Information

AdvisoryXSA-464
Public release 2024-11-12 12:00
Updated 2024-11-12 12:04
Version 2
CVE(s) CVE-2024-45819
Title libxl leaks data to PVH guests via ACPI tables

Files

advisory-464.txt (signed advisory file)
xsa464.patch

Advisory


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2024-45819 / XSA-464
                               version 2

            libxl leaks data to PVH guests via ACPI tables

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

PVH guests have their ACPI tables constructed by the toolstack.  The
construction involves building the tables in local memory, which are
then copied into guest memory.  While actually used parts of the local
memory are filled in correctly, excess space that is being allocated is
left with its prior contents.

IMPACT
======

An unprivileged guest may be able to access sensitive information
pertaining to the host, control domain, or other guests.

VULNERABLE SYSTEMS
==================

Xen versions 4.8 and onwards are vulnerable.  Xen 4.7 and older are not
vulnerable.

Only x86 systems running PVH guests are vulnerable.  Architectures other
than x86 are not vulnerable.

Only PVH guests can leverage the vulnerability.  HVM and PV guests
cannot leverage the vulnerability.  Note that PV guests when run inside
the (PVH) shim can't leverage the vulnerability.

MITIGATION
==========

Running only PV or HVM guests will avoid this vulnerability.

CREDITS
=======

This issue was discovered by Jason Andryuk of AMD.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa464.patch           xen-unstable - Xen 4.16.x

$ sha256sum xsa464*
16bca39d6136141e030276f588f1e77f634fce8301b42fb0848ddf2b611d835a  xsa464.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmczRE4MHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZTG8H+wV+jRjwQcgPa2OQBuedO8V0Lpu1DqQnANU//oZK
4p5ntCeMJ9MnMlWGZhdOAwSQNgwYf17G2DezNK0XvRacfvB0/pUTH94EmKmyRkVl
vGgs302HkNb0Il84JN/HA9TtK5+g2kSa5J5prV9tu+nGvRZ1zZPnBEFohXvXdjr7
/KGSrbHbi5+6DdBZmmEUu65PLvQAochHvQLEHpoRp0MCVE8g0FQPFikmST39TLpJ
6SFfVZjdmYfOUN1BYcH6AYCuCXZfbUOlqm9y1Z2EX6N0chQXsBDbOFx7/0ey23fw
Wy9l49G//xaTR4X4uXTRiiXC7qxpclD0VKGlHKz1AUyUw6c=
=lRfn
-----END PGP SIGNATURE-----


Xenproject.org Security Team