From xen-announce-bounces@lists.xenproject.org Thu Feb 11 14:36:29 2021 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 11 Feb 2021 14:36:29 +0000 Received: from list by lists.xenproject.org with outflank-mailman.83919.157222 (Exim 4.92) (envelope-from ) id 1lAD4W-0003pM-II; Thu, 11 Feb 2021 14:35:56 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 83919.157222; Thu, 11 Feb 2021 14:35:56 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1lAD4W-0003pF-Eq; Thu, 11 Feb 2021 14:35:56 +0000 Received: by outflank-mailman (input) for mailman id 83919; Thu, 11 Feb 2021 14:27:55 +0000 Received: from all-amaz-eas1.inumbo.com ([34.197.232.57] helo=us1-amaz-eas2.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1lACwl-0002q0-Si for xen-announce@lists.xenproject.org; Thu, 11 Feb 2021 14:27:55 +0000 Received: from esa3.hc3370-68.iphmx.com (unknown [216.71.145.155]) by us1-amaz-eas2.inumbo.com (Halon) with ESMTPS id f36006ec-0cd6-4407-a3e8-cfa8154b6dfb; Thu, 11 Feb 2021 14:27:49 +0000 (UTC) X-BeenThere: xen-announce@lists.xenproject.org List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-announce-bounces@lists.xenproject.org Precedence: list Sender: "Xen-announce" X-Inumbo-ID: f36006ec-0cd6-4407-a3e8-cfa8154b6dfb DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=citrix.com; s=securemail; t=1613053669; h=from:to:cc:subject:date:message-id:content-id: content-transfer-encoding:mime-version; bh=c7iwSsJTOcTGqSZjVHehbQ5NzPp/4ejwmXHlRhTugIk=; b=Jk3w5gtYZNTwH9emJUj9G+IyXwF09QGqRPjDxIAEw6Jd+n83zw+Vr7yR XNl7wK56hd6Y3r6PqfZJtpvlIXBPJqa4f1nHdFRAAD7mZcIe9HLF54FZT vSHPy5BN8+zRD9LsEDPqYlpy/m0979r9lfSLi3lOgfDpVfpMBKLfUHbNZ M=; Authentication-Results: esa3.hc3370-68.iphmx.com; dkim=pass (signature verified) header.i=@citrix.onmicrosoft.com IronPort-SDR: bZoNhGoIJ5G10Om0Wz5ZoTr8Q4THo4iJWSEF3mu2065qfUOa6OcZ7Z+t2+Rdc/Iw8sCV68tePQ ZDQt2fianuNBCjZc4Q/40dPpwdkC0wMPJO3MmKRziRmQ9Yi/5N8FPENez2d1LG9nE6cuFLvSo+ A+bhn/2xbI+DNvfDh1D+JHAvb9C3kq93BTUXzw4Yl+tH5zvfaysx+e/lFgjz6DdRi5D73jpXTE uU6071n1yeLswApBI9sGLRpYZswJ3jMoA0rzlCx44rf9OtngOOJN4vwbCS+ZZxTOdbwXauKwic Zbs= X-SBRS: 5.2 X-MesageID: 37043871 X-Ironport-Server: esa3.hc3370-68.iphmx.com X-Remote-IP: 162.221.156.83 X-Policy: $RELAYED X-IronPort-AV: E=Sophos;i="5.81,170,1610427600"; d="scan'208";a="37043871" ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=WFI5r50LCvHn8Abwu3cUoTPPoG6rGziHkzuwQ3W+zZ9tx4J02tfSFDkzQaDP/r+CPb1OyUopFrV+TJ+a4W95+I6osnEoh2omxul17oGyaEqmziU+6XM8TotkpJBs/7T8Nu8np/kGHd247ddTUPIIiEHa0bfBJeUChLaYZKCOfSakg+UOv7rJth9ZdkjeGdnL+XvbrES8jWAkFlKMqx64gl+jYG5/oC5jJ25AhQ/O0nftqWL5ys23qRQkfIKj+P/OAxhGr9YXjb0teW36XuubfFPc+0kjqR8Hk0FSQ4oJfGnXZXj1H6Au6ZzOufj3U5Quz9ezDkfiPGLl95NByjf3Jg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=c7iwSsJTOcTGqSZjVHehbQ5NzPp/4ejwmXHlRhTugIk=; b=Kf3abLoUhTgfjWzXy2h/yZ5kPyJJnGEBorvtdihEpGjfd3jHhh7tC6Wikzaze8knBMNKYqJd3UaFiuYTLn70deybvnIC5UXCpYcz3pflBv/uGppLZVb0cnVD0jkbLxEl37pyYRT7e5mF82gITE+0x+Owieds82t+5wZ529THLEJOihA+IB1pipWMNHZSlT8x3KWPrlTMyZ+KogCYF0hUh861lsqmivpJCo6lmHl15lkcZjufFd9p9Rog+pxAp4RjZBSikSnYrMoxfbL1/FnoSIEuOltO/TGXJNUtWBQa1mt8HvKX3HbBuWrf8xYaAHzYypDi9z5HzP7M7zGuc98WKg== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=citrix.onmicrosoft.com; s=selector2-citrix-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=c7iwSsJTOcTGqSZjVHehbQ5NzPp/4ejwmXHlRhTugIk=; b=LmOsoZKdWJ+mLa85rqA+lNI3AK/SVM/bPtbxPYlq+P70oKjhZ7y9qlxFJCPqUGF5JIXoPsV06kE4Z8Wpgd7Ucc4KkDbgj4usLSF0VEnaKhn8e9Zu8rLKcmZqWD6wkVEMyMaDZt8EJ5sUfq8ETnPUc8H7ZAFfhb9TmjFHSSkZV4w= From: George Dunlap To: "open list:X86" CC: "xen-announce@lists.xenproject.org" , Rachel Romoff Subject: [ANNOUNCEMENT] XenSummit VIRTUAL 2021 May 25-28 Thread-Topic: [ANNOUNCEMENT] XenSummit VIRTUAL 2021 May 25-28 Thread-Index: AQHXAIIQsLp0dQjn7UyDlp9keXk32A== Date: Thu, 11 Feb 2021 14:27:45 +0000 Message-ID: <47E402B0-306E-4433-85D2-8471EC82101E@citrix.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-mailer: Apple Mail (2.3654.20.0.2.21) x-ms-publictraffictype: Email x-ms-office365-filtering-correlation-id: d1e28a49-5eae-4420-4686-08d8ce99336e x-ms-traffictypediagnostic: PH0PR03MB5927: x-microsoft-antispam-prvs: x-ms-oob-tlc-oobclassifiers: OLM:3631; x-ms-exchange-senderadcheck: 1 x-microsoft-antispam: BCL:0; x-microsoft-antispam-message-info: 3hal7gFEms/kD8gOeLS0p7byNCqnVuTbrCpeUL8z0Qnj3ivfHo5HxaaazkgYdcXntuFiwhMDmWNsFbexohHbDjcZJs8hxCyJUEI8CiZ80m4dZ7y9SLDOjpm08PyMOYSHrAFggpaM+e4QUUF/BMWsBDKdu2p75Eu/bpoTTM0EzRnw0qJWVX2VM0zBw6lUDmSHnteqq6syxqr81FefvEsp9oE1V3H+kEmHLFC5ceS15XMz95DXqn0eVn75tul1V8r5KDNXNmJigpRXBM89M+N5GsKkfw3WkXpvqkts5hgD+GuMvv+Lgw2hCh4wOvO1FoWznmhhqTisgzvnPsRsdzcFveWE0Omjoe+bz37ii8G9ZzlzV7k6dDHEWnLII0azUP8GNXAF4QwuYCcWE+1StA6IAfnnamnWwgDwOJAACWCHz1njfQX7pu7QHgnppgvBP5b5NoB2Zk2WM75m+5cWreo9gRR9WUoaNm7j8tYA5j8VFe+527uh3DruwU88H9p4pLjYDA+9hjKTjmxJEm6y1pfUqbqdQQLh3Q7kN+ifeu2Yo5GlBllldMJ3O71Dt61BzOtweMihUijESHQrjgm/PZYLOs6EJmGYY18y0Y/RUXT90hhZUBkdNfMwQahasiy2bOo1+UFMyiu1hMro+w5wXvMMwAN1u/5A16Qv5oe/QiXm3wA= x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:PH0PR03MB5669.namprd03.prod.outlook.com;PTR:;CAT:NONE;SFS:(4636009)(136003)(346002)(366004)(396003)(376002)(39860400002)(2616005)(83380400001)(5660300002)(4744005)(966005)(91956017)(76116006)(66446008)(86362001)(66946007)(6486002)(64756008)(66556008)(66476007)(478600001)(2906002)(4326008)(6512007)(36756003)(71200400001)(8676002)(33656002)(6916009)(8936002)(26005)(186003)(6506007)(316002)(54906003)(45980500001);DIR:OUT;SFP:1101; x-ms-exchange-antispam-messagedata: =?us-ascii?Q?dI1XBY2y2UGwQkueWIElmydKGJa37z92r211+MlDSYKOjI1Xs7LK0cUQq6y4?