Information

Advisory XSA-304
Public release 2019-11-12 17:53
Updated 2020-08-14 16:50
Version 2
CVE(s) CVE-2018-12207
Title x86: Machine Check Error on Page Size Change DoS

Files

advisory-304.txt (signed advisory file)
xsa304.meta
xsa304/xsa304-1.patch
xsa304/xsa304-2.patch
xsa304/xsa304-3.patch
xsa304/xsa304-4.8-1.patch
xsa304/xsa304-4.8-2.patch
xsa304/xsa304-4.9-1.patch
xsa304/xsa304-4.9-2.patch
xsa304/xsa304-4.10-1.patch
xsa304/xsa304-4.10-2.patch
xsa304/xsa304-4.10-3.patch
xsa304/xsa304-4.11-1.patch
xsa304/xsa304-4.11-2.patch
xsa304/xsa304-4.11-3.patch
xsa304/xsa304-4.12-1.patch
xsa304/xsa304-4.12-2.patch
xsa304/xsa304-4.12-3.patch

Advisory


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2018-12207 / XSA-304
                               version 2

            x86: Machine Check Error on Page Size Change DoS

UPDATES IN VERSION 2
====================

Tweaked version recipes to make them easier to parse.

ISSUE DESCRIPTION
=================

An erratum exists across some CPUs whereby an instruction fetch may
cause a machine check error if the pagetables have been updated in a
specific manner without invalidating the TLB.

The x86 architecture explicitly permits modification of the pagetables
without TLB invalidation, but in this corner case, the impacted core
ceases operating and an unexpected machine check or system reset occurs.

This corner case can be triggered by guest kernels.

For more details, see:
  https://software.intel.com/security-software-guidance/insights/deep-dive-machine-check-error-avoidance-page-size-change

IMPACT
======

A malicious guest kernel can crash the host, resulting in a Denial of
Service (DoS).  (This CPU bug may also be triggered accidentally.)

VULNERABLE SYSTEMS
==================

Systems running all versions of Xen are affected.

Only x86 processors are vulnerable.  ARM processors are not believed to
be vulnerable.

Only Intel Core based processors (from Nehalem onwards) are affected.
Other processors designs (Intel Atom/Knights range), and other
manufacturers (AMD) are not known to be affected.

Only x86 HVM/PVH guests can exploit the vulnerability.  x86 PV guests
cannot exploit the vulnerability.

Please consult the Intel Security Advisory for details on the affected
processors.

MITIGATION
==========

Running only PV guests avoids the vulnerability.

Booting Xen with `hap_2mb=0 hap_1gb=0` on the command line, to disable
the use of HAP superpages, works around the vulnerability.

Booting Xen with `hap=0` to disable HAP entirely, or configuring HVM/PVH
guests to use shadow paging (hap=0 in xl.cfg) works around the
vulnerability, but the performance impact of shadow paging in
combination with in-guest Meltdown mitigations (KPTI, KVAS, etc) will
most likely make this option prohibitive to use.

RESOLUTION
==========

Applying the appropriate attached patches resolves this issue.

By default, Xen will disable executable superpages on
believed-vulnerable hardware, and report so at boot:

  (XEN) VMX: Disabling executable EPT superpages due to CVE-2018-12207

See the performance and safety consideration section below.

The patches are comprised of:
 *-1.patch: Fix on SandyBridge hardware discovered during testing
 *-2.patch: Main security fix
 *-3.patch: (4.10 and later) Runtime control of fast vs secure

xsa304/xsa304-?.patch           xen-unstable
xsa304/xsa304-4.12-?.patch      Xen 4.12.x
xsa304/xsa304-4.11-?.patch      Xen 4.11.x
xsa304/xsa304-4.10-?.patch      Xen 4.10.x
xsa304/xsa304-4.9-?.patch       Xen 4.9.x
xsa304/xsa304-4.8-?.patch       Xen 4.8.x

