Information

Advisory XSA-291
Public release 2019-03-05 12:00
Updated 2019-03-05 12:21
Version 2
CVE(s) none (yet) assigned
Title x86/PV: page type reference counting issue with failed IOMMU update

Files

advisory-291.txt (signed advisory file)
xsa291.meta
xsa291.patch
xsa291-4.9.patch
xsa291-4.11.patch

Advisory
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

                    Xen Security Advisory XSA-291
                              version 2

  x86/PV: page type reference counting issue with failed IOMMU update

UPDATES IN VERSION 2
====================

Metadata updated to remove dependency on XSA-283.

Public release.

ISSUE DESCRIPTION
=================

When an x86 PV domain has a passed-through PCI device assigned, IOMMU
mappings may need to be updated when the type of a particular page
changes.  Such an IOMMU operation may fail.  In the event of failure,
while at present the affected guest would be forcibly crashed, the
already recorded additional type reference was not dropped again.  This
causes a bug check to trigger while cleaning up after the crashed
guest.
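
The reference-counting mistake described above, reduced to a small self-contained model (an added illustration written for this page, not Xen's own code; `struct page`, `struct domain`, `get_page_type_buggy`, `get_page_type_fixed` and the `iommu_fail` knob are hypothetical names chosen here, not Xen identifiers). The buggy path records the extra type reference, lets the IOMMU update fail, and returns without undoing the reference; the fixed path drops it again, so the teardown invariant that every page ends with zero type references still holds after the guest is crashed.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>

/* Minimal model of a page whose type references are counted. */
struct page {
    unsigned int type_count;   /* outstanding type references on this page */
};

/* Minimal model of a domain; iommu_fail is a constructed test knob. */
struct domain {
    bool has_passthrough;      /* a PCI device is assigned, so IOMMU mappings track page type */
    bool iommu_fail;           /* force the next IOMMU mapping update to fail */
};

/* Stand-in for the IOMMU mapping update that may fail (e.g. -EIO from the driver). */
static int iommu_update(struct domain *d, struct page *pg)
{
    (void)pg;
    if (!d->has_passthrough)
        return 0;              /* no IOMMU mapping to maintain */
    return d->iommu_fail ? -1 : 0;
}

/* Buggy variant: the reference taken at the top is leaked when the IOMMU update fails. */
static int get_page_type_buggy(struct domain *d, struct page *pg)
{
    pg->type_count++;          /* record the additional type reference */
    if (iommu_update(d, pg) != 0)
        return -1;             /* BUG: the reference is not dropped again */
    return 0;
}

/* Fixed variant: undo the reference on the failure path. */
static int get_page_type_fixed(struct domain *d, struct page *pg)
{
    pg->type_count++;
    if (iommu_update(d, pg) != 0) {
        pg->type_count--;      /* drop the reference that was just recorded */
        return -1;
    }
    return 0;
}

/* Normal release of a type reference by the caller. */
static void put_page_type(struct page *pg)
{
    assert(pg->type_count > 0);
    pg->type_count--;
}

/*
 * Run one scenario and return the number of type references left on the page
 * when the domain is torn down. Teardown expects 0; anything else is the
 * condition that triggers the bug check described in the advisory.
 */
static unsigned int leftover_type_refs(int (*get_type)(struct domain *, struct page *),
                                       bool has_passthrough, bool iommu_fail)
{
    struct domain d = { .has_passthrough = has_passthrough, .iommu_fail = iommu_fail };
    struct page pg = { .type_count = 0 };

    if (get_type(&d, &pg) == 0)
        put_page_type(&pg);    /* success path: the caller releases the reference later */
    /* failure path: the guest is crashed and cleanup runs with whatever is left */
    return pg.type_count;
}

int main(void)
{
    printf("buggy, passthrough, IOMMU failure : %u leftover ref(s)\n",
           leftover_type_refs(get_page_type_buggy, true, true));
    printf("fixed, passthrough, IOMMU failure : %u leftover ref(s)\n",
           leftover_type_refs(get_page_type_fixed, true, true));
    printf("buggy, no passthrough             : %u leftover ref(s)\n",
           leftover_type_refs(get_page_type_buggy, false, true));
    return 0;
}
```

The third scenario shows why guests without an assigned device are not affected: with no IOMMU mapping to maintain, the failing branch is never reached, so even the buggy variant leaves the count balanced.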

IMPACT
======

Malicious or buggy x86 PV guest kernels can mount a Denial of Service
(DoS) attack affecting the whole system.

VULNERABLE SYSTEMS
==================

Xen versions from 4.8 onwards are vulnerable.

Only x86 systems are vulnerable.  ARM systems are not vulnerable.

Only x86 PV guests can exploit the vulnerability.  x86 HVM and PVH
guests cannot exploit the vulnerability.

Only guests which are assigned a physical device can exploit this
vulnerability.  Guests which are not assigned physical devices cannot
exploit this vulnerability.

MITIGATION
==========

Running only HVM or PVH guests avoids the vulnerability.

Not passing through PCI devices to PV guests also avoids the
vulnerability.

CREDITS
=======

This issue was discovered by Igor Druzhinin and Andrew Cooper of Citrix.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa291.patch           xen-unstable
xsa291-4.11.patch      Xen 4.11.x, Xen 4.10.x
xsa291-4.9.patch       Xen 4.9.x, Xen 4.8.x

$ sha256sum xsa291*
01883c11ae45a5771644270445e463538a61d98c66adbba852de74ccd272eae9  xsa291.meta
fb5f2a75ba113f21e9cb2dfbc22520495c69a4fef631c030a4834c680045e587  xsa291.patch
299bb4913e7ddb46ce90f415f91ee5e5480050631281c87e1a764b66fb116d89  xsa291-4.9.patch
16087ba5c59b9644f4f61c0c7fa124d9e04e88089b235aaae91daa04cdf1b8a1  xsa291-4.11.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decision-making.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAlx+aa4MHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZ7uEH+gKbe8qOoIa8/xDC1rOH5H+BNvjCSfuov4EUPsJ1
3DUPNSa3jCHTlX89+BwI+uOis3vHuQYBw/k9QYfx6nG617bu3/dUYiWlnE/DpPzm
zur3McHNigWCXOYsrNlgnOncXixJIRcIlMJNudejzaFwnW9PDA8ZZ5r3UiTLY0fT
wySjAL0cpMztmU7PfYAPib97JAM/+GHGiwjjumaaIvF3WnIADJ26HpmtiKELMwOh
7o53kTUPFutLq4McsbcrxLRhwSOsBfhPN1mb4Y0QFUP7yStFpNOmzppu8mLuewhE
+PqJ0OQqqCx8hz/3TEDO59JUlH7Iwo4B3Eykhb5BqoSQHrY=
=iq8p
-----END PGP SIGNATURE-----

Xenproject.org Security Team