= =?us-ascii?Q?1SNUwJw0UkuB7ZG/YFHJO3F2Li2wCsKNUiFLibIimJGPriztXmlpWIYVxCp1?= =?us-ascii?Q?yGZBa+5IkShzhvHC0c1ei32ZOr5A0KXynx5/4L6CijYLc6IK6h+u+hGnlerQ?= =?us-ascii?Q?oK17hrkTsRxKCYBm5a+Y85gi3fadPolhp+DQCgqAz68Ff8j7caek1Mj91I8b?= =?us-ascii?Q?wF6pg6YcBWYQOYP/kF3U6NipPJRC7Dq3KQbxrdk46X908guhPr04Y64yvOup?= =?us-ascii?Q?RlsR825K0XEp7if/EWEkVCRS5t11+r1SPKY9NqtwlSJZS+GslWWDBHRanLna?= =?us-ascii?Q?tsd2YO2D6XlzIN3nlwsiHwwZEBEkUvDFk/L7oDrDkzrmnDo4pSm7Qilx5R69?= =?us-ascii?Q?610EQwHlfr067W8MRQ2re6xvPIS9u12/loHqq14aGlo9rn6UHQIIPMknjwsX?= =?us-ascii?Q?eBhcmxkq1k8sbxPhB3BRiwmxaHjM/PI2fS1qEWortjEhiWELEp7Hnw0tnLpW?= =?us-ascii?Q?trkBsW78+VNmDkXx1DFfyCQQ5RoGpt0x8WQDJCVK5LekfMisdS/7aa4YBQ/M?= =?us-ascii?Q?stXydIScn6CBlA479qPrv8Lh+qT2Suel6z0GUF9///TdoUSh88KQy8ZKBY9a?= =?us-ascii?Q?3DwNwbPc+n2Q0YAvyd30q4h3HUT8SvpkBxGkcOaWiicxDECOLewiWrgqB/oV?= =?us-ascii?Q?slHXNd2gEVcEA4+0kxQXlDIjzOb9ka8qn6Uv/X72pokA5o+dIE19BHD1BlfC?= =?us-ascii?Q?hzBe1XQBTrpjsIczl16Dgk2KdZ+mFEEGLp7T6cmdtR6Jl0FIB6xh585ySL8N?= =?us-ascii?Q?Gqghm72SVIuCu/JfaWI+jQlZKwL2zPMIJ7+PsqVPDY2paoKm98ChB7jmoIl9?= =?us-ascii?Q?zYOIf4H5ZVxx0c4JUeRyNU76wO14dRSoBHo3BugNR7h2YYgpYVerH3mipLwU?= =?us-ascii?Q?rohXRAl9ucp5y+Kdl9xXoLy71vRL1zrp4LvvMoMw1VVnTpNhLUmlBuzVbOzG?= =?us-ascii?Q?vlNBATyfTHM4/Y0BFpJ8VmOPQ/cwd1qNvCj+H37dmgU5Pvd/xRhx/pga3O7o?= =?us-ascii?Q?7lWszdkyMyt9sm/4KayPoWC1yF/miJwNcGHafrfNOpd5V4VO0him1gVEPH7m?= =?us-ascii?Q?XLrmplf3/MraHyq8cIh37pxRDpy1KqkHfMlJvP3MfiVZOMhsia40MncsWFJK?= =?us-ascii?Q?cwr6WWHNhGEgXmbLSbAHA37dElm0wsjJfROD/rxUZp8zW/qmnNANHUGS+45M?= =?us-ascii?Q?orgLH8wvbeyhNEoTl7y8aOkJbMf2qiksySTroq1eGY2x2ZVOzUDchce3n0ov?= =?us-ascii?Q?LtcQLJCXwuHx4K9q6MpotAxPCBROZmLlbejDx3EmEp1emQ=3D=3D?= x-ms-exchange-transport-forked: True Content-Type: text/plain; charset="us-ascii" Content-ID: <02FA38D31C89AC428265570B6F32D8F9@namprd03.prod.outlook.com> Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-AuthSource: PH0PR03MB5669.namprd03.prod.outlook.com X-MS-Exchange-CrossTenant-Network-Message-Id: d1e28a49-5eae-4420-4686-08d8ce99336e X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Feb 2021 14:27:46.0053 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 335836de-42ef-43a2-b145-348c2ee9ca5b X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: zNvtUKR7d8sAkAbXXxC50B6iAZsP897YPj7nz7ch0nmzZ+7pshugPFiSXP+qnFzpBSVuXhwt6vWB2RK/GfjsfUWXoRWPLJG9HnsxkRBErYM= X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH0PR03MB5927 