this
advisory.


Running only PV guests will avoid this vulnerability.

Switching to shadow paging (e.g. using the "hap=0" xl domain
configuration file parameter) will avoid exposing the vulnerability to
those guests.

Manual inspection of the generated assembly code might allow a
suitably qualified person to say that a particular build is not

There is no less broad mitigation.


This issue was discovered by Jan Beulich of SUSE.

For patch 1:
Reviewed-by: Roger Pau Monné <>

For patch 2:
From: Roger Pau Monné <>
Reported-by: Jan Beulich <>
Signed-off-by: Roger Pau Monné <>


Applying the appropriate pair of attached patches resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa328/xsa328-?.patch        xen-unstable
xsa328/xsa328-4.13-?.patch   Xen 4.13.x
xsa328/xsa328-4.12-?.patch   Xen 4.12.x
xsa328/xsa328-4.11-?.patch   Xen 4.11.x, Xen 4.10.x
xsa328/xsa328-4.9-?.patch    Xen 4.9.x

$ sha256sum xsa328* xsa328*/*
61ceb3d039c3ebb06f480a17593b367b01e7c1e5cc3669d77caecb704fbc7071  xsa328.meta
cae53f7e6c46fe245790036279bc50eaa10e4271790e871ad8a7d446629b2e12  xsa328/xsa328-1.patch
d61354a992869451cd7a3c92254672b5e253d1a994135cf9b4a5c784be0a07ef  xsa328/xsa328-2.patch
018412fba6f153c1d6b03fc2fa6f3ac381060efe6a8651404462028d24c830a8  xsa328/xsa328-4.9-1.patch
f3deb26e0ce27c385ab16065a0ba67b86a228afd949c0a6a78b9d48366fc2554  xsa328/xsa328-4.9-2.patch
a600ecef784485e8608cd4549f756ffa24705747a4d876147f9ba64fff118580  xsa328/xsa328-4.11-1.patch
f3deb26e0ce27c385ab16065a0ba67b86a228afd949c0a6a78b9d48366fc2554  xsa328/xsa328-4.11-2.patch
d608921359e561f9c594c9f8f7ee02432518a229ecea638d472ab91227d705ec  xsa328/xsa328-4.12-1.patch
a51162c019e7e6ed394faa7d40c932456059b7b76a784dc7886dd0a47c43da0b  xsa328/xsa328-4.12-2.patch
51a41fae885aed40839887da473e0c8ab4c4d897a121f5fac2cc3c6c0188d6d2  xsa328/xsa328-4.13-1.patch
a51162c019e7e6ed394faa7d40c932456059b7b76a784dc7886dd0a47c43da0b  xsa328/xsa328-4.13-2.patch


Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:

