Information

AdvisoryXSA-310
Public release 2019-12-11 12:00
Updated 2019-12-11 12:09
Version 3
CVE(s) CVE-2019-19580
Title Further issues with restartable PV type change operations

Files

advisory-310.txt (signed advisory file)
xsa310.meta
xsa310-4.9/0001-x86-mm-Set-old_guest_table-when-destroying-vcpu-page.patch
xsa310-4.9/0002-x86-mm-alloc-free_lN_table-Retain-partial_flags-on-E.patch
xsa310-4.9/0003-x86-mm-relinquish_memory-Grab-an-extra-type-ref-when.patch
xsa310/0001-x86-mm-Set-old_guest_table-when-destroying-vcpu-page.patch
xsa310/0002-x86-mm-alloc-free_lN_table-Retain-partial_flags-on-E.patch
xsa310/0003-x86-mm-relinquish_memory-Grab-an-extra-type-ref-when.patch

Advisory


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2019-19580 / XSA-310
                               version 3

      Further issues with restartable PV type change operations

UPDATES IN VERSION 3
====================

Public release.

Updated metadata to add 4.13, update StableRef's

ISSUE DESCRIPTION
=================

XSA-299 addressed several critical issues in restartable PV type
change operations.  Despite extensive testing and auditing, some
corner cases were missed.

IMPACT
======

A malicious PV guest administrator may be able to escalate their
privilege to that of the host.

VULNERABLE SYSTEMS
==================

All security-supported versions of Xen are vulnerable.

Only x86 systems are affected.  Arm systems are not affected.

Only x86 PV guests can leverage the vulnerability.  x86 HVM and PVH
guests cannot leverage the vulnerability.

Note that these attacks require very precise timing, which may
be difficult to exploit in practice.

MITIGATION
==========

Running only HVM or PVH guests will avoid this vulnerability.

Running PV guests in "shim" mode will also avoid this vulnerability.

CREDITS
=======

This issue was discovered by Sarah Newman at prgmr.com.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa310/*.patch           xen-unstable, Xen 4.13 - 4.10
xsa310-4.9/*.patch       Xen 4.9 - 4.8

$ sha256sum xsa310* xsa310*/*
2208e40c71aa521ae487782bd751963ce696be451d10a179fcecdff7a0065369  xsa310.meta
8e75f0fb5fe890a661c8d46ec622131bc650f1a95b170b99569b50dd2224616c  xsa310-4.9/0001-x86-mm-Set-old_guest_table-when-destroying-vcpu-page.patch
3da404a0c088936ed92377ccef1fa6fdeb23900358ca9284e3488e8e1dcb5dd2  xsa310-4.9/0002-x86-mm-alloc-free_lN_table-Retain-partial_flags-on-E.patch
cd1a77c2f767474dcfbd1e6282ad3219ce2abcac2021b040120d40b52fc76bc8  xsa310-4.9/0003-x86-mm-relinquish_memory-Grab-an-extra-type-ref-when.patch
44c670a1b1b8164202766d52fb741e62c104118525eb7a3e56f4b232bcb8be3f  xsa310/0001-x86-mm-Set-old_guest_table-when-destroying-vcpu-page.patch
173dc0ffb4c572c8493bd9d5f3309b113e51888bdc9e462c78933f5c85f69b7a  xsa310/0002-x86-mm-alloc-free_lN_table-Retain-partial_flags-on-E.patch
1833fbfc2cdea9b37f161b09df947dffdd8db5e60a2f3512913de0e0c0d4b3ef  xsa310/0003-x86-mm-relinquish_memory-Grab-an-extra-type-ref-when.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAl3w3F0MHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZ1noH/i6Sb3F6ZiaSl460OvdCRKd9lZm3ONunOH4IHuc6
+Q/G0G4b48UYfK/8FSAAjldv8tPOA5+j3GAFr2JgVtTWjP7tZyzSs0tDvn37sZrZ
D3l0AeOHxLCuSRxnoRDtpKiuJv71DrnYEfCDdc6R4DTZuciOWYpYq6PQTac5bLZX
8G5nR+33SvzdIpncvONa0Xqm1+Cgy8yOOQQJHeQvN7GJfVvs6AHepU5zuP2Ez42W
ReNA6o13xwiI8LGKvf8cV7s74JklIxR9gzkv4bBtMKInUY2loSIbKpI8E9GsVa3n
VOJ2kwKgGgszewBoVyJdGYY1ZlXeIdPjOj7+575bsRnDlGo=
=f2/B
-----END PGP SIGNATURE-----


Xenproject.org Security Team