X-OriginatorOrg: citrix.com Hello everyone! Submissions are now open for The XenProject Design and Developer Summit, to= be held virtually, May 25-28. CFP closes 11:59pm PST on Friday, April 2, and notifications will be made o= n 19 April. As always, a significant chunk of time will be dedicated to attendee-submit= ted design sessions. Main event link: https://events.linuxfoundation.org/xen-summit/ CFP Link: https://events.linuxfoundation.org/xen-summit/program/cfp/ -George Dunlap= From xen-announce-bounces@lists.xenproject.org Tue Feb 16 12:36:12 2021 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 16 Feb 2021 12:36:12 +0000 Received: from list by lists.xenproject.org with outflank-mailman.85534.160457 (Exim 4.92) (envelope-from ) id 1lBzaB-0002CC-Qu; Tue, 16 Feb 2021 12:35:59 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 85534.160457; Tue, 16 Feb 2021 12:35:59 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1lBzaB-0002Bx-ME; Tue, 16 Feb 2021 12:35:59 +0000 Received: by outflank-mailman (input) for mailman id 85534; Tue, 16 Feb 2021 12:35:58 +0000 Received: from all-amaz-eas1.inumbo.com ([34.197.232.57] helo=us1-amaz-eas2.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1lBzaA-0001zb-4p for xen-announce@lists.xen.org; Tue, 16 Feb 2021 12:35:58 +0000 Received: from mail.xenproject.org (unknown [104.130.215.37]) by us1-amaz-eas2.inumbo.com (Halon) with ESMTPS id e7cbe405-2f49-4d8d-b1e0-17b00f36c61f; Tue, 16 Feb 2021 12:35:36 +0000 (UTC) Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1lBzZk-0008NO-5U; Tue, 16 Feb 2021 12:35:32 +0000 Received: from iwj by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1lBzZk-0002dG-4W; Tue, 16 Feb 2021 12:35:32 +0000 X-BeenThere: xen-announce@lists.xenproject.org List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-announce-bounces@lists.xenproject.org Precedence: list Sender: "Xen-announce" X-Inumbo-ID: e7cbe405-2f49-4d8d-b1e0-17b00f36c61f DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:CC:From:To:MIME-Version: Content-Transfer-Encoding:Content-Type; bh=6tV55iGlOj7+xKBOO1uuq23eO+x9bBJGrqnaJXGM2+U=; b=roUx5Vw3x3kv1tIxON22i8ODSL MsKzPjCaj+6V9eQ8nrLYY4nOCpHM789U9I2GXZR4Pzx3QDB99QDFDwUCtg1m0/ShnLcSmp+Douwsi zEYJDCmJqNDdvdWN5BUUOGSds7M2oo9OFj+OwoRAzEyJ7NYSvexCbsO6z6mKFGcGXsTs=; Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.509 (Entity 5.509) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team CC: Xen.org security team Subject: Xen Security Advisory 365 v3 (CVE-2021-26930) - Linux: error handling issues in blkback's grant mapping