$ sha256sum xsa304* xsa304*/*
80433abf487016e6d12b72a5a82eb27caff5cc21e608070a3bcec98de0856953  xsa304.meta
3365e0351b3ccb39e3be53bcbfd8219d8282f6f3d97d6c4519a3e860b27f6844  xsa304/xsa304-1.patch
1a85753717312f2b20f291c9e79271c63be2a9542fbec651d0a8fc4d8aca0408  xsa304/xsa304-2.patch
0c770aa15f2aef2bb3253194243968181a4bb1710d09d6f785ed7f5dae03b93b  xsa304/xsa304-3.patch
2d2eb25b842578bd45480c8ff6f2266617dd0db5e6e552d5ae481eb764c8aea0  xsa304/xsa304-4.8-1.patch
72d91f67af06f89d01f7dc1e6ff87f50cad28bbb0475eb5cfbb986ee51775bc2  xsa304/xsa304-4.8-2.patch
d8d18e7dd9b59f01454352a46d38699b21c5f1f7ff6bd2aa8e63fbd7a98cfca4  xsa304/xsa304-4.9-1.patch
244df964d70eab300c77210456439dfb1c46f2ddd9f1b851e1110be7573948ba  xsa304/xsa304-4.9-2.patch
2d80f2603412abb4e644b8e868f4218e90db3f59b25f833ff7342d347af6c5a8  xsa304/xsa304-4.10-1.patch
94a87371ddeccf5705ed71a961135393fa9046e4235cc90402f9292dcfffa43c  xsa304/xsa304-4.10-2.patch
9862e46c2bcbbeaba32d06d7af33b8b97fd8be5a4a35bcd70264e9913031f512  xsa304/xsa304-4.10-3.patch
b927c5b7a5dbf6260fd37ec2a594d5a0ff40b2fa78c9caaaaa59fa184c87d8d1  xsa304/xsa304-4.11-1.patch
478d7b7b27bb0a4ed874a4d6fe73282d785feed8c35f3278a07a1228d5dfad77  xsa304/xsa304-4.11-2.patch
d0e079a0af7045711a21ac52674e5821e69c370f7ef64c9ebdfc0990950f7a54  xsa304/xsa304-4.11-3.patch
4025732fd83a94c09b023f079e9b3c8399649f31e406f5f0c736a522f75fdd53  xsa304/xsa304-4.12-1.patch
2653c57fc79b98ca5cc30ceb2299d11c2ba96f4becdfb93a1cc14ca943e18420  xsa304/xsa304-4.12-2.patch
ec670ca4e3782043824e1f475ba187d89a53836d4e2ad8399daf0a91fcc747dc  xsa304/xsa304-4.12-3.patch
$

PERFORMANCE AND SAFETY CONSIDERATIONS
=====================================

Disabling executable EPT superpages does come with a performance impact,
caused by increased iTLB pressure.  The overhead will be workload and
CPU dependant.

In configurations where guest kernels are trusted not to mount a DoS
attempt, the mitigation can be turned off by booting with `ept=exec-sp`.

In configurations where the guest kernels are not trusted, users are
recommended to measure the impact to their workloads as part of deciding
between fast and secure.

On Xen 4.10 and later, a runtime decision can be made between fast and
secure by using `xl set-parameters ept=[no-]exec-sp`.

NOTE REGARDING LACK OF EMBARGO
==============================

Despite an attempt to organise predisclosure, the discoverers ultimately
did not authorise a predisclosure.
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAl82wNwMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZOdUH/31dnoTMqnZVmlq8VuWh6OqKfALTAtaRDaGJzOH/
lqPNSUOI0C0ykIzUqBxE7wtt6V3DqdYBgs76z3xxF2QVbWicArJzjMXwCsUieIjg
qP1/AmPyxiXEOxD1u5GTafd96FgTPVD14bvav+ChgSahYc+G9qUFNQ5Kg9uJT0PQ
nc7xqDpZMT68vrrSmUOwc8m+M/wHYRC5QmzAMXPK7y450fBa+4gonQkzxwyfZZhX
dmG3Mpl4mrKIZZrGpvoOzkDG0DpYU+mq0bG/f0N7i9epJhC0LoNqO7dYTdNcKTDu
t9aGaOfuSXrANUzxTgccuuWwJoHu+N6Lc9BSO0YqM6dgD7g=
=tNxw
-----END PGP SIGNATURE-----

Xenproject.org Security Team