Date: Tue, 03 Nov 2020 17:54:56 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org, xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security-team-members@....org>
Subject: Xen Security Advisory 286 v5 - x86 PV guest INVLPG-like flushes may leave stale TLB entries

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory XSA-286
                              version 5

  x86 PV guest INVLPG-like flushes may leave stale TLB entries

UPDATES IN VERSION 5
====================

Patches rewritten to use a completely different approach.

The patches supplied in XSA-286 version 4 were found to have a significant
performance impact. An alternative approach was developed and has now been
committed to the relevant Xen branches. The alternative approach is simpler
and mitigates the performance problems.

At the time of writing the patches in XSA-286 v4 are believed to be correct
and sound, but if we discover that this is not the case we will not issue a
further update. We recommend the use of the patches provided in the Xen git
branches, which are the same as those attached in this version of the
advisory.

ISSUE DESCRIPTION
=================

x86 PV guest kernels may use hypercalls with INVLPG-like behavior to
invalidate TLB entries even after changes to non-leaf page tables. Such
changes to non-leaf page tables will, however, also render stale possible
TLB entries created by Xen's internal use of linear page tables to process
guest requests like update-va-mapping. Invalidation of these TLB entries
has been missing, allowing subsequent guest requests to change address
mappings for one process to potentially modify memory meanwhile in use
elsewhere.

IMPACT
======

Malicious x86 PV guest user mode may be able to escalate their privilege
to that of the guest kernel.

VULNERABLE SYSTEMS
==================

All versions of Xen expose the vulnerability.

The vulnerability is exposed to x86 PV guests only. x86 HVM/PVH guests as
well as ARM ones are not vulnerable.

MITIGATION
==========

There is no known mitigation.

CREDITS
=======

This issue was discovered by Jann Horn of Google Project Zero.

RESOLUTION
==========

Applying the appropriate set of attached patches resolves this issue.

xsa286-unstable/*.patch  xen-unstable
xsa286-4.14/*.patch      Xen 4.14.x
xsa286-4.13/*.patch      Xen 4.13.x
xsa286-4.12/*.patch      Xen 4.12.x
xsa286-4.11/*.patch      Xen 4.11.x
xsa286-4.10/*.patch      Xen 4.10.x

$ sha256sum xsa286* xsa286*/*
a7d4ddb15197dfcb246b84f8a89799f76070cdde99a5c1d0203229d719b0fcc1  xsa286.meta
e5f946b07989db85de2a03e4b88e09324316c0ec12d21c5afb83d463114a1f4f  xsa286-unstable/0001-x86-pv-Drop-FLUSH_TLB_GLOBAL-in-do_mmu_update-for-XP.patch
2a732c958201eb03cc0737278e75f86160e0dedbbe0a13f415ec0d17a90ec009  xsa286-unstable/0002-x86-pv-Flush-TLB-in-response-to-paging-structure-cha.patch
2da4b60e19b1fbf1daf0d1bc61733763abf5653a6e53ffeadd559d0a01ec8095  xsa286-4.10/0001-x86-pv-Drop-FLUSH_TLB_GLOBAL-in-do_mmu_update-for-XP.patch
5ce7f56a9b2c9a3a63f79d7df2486c24fc130a8658deb182b22416e17c202ae9  xsa286-4.10/0002-x86-pv-Flush-TLB-in-response-to-paging-structure-cha.patch
2e700e091bfd9d3fd6dd65064ec39a8a40d73bcc94b66852fd2d6fbe9ba6c2db  xsa286-4.11/0001-x86-pv-Drop-FLUSH_TLB_GLOBAL-in-do_mmu_update-for-XP.patch
d622652ce50d59bf45134baabc26b89a24e5d98b1f82230041919089a1cf1620  xsa286-4.11/0002-x86-pv-Flush-TLB-in-response-to-paging-structure-cha.patch
4dc18a007ddf2bd5022ce194b861989be88170f8188ce49dbea7073bb280202f  xsa286-4.12/0001-x86-pv-Drop-FLUSH_TLB_GLOBAL-in-do_mmu_update-for-XP.patch
2c48331849d4d401b47dfc3db84bb067786b4e53155587235d919781b4a10e76  xsa286-4.12/0002-x86-pv-Flush-TLB-in-response-to-paging-structure-cha.patch
dd0fad5165dcd0c3d8d551e35fa4fe29653a3b8c5ec52f7f86f434305c946338  xsa286-4.13/0001-x86-pv-Drop-FLUSH_TLB_GLOBAL-in-do_mmu_update-for-XP.patch
de1326efd4a8559c32ac68c89095f3230f723dec2acc80fc01a534578bb1be82  xsa286-4.13/0002-x86-pv-Flush-TLB-in-response-to-paging-structure-cha.patch
a718f5e19ce821d1fe06f2cdc2f7ad0bbe7c7bca954c283bbc36ad50522f66ef  xsa286-4.14/0001-x86-pv-Drop-FLUSH_TLB_GLOBAL-in-do_mmu_update-for-XP.patch
d659d4a4119b235c7d1054980ceea9424dcc7faf3cfd3fd46627577a424256b5  xsa286-4.14/0002-x86-pv-Flush-TLB-in-response-to-paging-structure-cha.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or others
which are substantially similar) is permitted during the embargo, even on
public-facing systems with untrusted guest users and administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security Team.

(Note: this during-embargo deployment notice is retained in post-embargo
publicly released Xen Project advisories, even though it is then no longer
applicable. This is to enable the community to have oversight of the Xen
Project Security Team's decision-making.)
For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:

  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAl+hmVsMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZI2cIAMnry5bAAjp6b9C2YsnAFgwQy114GNMaYUGpktEk
LPLvjyNkQ4ZRxoqUCk/i645h62cI24CfJS1JraHU5kCk2OSRNT6d2OhXkXhRb1qD
NL4tM+9Y5xo8R7HkZ3PV1Xs4RGr1RYuXYNKv6RPj74SpJFGmJYfsZaSgnzNxuNeL
LWFVCSZtFE7RIgOVHCrl+fLH0bFg3A8xKDsRTD8sZ+T7zEpUoe7lq8S/PZmijFAm
1WU/p1l7Fy1DHeIXtvLc82d7y5/ZwQtMgNjzy0BDS+rmuxaJRd6ciQgmj+4eTYXw
biiiFoKKQ/6Kaf/QdI4LlOtrnVmLyskJNnrWeP5BgW+0h7A=
=xMu5
-----END PGP SIGNATURE-----
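The sha256sum listing in the RESOLUTION section is the check a practitioner should run before applying the attachments: every downloaded patch must hash to the value the security team signed. The script below is an added example, not part of the advisory and not Xen project tooling. It embeds the advisory's listing verbatim, parses sha256sum-style lines, hashes each listed file under a directory you point it at, and reports which files are intact, which do not match and which are absent. The `demo()` function exercises the same logic on constructed throwaway files (an empty file and a tampered one), not the real patches. On a machine with coreutils, `sha256sum -c` against the saved listing performs the equivalent check.

```python
#!/usr/bin/env python3
"""Verify downloaded XSA-286 attachments against the advisory's sha256sum listing.

Usage: python3 verify_xsa286.py <directory containing xsa286.meta and xsa286-*/>
"""
import hashlib
import re
import sys
import tempfile
from pathlib import Path

# Listing copied verbatim from the advisory's RESOLUTION section.
ADVISORY_SHA256_LISTING = """
a7d4ddb15197dfcb246b84f8a89799f76070cdde99a5c1d0203229d719b0fcc1  xsa286.meta
e5f946b07989db85de2a03e4b88e09324316c0ec12d21c5afb83d463114a1f4f  xsa286-unstable/0001-x86-pv-Drop-FLUSH_TLB_GLOBAL-in-do_mmu_update-for-XP.patch
2a732c958201eb03cc0737278e75f86160e0dedbbe0a13f415ec0d17a90ec009  xsa286-unstable/0002-x86-pv-Flush-TLB-in-response-to-paging-structure-cha.patch
2da4b60e19b1fbf1daf0d1bc61733763abf5653a6e53ffeadd559d0a01ec8095  xsa286-4.10/0001-x86-pv-Drop-FLUSH_TLB_GLOBAL-in-do_mmu_update-for-XP.patch
5ce7f56a9b2c9a3a63f79d7df2486c24fc130a8658deb182b22416e17c202ae9  xsa286-4.10/0002-x86-pv-Flush-TLB-in-response-to-paging-structure-cha.patch
2e700e091bfd9d3fd6dd65064ec39a8a40d73bcc94b66852fd2d6fbe9ba6c2db  xsa286-4.11/0001-x86-pv-Drop-FLUSH_TLB_GLOBAL-in-do_mmu_update-for-XP.patch
d622652ce50d59bf45134baabc26b89a24e5d98b1f82230041919089a1cf1620  xsa286-4.11/0002-x86-pv-Flush-TLB-in-response-to-paging-structure-cha.patch
4dc18a007ddf2bd5022ce194b861989be88170f8188ce49dbea7073bb280202f  xsa286-4.12/0001-x86-pv-Drop-FLUSH_TLB_GLOBAL-in-do_mmu_update-for-XP.patch
2c48331849d4d401b47dfc3db84bb067786b4e53155587235d919781b4a10e76  xsa286-4.12/0002-x86-pv-Flush-TLB-in-response-to-paging-structure-cha.patch
dd0fad5165dcd0c3d8d551e35fa4fe29653a3b8c5ec52f7f86f434305c946338  xsa286-4.13/0001-x86-pv-Drop-FLUSH_TLB_GLOBAL-in-do_mmu_update-for-XP.patch
de1326efd4a8559c32ac68c89095f3230f723dec2acc80fc01a534578bb1be82  xsa286-4.13/0002-x86-pv-Flush-TLB-in-response-to-paging-structure-cha.patch
a718f5e19ce821d1fe06f2cdc2f7ad0bbe7c7bca954c283bbc36ad50522f66ef  xsa286-4.14/0001-x86-pv-Drop-FLUSH_TLB_GLOBAL-in-do_mmu_update-for-XP.patch
d659d4a4119b235c7d1054980ceea9424dcc7faf3cfd3fd46627577a424256b5  xsa286-4.14/0002-x86-pv-Flush-TLB-in-response-to-paging-structure-cha.patch
"""

# One sha256sum output line: 64 hex digits, whitespace, then the path.
LINE_RE = re.compile(r"^([0-9a-f]{64})\s+(\S+)$")


def parse_listing(text):
    """Map each listed path to its expected hex digest; reject malformed lines."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable sha256sum line: {line!r}")
        digest, path = m.groups()
        expected[path] = digest
    return expected


def sha256_file(path):
    """Stream a file through SHA-256 so large attachments are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_patches(base_dir, listing=ADVISORY_SHA256_LISTING):
    """Return (intact, mismatched, missing) lists of listed paths relative to base_dir."""
    expected = parse_listing(listing)
    intact, mismatched, missing = [], [], []
    for rel, digest in sorted(expected.items()):
        p = Path(base_dir) / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_file(p) != digest:
            mismatched.append(rel)
        else:
            intact.append(rel)
    return intact, mismatched, missing


def demo():
    """Run verify_patches over constructed files, not the real attachments."""
    # SHA-256 of zero bytes; used as the "expected" digest for all three entries.
    empty_sha = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
    listing = "\n".join(f"{empty_sha}  {name}" for name in
                        ("intact.patch", "tampered.patch", "absent.patch"))
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "intact.patch").write_bytes(b"")             # matches
        (Path(d) / "tampered.patch").write_bytes(b"trailing junk")  # does not match
        # absent.patch is deliberately never written
        return verify_patches(d, listing)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit(__doc__)
    ok, bad, gone = verify_patches(sys.argv[1])
    for rel in ok:
        print(f"OK        {rel}")
    for rel in bad:
        print(f"MISMATCH  {rel}")
    for rel in gone:
        print(f"MISSING   {rel}")
    sys.exit(1 if (bad or gone) else 0)
```

A mismatch or a missing file is a hard failure here; an advisory's hash listing covers exactly the files the team signed, so anything extra or altered in the directory should stop deployment until the download is repeated from the canonical source and the PGP signature on the advisory itself has been checked.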