Information

Advisory: XSA-344
Public release: 2020-09-22 12:00
Updated: 2020-09-22 13:36
Version: 4
CVE(s): CVE-2020-25601
Title: lack of preemption in evtchn_reset() / evtchn_destroy()

Files

advisory-344.txt (signed advisory file)
xsa344.meta
xsa344/xsa344-1.patch
xsa344/xsa344-2.patch
xsa344/xsa344-4.10-1.patch
xsa344/xsa344-4.10-2.patch
xsa344/xsa344-4.11-1.patch
xsa344/xsa344-4.11-2.patch
xsa344/xsa344-4.12-1.patch
xsa344/xsa344-4.12-2.patch
xsa344/xsa344-4.13-1.patch
xsa344/xsa344-4.13-2.patch

Advisory
            Xen Security Advisory CVE-2020-25601 / XSA-344
                               version 4

        lack of preemption in evtchn_reset() / evtchn_destroy()

UPDATES IN VERSION 4
====================

Public release.

ISSUE DESCRIPTION
=================

The FIFO event channel model in particular allows guests to have a large
number of event channels active at a time.  Closing all of these when
resetting all event channels or when cleaning up after the guest may
take extended periods of time.  Until now there was no provision for
preemption at suitable intervals, so a CPU could spend an almost
unbounded amount of time processing these operations.

IMPACT
======

Malicious or buggy guest kernels can mount a Denial of Service (DoS)
attack affecting the entire system.

VULNERABLE SYSTEMS
==================

All Xen versions are vulnerable in principle.  Whether versions 4.3
and older are vulnerable depends on underlying hardware characteristics.

MITIGATION
==========

The problem can be avoided by reducing the number of event channels
available to all guests to a suitably low limit.  For example, setting
"max_event_channels=256" in the xl domain configurations may be low
enough for all hardware Xen is able to run on.
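As an added example, not part of the advisory or of the Xen Project's own tooling: a small Python audit that parses xl domain configuration files and reports domains whose max_event_channels is absent or above the 256 ceiling suggested above. The sample configs are constructed, and the flat 'key = value' parser and the unmitigated() helper are assumptions made for this illustration.

```python
from typing import Dict, List, Optional

# Ceiling from the advisory's mitigation section; at or below it counts as mitigated.
RECOMMENDED_LIMIT = 256

def parse_xl_config(text: str) -> Dict[str, str]:
    """Parse the flat 'key = value' subset of an xl domain config.
    Quotes around string values are stripped; '#' starts a comment
    (simplification: '#' inside a quoted value is not supported)."""
    config: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if '=' not in line:
            continue
        key, _, value = line.partition('=')
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in '"\'':
            value = value[1:-1]
        config[key.strip()] = value
    return config

def audit_event_channel_limit(text: str, limit: int = RECOMMENDED_LIMIT) -> dict:
    """Report whether one config caps max_event_channels at or below limit.
    The value is None when the key is absent or non-numeric; the toolstack
    default then applies, so the mitigation is reported as not in place."""
    cfg = parse_xl_config(text)
    raw = cfg.get('max_event_channels')
    value: Optional[int] = int(raw) if raw is not None and raw.isdigit() else None
    return {
        'name': cfg.get('name', '<unnamed>'),
        'max_event_channels': value,
        'mitigated': value is not None and value <= limit,
    }

def unmitigated(configs: List[str], limit: int = RECOMMENDED_LIMIT) -> List[dict]:
    """Audit several configs and return only those lacking the mitigation."""
    results = (audit_event_channel_limit(c, limit) for c in configs)
    return [r for r in results if not r['mitigated']]

# Constructed sample configs (not from the advisory) so the block runs offline.
SAMPLE_CONFIGS = [
    'name = "web01"\nmemory = 2048\nmax_event_channels = 256  # XSA-344\n',
    'name = "db01"\nmemory = 4096\nmax_event_channels = 1023\n',
    'name = "build01"\nmemory = 1024\n',  # key absent: default limit applies
]

if __name__ == '__main__':
    for f in unmitigated(SAMPLE_CONFIGS):
        print(f"{f['name']}: max_event_channels={f['max_event_channels']}")
```

Point it at the contents of each file under /etc/xen/ (or wherever the domain configs live) to see which guests still need the cap before the patches are rolled out.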

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

Applying the appropriate set of attached patches resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa344/xsa344-?.patch           Xen 4.14 - xen-unstable
xsa344/xsa344-4.13-?.patch      Xen 4.13
xsa344/xsa344-4.12-?.patch      Xen 4.12
xsa344/xsa344-4.11-?.patch      Xen 4.11
xsa344/xsa344-4.10-?.patch      Xen 4.10

$ sha256sum xsa344* xsa344*/*

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decision-making.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html

Xenproject.org Security Team