Xen Security Advisory CVE-2020-27672 / XSA-345
version 5

x86: Race condition in Xen mapping code

UPDATES IN VERSION 5
====================

Fix some version tags.

ISSUE DESCRIPTION
=================

The Xen code handling the updating of the hypervisor's own pagetables tries to use 2MiB and 1GiB superpages as much as possible to maximize TLB efficiency. Some of the operations for checking and coalescing superpages take a non-negligible amount of time; to avoid potential lock contention, this code also tries to avoid holding locks for the entire operation.

Unfortunately, several potential race conditions were not considered; precisely-timed guest actions could potentially lead to the code writing to a page which has been freed (and thus potentially already reused).

IMPACT
======

A malicious guest can cause a host denial-of-service. Data corruption or privilege escalation cannot be ruled out.

VULNERABLE SYSTEMS
==================

Versions of Xen from at least 3.2 onward are affected.

Only x86 systems are vulnerable. ARM systems are not vulnerable.

Guests can only exercise the vulnerability if they have passed through hardware devices. Guests without passthrough configured cannot exploit the vulnerability.

Furthermore, HVM and PVH guests can only exercise the vulnerability if they are running in shadow mode, and only when running on VT-x capable hardware (as opposed to SVM). This is believed to be Intel, Centaur and Shanghai CPUs.

MITIGATION
==========

Running all guests in HVM or PVH mode, in each case with HAP enabled, prevents those guests from exploiting the vulnerability.

CREDITS
=======

This issue was discovered by Hongyan Xia of Amazon.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

Note that patches for released versions are generally prepared to apply to the stable branches, and may not apply cleanly to the most recent release tarball.
Downstreams are encouraged to update to the tip of the stable branch before applying these patches.

xsa345/*.patch           xen-unstable
xsa345-4.14/*.patch      Xen 4.14.x
xsa345-4.13/*.patch      Xen 4.13.x
xsa345-4.12/*.patch      Xen 4.12.x
xsa345-4.11/*.patch      Xen 4.11.x
xsa345-4.10/*.patch      Xen 4.10.x

$ sha256sum xsa345* xsa345*/*
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators.

But: Distribution of updated software is prohibited (except to other members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team.

(Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.)
For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy:

http://www.xenproject.org/security-policy.html
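An added, constructed C model of the race class named in the Issue Description above, not code from the advisory or from Xen itself: a page-table walker snapshots an entry under the lock, drops the lock for the slow coalescing scan, and then writes through the snapshot after a concurrent remap has freed the old page. The `recheck` variant re-validates the entry after re-taking the lock and abandons the update, illustrating the general shape of such a fix rather than the exact patch; all names and structures (`l1`, `l2`, `coalesce`, `concurrent_remap`) are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the XSA-345 pattern (not Xen's code; all names are
 * hypothetical): an entry is snapshotted under the lock, the lock is dropped
 * for slow superpage-coalescing work, then the stale snapshot is written. */
#define NENT 4
struct l1 { int freed; int pte[NENT]; };       /* leaf (L1) table         */
struct l2 { struct l1 *slot; int lock_held; }; /* one L2 entry + its lock */

static struct l1 tab_a, tab_b;
static struct l2 l2e;

/* Concurrent, guest-triggered mapping change landing in the unlocked window:
 * the L2 entry is re-pointed at a fresh leaf and the old one is freed. */
static void concurrent_remap(void) {
    struct l1 *old = l2e.slot;
    memset(&tab_b, 0, sizeof tab_b);
    l2e.slot = &tab_b;
    old->freed = 1;
}

/* 0: update applied to a live table; -1: wrote to a freed table (the
 * use-after-free); 1: entry changed underneath us, update abandoned. */
static int coalesce(int recheck) {
    l2e.lock_held = 1;
    struct l1 *seen = l2e.slot;     /* snapshot taken under the lock  */
    l2e.lock_held = 0;              /* lock dropped for the slow scan */
    int all_same = 1;
    for (int i = 1; i < NENT; i++)
        all_same &= (seen->pte[i] == seen->pte[0]);
    concurrent_remap();             /* the race window                */
    l2e.lock_held = 1;
    if (recheck && l2e.slot != seen) { l2e.lock_held = 0; return 1; }
    if (all_same) seen->pte[0] = -1;  /* write through the snapshot   */
    int rc = seen->freed ? -1 : 0;    /* detector: was that page freed? */
    l2e.lock_held = 0;
    return rc;
}

static void reset(void) { memset(&tab_a, 0, sizeof tab_a); l2e.slot = &tab_a; l2e.lock_held = 0; }
int run_unsafe(void) { reset(); return coalesce(0); }  /* returns -1 */
int run_safe(void)   { reset(); return coalesce(1); }  /* returns  1 */

int main(void) {
    printf("unsafe: %d  safe: %d\n", run_unsafe(), run_safe());
    return 0;
}
```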