Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1kUqJo-00021v-0d@xenbits.xenproject.org>
Date: Tue, 20 Oct 2020 12:00:44 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org,
 xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security-team-members@....org>
Subject: Xen Security Advisory 345 v3 - x86: Race condition in Xen mapping
 code

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

                    Xen Security Advisory XSA-345
                              version 3

                x86: Race condition in Xen mapping code

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

The Xen code handling the updating of the hypervisor's own pagetables
tries to use 2MiB and 1GiB superpages as much as possible to maximize
TLB efficiency.  Some of the operations for checking and coalescing
superpages take non-negligible amount of time; to avoid potential lock
contention, this code also tries to avoid holding locks for the entire
operation.

Unfortunately, several potential race conditions were not considered;
precisely-timed guest actions could potentially lead to the code
writing to a page which has been freed (and thus potentially already
reused).

IMPACT
======

A malicious guest can cause a host denial-of-service.  Data corruption
or privilege escalation cannot be ruled out.

VULNERABLE SYSTEMS
==================

Versions of Xen from at least 3.2 onward are affected.

Only x86 systems are vulnerable.  ARM systems are not vulnerable.

Guests can only exercise the vulnerability if they have passed through
hardware devices.  Guests without passthrough configured cannot
exploit the vulnerability.

Furthermore, HVM and PVH guests can only exercise the vulnerability if
they are running in shadow mode, and only when running on VT-x capable
hardware (as opposed to SVM).  This is believed to be Intel, Centaur
and Shanghai CPUs.

MITIGATION
==========

Running all guests in HVM or PVH mode, in each case with HAP enabled,
prevent those guests from exploiting the vulnerability.

CREDITS
=======

This issue was discovered by Hongyan Xia of Amazon.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa345/*.patch           xen-unstable
xsa345-4.14/*.patch      Xen 4.14.x
xsa345-4.13/*.patch      Xen 4.12.x, Xen 4.13.x
xsa345-4.11/*.patch      Xen 4.11.x
xsa345-4.10/*.patch      Xen 4.10.x

$ sha256sum xsa345* xsa345*/*
c8b9445b05aa4c585d9817c2e6cbf08466452a15381ca5b9a0224a377522edf9  xsa345.meta
4ed69dce620449bedda29f3ce1ed767908d2bbeb888701e7c4c2461216b724f7  xsa345-4.10/0001-x86-mm-Refactor-map_pages_to_xen-to-have-only-a-sing.patch
98d3b171b197c1ff9f26ff70499a0cde3b23d048d622b12bf2ea0899de4f9e7f  xsa345-4.10/0002-x86-mm-Refactor-modify_xen_mappings-to-have-one-exit.patch
78c4be2f1747051d13869001180ee25bdeabe5e8138d0604a33db610b24e38f1  xsa345-4.10/0003-x86-mm-Prevent-some-races-in-hypervisor-mapping-upda.patch
4abd8271a70593fcde683071fdf0ac342ff9b0859b60c9790b14dd7e5ae85129  xsa345-4.11/0001-x86-mm-Refactor-map_pages_to_xen-to-have-only-a-sing.patch
3209195c1a7e8a6186b704d6bb791a3fb3c251d59e15b42bcb0ecc0d38f13a4f  xsa345-4.11/0002-x86-mm-Refactor-modify_xen_mappings-to-have-one-exit.patch
7e73f6c14718a0d4b25b4453b45c20bf265bd54c91b77678815be1ef7beae61f  xsa345-4.11/0003-x86-mm-Prevent-some-races-in-hypervisor-mapping-upda.patch
b68b82911c96feee9d05abcddf174c2f6b278829bc8c3bf3062739de8c4704b2  xsa345-4.12/0001-x86-mm-Refactor-map_pages_to_xen-to-have-only-a-sing.patch
fe2a1568a3e273ae01b3984c193e75aea16da53c6c9db27d21a2196d0f204c6e  xsa345-4.12/0002-x86-mm-Refactor-modify_xen_mappings-to-have-one-exit.patch
22c98f4a264bc6b15ed29da8698a733947849c16a3e9da58de88bf16986b6aad  xsa345-4.12/0003-x86-mm-Prevent-some-races-in-hypervisor-mapping-upda.patch
16299d885c19e1cd378a856caf8c1d1365c341bea648c0a0d5f24ae7d56015ae  xsa345-4.13/0001-x86-mm-Refactor-map_pages_to_xen-to-have-only-a-sing.patch
b820061c242c7fa4da44cbb44fa16e0d0542c16815a89699385da0c87321f7ea  xsa345-4.13/0002-x86-mm-Refactor-modify_xen_mappings-to-have-one-exit.patch
8a87ac2478c9bda6ef28c480b256448d51393a5e04f6e8a68ea29d9aeba92e47  xsa345-4.13/0003-x86-mm-Prevent-some-races-in-hypervisor-mapping-upda.patch
acf093741fecccccce0018d4a5c0f5dba367373dd1d6d04ed76ff3f178579670  xsa345-4.14/0001-x86-mm-Refactor-map_pages_to_xen-to-have-only-a-sing.patch
616f2547b4bb6d5eb9f853b1659e6e2a1fc0f67866665f4f6cdd8d763effcdfc  xsa345-4.14/0002-x86-mm-Refactor-modify_xen_mappings-to-have-one-exit.patch
17ae72d2af6759da17ce777e0fc9eef8f8eb6be3fe6d5b38b3589f641fc0f918  xsa345-4.14/0003-x86-mm-Prevent-some-races-in-hypervisor-mapping-upda.patch
65c56cb4d34ff4e97220311b303c09b54bfa44bcf4adc8e81d4a50c50eeb6b95  xsa345/0001-x86-mm-Refactor-map_pages_to_xen-to-have-only-a-sing.patch
5512bd167c29ba7da06b2ace1397fc43ed33a362174ea927d6ca3f9bdd31748b  xsa345/0002-x86-mm-Refactor-modify_xen_mappings-to-have-one-exit.patch
392524c9b0a01618e6c86a39dc1c68288065300b49548e29e9e6672947858060  xsa345/0003-x86-mm-Prevent-some-races-in-hypervisor-mapping-upda.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAl+OzqoMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZLt4H/2hHMHfpQsPiWUXQj6/SXmjZrnIuBsBeP6Hno3p+
aKVzdFJkdBHN6thRlIgir1tffawxbzrFG4ARN3A4mBfdEJYFMLo79v6dn1FtCdzw
OFdI95/sZ+zeOR8InfjedX67S0fNzVW4QkU2dpS5pwupdn+wg+Z4313FIyV7Oteo
sbN8dCeCn9t2mDBXa6D9Tyhc5iTfPBU09AZWh29wjnjGH4nOgarDwHX4x7VzZLyY
CB18RZ/Ezwud3thlsZdLWfzGOvpRDMKFq2pYwBHd3Dc7cSOLRGf6x8FLAHVc7XzR
a5cLY0oYOppJa++a/yyG8pKs7O410943SZ7292mDv0hwjnw=
=pVu8
-----END PGP SIGNATURE-----