Message-Id: Date: Tue, 16 Feb 2021 12:35:32 +0000 --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory CVE-2021-26930 / XSA-365 version 3 Linux: error handling issues in blkback's grant mapping UPDATES IN VERSION 3 ==================== Public release. ISSUE DESCRIPTION ================= To service requests, the driver maps grant references provided by the frontend. In this process, errors may be encountered. In one case an error encountered earlier might be discarded by later processing, resulting in the caller assuming successful mapping, and hence subsequent operations trying to access space that wasn't mapped. In another case internal state would be insufficiently updated, preventing safe recovery from the error. IMPACT ====== A malicious or buggy frontend driver may be able to crash the corresponding backend driver, potentially affecting the entire domain running the backend driver. In configurations without driver domains or similar disaggregation, that is a host-wide denial of sevice. Privilege escalation and information leaks cannot be ruled out. VULNERABLE SYSTEMS ================== Linux versions from at least 3.11 onwards are vulnerable. MITIGATION ========== Reconfiguring guests to use alternative (e.g. qemu-based) backends may avoid the vulnerability. CREDITS ======= This issue was discovered by Olivier Benjamin, Norbert Manthey, Martin Mazein, and Jan H. Schönherr, all from Amazon. RESOLUTION ========== Applying the attached patch resolves this issue. xsa365-linux.patch Linux 5.11-rc - 5.10 $ sha256sum xsa365* 7e45fcf3c70eb40debe9997a1773de7c4a2edcde5c23f76aeb5c1b6e3a34a654 xsa365-linux.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. HOWEVER, deployment of the non-kernel-based backends mitigation described above is NOT permitted during the embargo on public-facing systems with untrusted guest users and administrators. This is because such a configuration change may be recognizable by the affected guests. AND: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmAru/UMHHBncEB4ZW4u b3JnAAoJEIP+FMlX6CvZnpQH/jMHOQao08C5s4VlCUIDJTJ8AZXIjFKW2zOKBqt5 Gp7HiRZSLKa2s/dqxIdiVHTnMzGyFegfzK0AeLjLeftSbOANSvI9tx/S6ajOr6Mx s5j0r2JzCBsh1bULJbRV7MBVaRqyOR77i3sREu7o0uuRxMd0RNnck7rVm0slmG1P FoFfC2tF+gxnYZi8tpBS4aY/e3tZ4y+J6s0Fgyfln4p33/j1JwILzzYscGnRdDvG 31DnotOq3E+TqcTZRK4BrLJqZodZLsd9en1DriJj2dDqrobs6QS4sZkHKX20gcxC RnGvkdHXI+u/du6qpb3GHep2F5pg5+2vMzBNvxxBjr8vmi4= =HBCB -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa365-linux.patch" Content-Disposition: attachment; filename="xsa365-linux.patch" Content-Transfer-Encoding: base64 RnJvbTogSmFuIEJldWxpY2ggPGpiZXVsaWNoQHN1c2UuY29tPgpTdWJqZWN0 