Information

Advisory XSA-293
Public release 2019-03-05 12:00
Updated 2019-03-05 12:24
Version 3
CVE(s) none (yet) assigned
Title x86: PV kernel context switch corruption

Files

advisory-293.txt (signed advisory file)
xsa293.meta
xsa293/4.7-1.patch
xsa293/4.7-2.patch
xsa293/4.7-3.patch
xsa293/4.8-1.patch
xsa293/4.8-2.patch
xsa293/4.8-3.patch
xsa293/4.9-1.patch
xsa293/4.9-2.patch
xsa293/4.10-1.patch
xsa293/4.10-2.patch
xsa293/4.11-1.patch
xsa293/4.11-2.patch
xsa293/unstable-1.patch
xsa293/unstable-2.patch

Advisory


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

                    Xen Security Advisory XSA-293
                              version 3

                x86: PV kernel context switch corruption

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

On hardware supporting the fsgsbase feature, 64bit PV guests can set and
clear the applicable control bit in its virtualised %cr4, but the
feature remains fully active in hardware.  Therefore, the associated
instructions are actually usable.

Linux, which does not currently support this feature, has various
optimisations in its context switch path which justifiably assume that
userspace can't actually make changes without a system call.

Xen's behaviour of having this feature active behind the guest kernel's
back undermines the correctness of any context switch logic which
depends on the feature being disabled.

Userspace can therefore corrupt fsbase or gsbase (commonly used for
Thread Local Storage) in the next thread to be scheduled on the
current vcpu.

IMPACT
======

A malicious unprivileged guest userspace process can escalate its
privilege to that of other userspace processes in the same guest, and
potentially thereby to that of the guest operating system.

Additionally, some guest software which attempts to use this CPU
feature may trigger the bug accidentally, leading to crashes or
corruption of other processes in the same guest.

VULNERABLE SYSTEMS
==================

Xen versions 4.1 and later are vulnerable.  Xen 4.0 and earlier are not
vulnerable.

Only x86 hardware with the fsgsbase feature is vulnerable.  This is
believed to be Intel IvyBridge and later hardware, and AMD Steamroller
and later hardware.

ARM hardware is not affected.

Only 64bit PV guests can exploit the vulnerability.  32bit PV guests,
and HVM/PVH guests cannot exploit the vulnerability.

Whether the bug is exploitable, and whether it will be triggered by
accident, depend in a complicated way on the guest operating system
and its configuration.  Most guests are vulnerable to malicious
userspace processes.

MITIGATION
==========

Running only 32bit PV or HVM/PVH guests will avoid this vulnerability.

CREDITS
=======

This issue was discovered by Andy Lutomirski.

RESOLUTION
==========

Applying the appropriate attached patches resolves this issue.

xsa293/unstable-?.patch         xen-unstable
xsa293/4.11-?.patch             Xen 4.11.x
xsa293/4.10-?.patch             Xen 4.10.x
xsa293/4.9-?.patch              Xen 4.9.x
xsa293/4.8-?.patch              Xen 4.8.x
xsa293/4.7-?.patch              Xen 4.7.x

$ sha256sum xsa293* xsa293*/*
27baf055642a3a7e9d2b1a961e15a46b592eca7c6f63e28e3bcb19e4cebfd0bd  xsa293.meta
865596b3dca81712a7d3d78f22e40aed1a08732f93b1950af6f092d893323a0f  xsa293/4.7-1.patch
032559c4bbdfe0987b9d3b15cf8661d8d8a5d4e2e989c944490ac171305fba3b  xsa293/4.7-2.patch
d3d91a1a5083b0a1992750b808aefacd0f0d4e7e92d1436e620a542e935cdadd  xsa293/4.7-3.patch
14b3db49375e353394b831a342d873d83615285d516f8cb08a0e1564d675cd51  xsa293/4.8-1.patch
1efc2ee18f54c7c41f478e944b3b708eb283bfa9de68a1046033d57784846c30  xsa293/4.8-2.patch
0d28899cad0e6798ae6a96717c15363ddf5a35e334ede02becdc81538ae589cc  xsa293/4.8-3.patch
b24210a74eb9dca5c7af902d223dba1b1b372df06a99fb1b0df8e92c9f9632f3  xsa293/4.9-1.patch
f68101f80d9843c1cdbb70188caec7009a0d52d33d811d22091e7c1f265a15e1  xsa293/4.9-2.patch
194e42599eac16afab14856760901705a0600c1308645495f30d30f8dd68734c  xsa293/4.10-1.patch
1fdee59bba66bd6b3ea4949913457dbcb1b8d5cb85fd8fb60aacac9a403ee9a9  xsa293/4.10-2.patch
277ba95e9a2276378fc9b3bcf89b694b9670256cde62278ade2e90d3fd5f7c46  xsa293/4.11-1.patch
724a0f433427a747876cbec09381dc1ca99286cea0ecbdd098c6e68fb135eeda  xsa293/4.11-2.patch
837eb67900a7c70cf7a00836cb312506925ca1fd29529144ff312316b0dbb086  xsa293/unstable-1.patch
0a6df8c8778a1c7e1fb71825695a86dee36f2e9345b39a06e3a364ad8b938de0  xsa293/unstable-2.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAlx+apQMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZvVkH/j+PLpdjJ172FhBC2F73PE8/ojjK4qu9pew29TmH
4YZtNEEW2+4rB+vd3Y4oYmEHZiZoxrE7v6ER5+TxeMb4M9eK9JfgT59BO98msYLJ
AMJkDw+xmRWxSf0oP8aig1Qbl3isY3Tv3Ny/KjLV33aZy0O/5Re3NnqpYRHAMDrj
wLmeBezLQbqyK4Kc9y8Io+johmnOWbQDiXFGq/Rjh4C0EDkKBTpAY2By+sHxNBMU
FCFsjxi/H25rhrYIb5DOhdlcAGxp+JrK679rKoYZP35QBQzkj3TKswfp7rmCactn
xoD9N6uO483VVD6X1LosaK9jSxmHCdaOA+uswOBrBwWBjng=
=OITY
-----END PGP SIGNATURE-----

Xenproject.org Security Team