-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2016-1571 / XSA-168 version 3 VMX: intercept issue with INVLPG on non-canonical address UPDATES IN VERSION 3 ==================== Public release. ISSUE DESCRIPTION ================= While INVLPG does not cause a General Protection Fault when used on a non-canonical address, INVVPID in its "individual address" variant, which is used to back the intercepted INVLPG in certain cases, fails in such cases. Failure of INVVPID results in a hypervisor bug check. IMPACT ====== A malicious guest can crash the host, leading to a Denial of Service. VULNERABLE SYSTEMS ================== Xen versions from 3.3 onwards are affected. Only systems using Intel or Cyrix CPUs are affected. ARM and AMD systems are unaffected. Only HVM guests using shadow mode paging can expose this vulnerability. PV guests, and HVM guests using Hardware Assisted Paging (also known as EPT on affected hardware), are unaffected. Note that while unsupported, guests with enabled nested virtualization are vulnerable even when using EPT. CHECKING FOR VULNERABLE CONFIGURATION ===================================== To discover whether your HVM guests are using HAP, or shadow page tables: request debug key `q' (from the Xen console, or with `xl debug-keys q'). This will print (to the console, and visible in `xl dmesg'), debug information for every domain, containing something like this: (XEN) General information for domain 2: (XEN) refcnt=1 dying=2 pause_count=2 (XEN) nr_pages=2 xenheap_pages=0 shared_pages=0 paged_pages=0 dirty_cpus={} max_pages=262400 (XEN) handle=ef58ef1a-784d-4e59-8079-42bdee87f219 vm_assist=00000000 (XEN) paging assistance: hap refcounts translate external ^^^ The presence of `hap' here indicates that the host is not vulnerable to this domain. For an HVM domain the presence of `shadow' indicates that the domain can exploit the vulnerability. Note that `General information' will also be printed for PV domains. For most PV domains there will be no `paging assistance' reported. But PV guests currently being migrated will report (XEN) paging assistance: shadow log_dirty Overall: a domain can exploit the vulnerability if this debug output contains a `paging assistance' line which reports `translate' and which does not report `hap'. MITIGATION ========== Running only PV guests will avoid this vulnerability. Running HVM guests on only AMD hardware will also avoid this vulnerability. Running HVM guests with Hardware Assisted Paging (HAP) enabled will also avoid this vulnerability. This is the default mode on hardware supporting HAP, but can be overridden by hypervisor command line option and guest configuration setting. Such overrides ("hap=0" in either case, with variants like "no-hap" being possible in the hypervisor command line case) would need to be removed to avoid this vulnerability. CREDITS ======= This issue was discovered by Jan Beulich of SUSE. RESOLUTION ========== Applying the attached patch resolves this issue. xsa168.patch xen-unstable, Xen 4.6.x, Xen 4.5.x, Xen 4.4.x, Xen 4.3.x $ sha256sum xsa168* c95198a66485d6e538d113ce2b84630d77c15f597113c38fadd6bf1e24e4c8ec xsa168.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJWn3dEAAoJEIP+FMlX6CvZLaAH/A1FzwQebCOF0MCEMcM9V/zK At3L0XG5oBiVZVpbXAfYULeKaLtTGLBXqhBJjzej0FypCvEYX6BLBITLsw7kMqoW JSYHNHlg4pLH2Wnf6i3fVC7EIHx5XNuDa8Zeyt73wEFJhVpp43PcMwMzBolTUBmP +f5WDkLYflYXv+0XiHfbBLA2fl+K+A5OdDhKgjPZJouGvdfiZxX7EChR0asmmD1i AbSZYTLGhdlSU+fvw+w2XUYSeINS1FEhsZxMbWMVuz7jmPBmOn6u8NLrBdZatYoE Z2Fly81pWD7KDwusVscoLBdmBmI1Wr3u975j5EkQLbsCTsqo5ayP3BpfsieijIg= =UJX5 -----END PGP SIGNATURE-----