            Xen Security Advisory CVE-2020-25601 / XSA-344
                               version 4

        lack of preemption in evtchn_reset() / evtchn_destroy()

UPDATES IN VERSION 4
====================

Public release.

ISSUE DESCRIPTION
=================

In particular the FIFO event channel model allows guests to have a
large number of event channels active at a time.  Closing all of these
when resetting all event channels or when cleaning up after the guest
may take extended periods of time.  So far there was no arrangement
for preemption at suitable intervals, allowing a CPU to spend an almost
unbounded amount of time in the processing of these operations.

IMPACT
======

Malicious or buggy guest kernels can mount a Denial of Service (DoS)
attack affecting the entire system.

VULNERABLE SYSTEMS
==================

All Xen versions are vulnerable in principle.  Whether versions 4.3 and
older are vulnerable depends on underlying hardware characteristics.

MITIGATION
==========

The problem can be avoided by reducing the number of event channels
available to all guests to a suitably low limit.  For example, setting
"max_event_channels=256" in the xl domain configurations may be low
enough for all hardware Xen is able to run on.

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

Applying the appropriate set of attached patches resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa344/xsa344-?.patch           Xen 4.14 - xen-unstable
xsa344/xsa344-4.13-?.patch      Xen 4.13
xsa344/xsa344-4.12-?.patch      Xen 4.12
xsa344/xsa344-4.11-?.patch      Xen 4.11
xsa344/xsa344-4.10-?.patch      Xen 4.10

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
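
One way to check that the MITIGATION above is in place on a host, as an added example (not part of the advisory and not Xen Project code): it scans xl domain configuration text for "max_event_channels" and reports guests where the limit is unset or above 256. The file names, sample contents and function names are constructed for illustration; when the key is assigned more than once, the check conservatively uses the highest value instead of relying on parser precedence.

```python
import re

# Example limit quoted in the advisory's MITIGATION section.
LIMIT = 256

# An uncommented "max_event_channels = N" line; the value may be quoted
# and may be followed by ';' or a trailing comment.
_SETTING = re.compile(
    r'^\s*max_event_channels\s*=\s*["\']?(\d+)["\']?\s*;?\s*(?:#.*)?$'
)


def highest_limit(cfg_text):
    """Return the highest max_event_channels value assigned, or None if unset."""
    values = []
    for line in cfg_text.splitlines():
        match = _SETTING.match(line)
        if match:
            values.append(int(match.group(1)))
    return max(values) if values else None


def audit(configs, limit=LIMIT):
    """Map each config name to 'ok', 'too-high' or 'unset'."""
    report = {}
    for name, text in configs.items():
        value = highest_limit(text)
        if value is None:
            report[name] = "unset"      # mitigation not applied to this guest
        elif value > limit:
            report[name] = "too-high"   # explicit limit exceeds the target
        else:
            report[name] = "ok"
    return report


# Constructed sample configs (hypothetical guests, not from the advisory).
SAMPLES = {
    "web01.cfg": 'name = "web01"\nmemory = 2048\nmax_event_channels = 256\n',
    "db01.cfg": 'name = "db01"\nmax_event_channels=4096  # raised for vifs\n',
    "build.cfg": 'name = "build"\n# max_event_channels = 128\nvcpus = 4\n',
    "ci.cfg": 'name = "ci"\nmax_event_channels = 1024\nmax_event_channels = "64"\n',
}

if __name__ == "__main__":
    for name, status in sorted(audit(SAMPLES).items()):
        print(f"{name}: {status}")
```

To run it against a real host, build the dictionary from the contents of the directory holding the xl domain configurations. The advisory asks for the limit on all guests, so "unset" counts as a finding just as "too-high" does.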