-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2019-17344 / XSA-290
                              version 3

       missing preemption in x86 PV page table unvalidation

UPDATES IN VERSION 3
====================

CVE assigned.

ISSUE DESCRIPTION
=================

XSA-273 changes required, among other things, making any PTE updates
restartable.  The changes making PTE updates restartable assumed that
L2 pagetables would always be promoted preemptibly; but this turns out
not to be the case when using the 'linear pagetable' feature; the
result was that interrupted operations are not handled properly in
certain cases.

Furthermore, previous security work making pagetable update
preemptible failed to account for 'linear pagetables' at L3 and L4
levels, making it possible for operations to run for longer than
acceptable times.

IMPACT
======

Malicious or buggy x86 PV guest kernels can mount a Denial of Service
(DoS) attack affecting the whole system.

VULNERABLE SYSTEMS
==================

All Xen versions are vulnerable.

Only x86 systems are affected.  ARM systems are not affected.

Only Xen versions which permit linear page table use by PV guests are
vulnerable.

Only x86 PV guests can leverage this vulnerability.  x86 HVM guests
cannot leverage this vulnerability.

MITIGATION
==========

Not permitting linear page table use by PV guests avoids the
vulnerability.  This can be done either at build time, by turning off
the PV_LINEAR_PT configure option, or at runtime, by specifying
"pv-linear-pt=0" on the hypervisor command line.  Doing so would,
however, render PV guests using the functionality, like NetBSD,
unusable.

On systems where the guest kernel is controlled by the host rather
than guest administrator, running only kernels which only issue sane
hypercalls will prevent untrusted guest users from exploiting this
issue.  However untrusted guest administrators can still trigger it
unless further steps are taken to prevent them from loading code into
the kernel (e.g. by disabling loadable modules etc) or from using
other mechanisms which allow them to run code at kernel privilege.

Running only HVM guests will avoid this vulnerability.

CREDITS
=======

This issue was discovered by Manuel Bouyer.

RESOLUTION
==========

Applying the appropriate pair of attached patches resolves this issue.

xsa290/unstable-?.patch    xen-unstable
xsa290/4.11-?.patch        Xen 4.11.x
xsa290/4.10-?.patch        Xen 4.10.x
xsa290/4.9-?.patch         Xen 4.9.x
xsa290/4.8-?.patch         Xen 4.8.x
xsa290/4.7-?.patch         Xen 4.7.x

$ sha256sum xsa290* xsa290*/*
e74014bf97f223f35dc6142fbfadd8a3df6c7ecf1818d5d04ebb717a1d600959  xsa290.meta
87ffaf9712bfd2283e845d168811e572b9ebc8a580e750128586a48e65ae4c67  xsa290/4.7-1.patch
4137eb15d963a77ff302cb65f9f04e402ea23f69042f89ece4baaf4b7a58d638  xsa290/4.7-2.patch
0f5ce8c13c99431cae69736e117c7420c3202e3a680b42a66027646ae0aa141c  xsa290/4.8-1.patch
bb4102dd6f3daf60859a88b6a2f0828bc8aeb224d3d3b6fd2d2cc96b3f131a24  xsa290/4.8-2.patch
a7e4902968529289c63149608d48e1eeac2feffa644e1337b1b5b9a624dc746d  xsa290/4.9-1.patch
7798b063a8db95fc18bca1ea25d84937fbe9c6e0add15056841fd97d5aec2885  xsa290/4.9-2.patch
3a0bf44875bb5a8525b4418d6efd49bd6ed6cfaffe669cbdcfde61a65fe9cdea  xsa290/4.10-1.patch
1e7dfe1b0c57e245daef1351db855a9312a4c225c05a6720460ea4aa1148ee22  xsa290/4.10-2.patch
3dd47f3bc1a004260d05cba548a80e475f85ffe60b663879de386e32a8e9ffbc  xsa290/4.11-1.patch
b3b17546fc553bf60572cf56023d8177f96973fcd072a8adfc622b4030e58d00  xsa290/4.11-2.patch
4ff1d857f46a781fd7483a30297ebf51bf079ccd1d598df799e5779ddc893674  xsa290/unstable-1.patch
3a85ecc426d482052aaf2a84bfde9840eb7a566638dbab042dac84b0019ca473  xsa290/unstable-2.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or the HVM-only as well as host
controlled kernel mitigations described above (or others which are
substantially similar) is permitted during the embargo, even on
public-facing systems with untrusted guest users and administrators.

HOWEVER deployment of the "pv-linear-pt=0" mitigation described above
is NOT permitted (except where all the affected systems and VMs are
administered and used only by organisations which are members of the
Xen Project Security Issues Predisclosure List).  Specifically,
deployment on public cloud systems is NOT permitted.

This is because in that case the configuration change is visible to
the guest, which could lead to the rediscovery of the vulnerability.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to
have oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:

  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAl2y19YMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZj0kIAK0GjYVugAQ4Neq0Dsr9JZFKdPCV+AiBRg2Di8ME
HvLYoMzG7OOP7L0LnyZh1qSxfCXalKuMitNhOFH4zUHIOl4XA8iSEmxKhE6aKXCu
TLngS5KCsqXb11+vDJsx7K4Z5UW7AXZwpI6jfi5nmXBEhRo9rdvO0y7I+j9x3v08
4TNSRE6lIO2OePCwOHbE9iUCHOvpldJ6PG9tDsBwsWdWgiMsPHk5XZI1Saiqa2r0
yoMD+ma6huWVph1Th+qlpjy1IORwcRp/y1OcSXzB8QX0Oz2ynaO/BZZNnm4LS3sD
Ub9BlY01fC/g1evvh97/M//D4GRP6xEe5g3n2V5drD6Zaws=
=dqbz
-----END PGP SIGNATURE-----
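As an added example, not part of the advisory or of the Xen project's own tooling, the following POSIX shell helper audits whether the "pv-linear-pt=0" runtime mitigation or the PV_LINEAR_PT build-time switch described in MITIGATION is actually in effect on a host. It assumes, beyond what the advisory states, that Xen boolean options also accept the spellings no/off/false and a "no-" prefix with the last occurrence winning, that the build option appears in a Xen .config as the Kconfig symbol CONFIG_PV_LINEAR_PT, and that `xl info` reports the hypervisor command line in its xen_commandline field. The sample command line and .config are constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example for XSA-290 (not from the advisory or the Xen project).
# Classifies a hypervisor command line and a Xen build .config by whether
# PV linear page tables are disabled, which is the mitigated state.
#
# Assumptions not stated in the advisory:
#  - Xen boolean options accept 0/no/off/false and a "no-" prefix; the
#    last occurrence on the command line wins.
#  - The build-time option is the Kconfig symbol CONFIG_PV_LINEAR_PT.
#  - `xl info` prints a "xen_commandline : ..." line.

# Print "disabled" or "enabled" for the hypervisor command line in $1.
# The option being absent means the default, which is the vulnerable
# "enabled" state, so that is what we report unless told otherwise.
linear_pt_state_from_cmdline() {
    state=enabled
    for tok in $1; do
        case "$tok" in
            pv-linear-pt=0|pv-linear-pt=no|pv-linear-pt=off|pv-linear-pt=false|no-pv-linear-pt)
                state=disabled ;;
            pv-linear-pt|pv-linear-pt=*)
                state=enabled ;;
        esac
    done
    printf '%s\n' "$state"
}

# Print "disabled", "enabled" or "unknown" for the .config file named in $1.
# "unknown" covers trees without the symbol; an auditor should treat it
# as enabled rather than as mitigated.
linear_pt_state_from_config() {
    if grep -q '^CONFIG_PV_LINEAR_PT=y' "$1"; then
        echo enabled
    elif grep -q '^# CONFIG_PV_LINEAR_PT is not set' "$1"; then
        echo disabled
    else
        echo unknown
    fi
}

# Constructed sample inputs (not taken from any real host).
SAMPLE_CMDLINE='dom0_mem=4096M pv-linear-pt=0 console=vga'
SAMPLE_CONFIG=$(mktemp)
trap 'rm -f "$SAMPLE_CONFIG"' EXIT
printf '%s\n' 'CONFIG_X86=y' '# CONFIG_PV_LINEAR_PT is not set' > "$SAMPLE_CONFIG"

# Report on the live host when xl is present, then on the samples.
audit_host() {
    if command -v xl >/dev/null 2>&1; then
        live=$(xl info 2>/dev/null | sed -n 's/^xen_commandline *: *//p')
        echo "live hypervisor: $(linear_pt_state_from_cmdline "$live")"
    fi
    echo "sample cmdline : $(linear_pt_state_from_cmdline "$SAMPLE_CMDLINE")"
    echo "sample .config : $(linear_pt_state_from_config "$SAMPLE_CONFIG")"
}

audit_host
```

The helper deliberately defaults to "enabled": the advisory makes clear that a host is vulnerable unless linear page tables are turned off, so an absent option or an unrecognised .config must never be reported as mitigated. Remember that the advisory also warns this mitigation breaks PV guests that rely on the feature (NetBSD is named), so a "disabled" verdict is only good news if no such guests run on the host.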