Information

Advisory XSA-340
Public release 2020-09-22 12:00
Updated 2020-09-22 13:36
Version 3
CVE(s) CVE-2020-25603
Title Missing memory barriers when accessing/allocating an event channel

Files

advisory-340.txt (signed advisory file)
xsa340.meta
xsa340.patch

Advisory


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2020-25603 / XSA-340
                               version 3

  Missing memory barriers when accessing/allocating an event channel

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

Event channels control structures can be accessed lockless as long as the port
is considered to be valid. Such sequence is missing appropriate memory barrier
(e.g smp_*mb()) to prevent both the compiler and CPU to re-order access.

IMPACT
======

A malicious guest may be able to cause a hypervisor crash resulting in a
Denial of Service (DoS). Information leak and privilege escalation cannot be
excluded.

VULNERABLE SYSTEMS
==================

Systems running all versions of Xen are affected.  Whether a system is
vulnerable will depend on the CPU and compiler used to build Xen.

For all the systems, the presence and the scope of the vulnerability
depends on the precise re-ordering performed by the compiler used to
build Xen.

We have not been able to survey compilers; consequently we cannot say
which compiler(s) might produce vulnerable code (with which code generation
options).  GCC documentation clearly suggests that re-ordering is possible.

Arm systems will also be vulnerable if the CPU is able to re-order memory
access.  Please consult your CPU vendor.

x86 systems are only vulnerable if a compiler performs re-ordering.

MITIGATION
==========

There is no known mitigation.

CREDITS
=======

This issue was discovered by Julien Grall of Amazon.

RESOLUTION
==========

Applying the attached patch resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa340.patch           Xen 4.10 - xen-unstable

$ sha256sum xsa340*
72b75011b99e914ddb479082f88329063dcd1f55cc931059d950ecda276ee944  xsa340.meta
2bb088fcc1f8f79bf5ddb7b4e101cb1db76a343d2fb1cdafb7cd54612e4009da  xsa340.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAl9p/ecMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZaBsH/RbQVpTAfl0zd7RyKXO34WZnWsYfwC+l8erEtf51
rmETfcqQP5rjNZZKEIDWcoYbJQU1DdC5tfVarUEYbGzCxPyBXlckcNKWmIVpkWnC
i+/XBALNjErN3AoJJOc8Tb3nfOZJlRrh3PXaqFo+xOqBn2vijgQJCXlpr1yRLDov
CatUy5DWmzVWVgByrkHs9Y+hsK7hb+DzxFvNiZUE7kv8a+R3F3smNgXDe/N7AasL
ZCJNVpfJGjqpk+EnffaTti9gd2aPxxzzmsWAoiW0C/6s/eJckhj/LxF7ZG5WbuVT
inhxm6zkQwBwvSTM7GLZpOuPXPegI8/RX+fO6lqsD0bcuQo=
=J1Xd
-----END PGP SIGNATURE-----

Xenproject.org Security Team