Download attachment "xsa345.meta" of type "application/octet-stream" (1741 bytes)

Download attachment "xsa345-4.10/0001-x86-mm-Refactor-map_pages_to_xen-to-have-only-a-sing.patch" of type "application/octet-stream" (2650 bytes)

Download attachment "xsa345-4.10/0002-x86-mm-Refactor-modify_xen_mappings-to-have-one-exit.patch" of type "application/octet-stream" (2284 bytes)

Download attachment "xsa345-4.10/0003-x86-mm-Prevent-some-races-in-hypervisor-mapping-upda.patch" of type "application/octet-stream" (8436 bytes)

Download attachment "xsa345-4.11/0001-x86-mm-Refactor-map_pages_to_xen-to-have-only-a-sing.patch" of type "application/octet-stream" (2661 bytes)

Download attachment "xsa345-4.11/0002-x86-mm-Refactor-modify_xen_mappings-to-have-one-exit.patch" of type "application/octet-stream" (2284 bytes)

Download attachment "xsa345-4.11/0003-x86-mm-Prevent-some-races-in-hypervisor-mapping-upda.patch" of type "application/octet-stream" (8394 bytes)

Download attachment "xsa345-4.12/0001-x86-mm-Refactor-map_pages_to_xen-to-have-only-a-sing.patch" of type "application/octet-stream" (2619 bytes)

Download attachment "xsa345-4.12/0002-x86-mm-Refactor-modify_xen_mappings-to-have-one-exit.patch" of type "application/octet-stream" (2242 bytes)

Download attachment "xsa345-4.12/0003-x86-mm-Prevent-some-races-in-hypervisor-mapping-upda.patch" of type "application/octet-stream" (8302 bytes)

Download attachment "xsa345-4.13/0001-x86-mm-Refactor-map_pages_to_xen-to-have-only-a-sing.patch" of type "application/octet-stream" (2661 bytes)

Download attachment "xsa345-4.13/0002-x86-mm-Refactor-modify_xen_mappings-to-have-one-exit.patch" of type "application/octet-stream" (2284 bytes)

Download attachment "xsa345-4.13/0003-x86-mm-Prevent-some-races-in-hypervisor-mapping-upda.patch" of type "application/octet-stream" (8347 bytes)

Download attachment "xsa345-4.14/0001-x86-mm-Refactor-map_pages_to_xen-to-have-only-a-sing.patch" of type "application/octet-stream" (2655 bytes)

Download attachment "xsa345-4.14/0002-x86-mm-Refactor-modify_xen_mappings-to-have-one-exit.patch" of type "application/octet-stream" (2305 bytes)

Download attachment "xsa345-4.14/0003-x86-mm-Prevent-some-races-in-hypervisor-mapping-upda.patch" of type "application/octet-stream" (8374 bytes)

Download attachment "xsa345/0001-x86-mm-Refactor-map_pages_to_xen-to-have-only-a-sing.patch" of type "application/octet-stream" (3075 bytes)

Download attachment "xsa345/0002-x86-mm-Refactor-modify_xen_mappings-to-have-one-exit.patch" of type "application/octet-stream" (2305 bytes)

Download attachment "xsa345/0003-x86-mm-Prevent-some-races-in-hypervisor-mapping-upda.patch" of type "application/octet-stream" (8374 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.