-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2016-4480 / XSA-176 version 3 x86 software guest page walk PS bit handling flaw UPDATES IN VERSION 3 ==================== Public release. ISSUE DESCRIPTION ================= The Page Size (PS) page table entry bit exists at all page table levels other than L1. Its meaning is reserved in L4, and conditionally reserved in L3 and L2 (depending on hardware capabilities). The software page table walker in the hypervisor, however, so far ignored that bit in L4 and (on respective hardware) L3 entries, resulting in pages to be treated as page tables which the guest OS may not have designated as such. If the page in question is writable by an unprivileged user, then that user will be able to map arbitrary guest memory. IMPACT ====== On vulnerable OSes, guest user mode code may be able to establish mappings of arbitrary memory inside the guest, allowing it to elevate its privileges inside the guest. VULNERABLE SYSTEMS ================== All Xen versions expose the vulnerability. ARM systems are not vulnerable. x86 PV guests are not vulnerable. To be vulnerable, a system must have both a vulnerable hypervisor, and a vulnerable guest operating system, i.e. ones which make non-standard use of the PS bit. We are not aware of any vulnerable guest operating systems, but we cannot rule it out. We have checked with maintainers of the following operating systems, all of whom have said that to the best of their knowledge their operating system is not vulnerable: Linux, FreeBSD, NetBSD, OpenBSD, and Solaris. Nor has it been observed in common proprietary operating systems. MITIGATION ========== Running only PV guests will avoid this issue. CREDITS ======= This issue was discovered by Jan Beulich from SUSE. RESOLUTION ========== Applying the attached patch resolves this issue. Note, however, that on hosts supporting 1Gb page mappings, for guests which get this capability hidden via CPUID override in their config file, fully correct behavior cannot be provided when using HAP paging. This is a result of hardware behavior, which software cannot mitigate. If that is a concern, such guests would need to be run in shadow paging mode. xsa176.patch xen-unstable, Xen 4.6.x, Xen 4.5.x, Xen 4.4.x, Xen 4.3.x $ sha256sum xsa176* e61c52477a8d8aa79111d686b103202ff8a558d8b3356635288c1290789b7eb3 xsa176.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJXOvhuAAoJEIP+FMlX6CvZ8JgH/A7YU+62hV5ayIx77AEwHeIJ 6nqf6B1k+Y0aEtiSbupHDIMwSw13FoR+LluaZjTXpBd251Ut1cwXkDvC6yiPHxq0 rWlb1/ka0rnOT3/rx0SgUjx02HbBzOFyyhZgR6W/gXV/S5fQhE26KbhEWvVaYCXO QeryIsi9WBV/AWbx4fis4ecREhyEWPYkJ/bQq867P6YJLXQ1btc/CyZ7ahBjna68 VB9WE8czSs2x5QjJfKad5ksRAixdvaLFtVNOhnqJuJBickO3dd/IZPRxcSmazjdl sIiSMfKU9nPb56MIgZxTWCLpvYLe8yarnvjiVOivaHl2cBT01UOjVJv/dSQEyrw= =uQdJ -----END PGP SIGNATURE-----