OiB4ZW4tYmxrYmFjazogZml4IGVycm9yIGhhbmRsaW5nIGluIHhlbl9ibGti a19tYXAoKQoKVGhlIGZ1bmN0aW9uIHVzZXMgYSBnb3RvLWJhc2VkIGxvb3As IHdoaWNoIG1heSBsZWFkIHRvIGFuIGVhcmxpZXIgZXJyb3IKZ2V0dGluZyBk aXNjYXJkZWQgYnkgYSBsYXRlciBpdGVyYXRpb24uIEV4aXQgdGhpcyBhZC1o b2MgbG9vcCB3aGVuIGFuCmVycm9yIHdhcyBlbmNvdW50ZXJlZC4KClRoZSBv dXQtb2YtbWVtb3J5IGVycm9yIHBhdGggYWRkaXRpb25hbGx5IGZhaWxzIHRv IGZpbGwgYSBzdHJ1Y3R1cmUKZmllbGQgbG9va2VkIGF0IGJ5IHhlbl9ibGti a191bm1hcF9wcmVwYXJlKCkgYmVmb3JlIGluc3BlY3RpbmcgdGhlCmhhbmRs ZSB3aGljaCBkb2VzIGdldCBwcm9wZXJseSBzZXQgKHRvIEJMS0JBQ0tfSU5W QUxJRF9IQU5ETEUpLgoKU2luY2UgdGhlIGVhcmxpZXIgZXhpdGluZyBmcm9t IHRoZSBhZC1ob2MgbG9vcCByZXF1aXJlcyB0aGUgc2FtZSBmaWVsZApmaWxs aW5nIChpbnZhbGlkYXRpb24pIGFzIHRoYXQgb24gdGhlIG91dC1vZi1tZW1v cnkgcGF0aCwgZm9sZCBib3RoCnBhdGhzLiBXaGlsZSBkb2luZyBzbywgZHJv cCB0aGUgcHJfYWxlcnQoKSwgYXMgZXh0cmEgbG9nIG1lc3NhZ2VzIGFyZW4n dApnb2luZyB0byBoZWxwIHRoZSBzaXR1YXRpb24gKHRoZSBrZXJuZWwgd2ls bCBsb2cgb29tIGNvbmRpdGlvbnMgYWxyZWFkeQphbnl3YXkpLgoKVGhpcyBp cyBYU0EtMzY1LgoKUmVwb3J0ZWQtYnk6IEJqb2VybiBEb2ViZWwgPGRvZWJl bEBhbWF6b24uZGU+ClNpZ25lZC1vZmYtYnk6IEphbiBCZXVsaWNoIDxqYmV1 bGljaEBzdXNlLmNvbT4KUmV2aWV3ZWQtYnk6IEp1ZXJnZW4gR3Jvc3MgPGpn cm9zc0BzdXNlLmNvbT4KUmV2aWV3ZWQtYnk6IEp1bGllbiBHcmFsbCA8anVs aWVuQHhlbi5vcmc+Ci0tLQp2MjogQXZvaWQgb3ZlcndyaXRpbmcgdmFsaWQg LT5wZXJzaXN0ZW50X2dudCBmaWVsZHMuCgotLS0gYS9kcml2ZXJzL2Jsb2Nr L3hlbi1ibGtiYWNrL2Jsa2JhY2suYworKysgYi9kcml2ZXJzL2Jsb2NrL3hl bi1ibGtiYWNrL2Jsa2JhY2suYwpAQCAtNzk0LDggKzc5NCwxMyBAQCBhZ2Fp bjoKIAkJCXBhZ2VzW2ldLT5wZXJzaXN0ZW50X2dudCA9IHBlcnNpc3RlbnRf Z250OwogCQl9IGVsc2UgewogCQkJaWYgKGdudHRhYl9wYWdlX2NhY2hlX2dl dCgmcmluZy0+ZnJlZV9wYWdlcywKLQkJCQkJCSAgJnBhZ2VzW2ldLT5wYWdl KSkKLQkJCQlnb3RvIG91dF9vZl9tZW1vcnk7CisJCQkJCQkgICZwYWdlc1tp XS0+cGFnZSkpIHsKKwkJCQlnbnR0YWJfcGFnZV9jYWNoZV9wdXQoJnJpbmct PmZyZWVfcGFnZXMsCisJCQkJCQkgICAgICBwYWdlc190b19nbnQsCisJCQkJ CQkgICAgICBzZWdzX3RvX21hcCk7CisJCQkJcmV0ID0gLUVOT01FTTsKKwkJ CQlnb3RvIG91dDsKKwkJCX0KIAkJCWFkZHIgPSB2YWRkcihwYWdlc1tpXS0+ cGFnZSk7CiAJCQlwYWdlc190b19nbnRbc2Vnc190b19tYXBdID0gcGFnZXNb aV0tPnBhZ2U7CiAJCQlwYWdlc1tpXS0+cGVyc2lzdGVudF9nbnQgPSBOVUxM OwpAQCAtODgwLDE3ICs4ODUsMTggQEAgbmV4dDoKIAl9CiAJc2Vnc190b19t YXAgPSAwOwogCWxhc3RfbWFwID0gbWFwX3VudGlsOwotCWlmIChtYXBfdW50 aWwgIT0gbnVtKQorCWlmICghcmV0ICYmIG1hcF91bnRpbCAhPSBudW0pCiAJ CWdvdG8gYWdhaW47CiAKLQlyZXR1cm4gcmV0OwotCi1vdXRfb2ZfbWVtb3J5 OgotCXByX2FsZXJ0KCIlczogb3V0IG9mIG1lbW9yeVxuIiwgX19mdW5jX18p OwotCWdudHRhYl9wYWdlX2NhY2hlX3B1dCgmcmluZy0+ZnJlZV9wYWdlcywg cGFnZXNfdG9fZ250LCBzZWdzX3RvX21hcCk7Ci0JZm9yIChpID0gbGFzdF9t YXA7IGkgPCBudW07IGkrKykKK291dDoKKwlmb3IgKGkgPSBsYXN0X21hcDsg aSA8IG51bTsgaSsrKSB7CisJCS8qIERvbid0IHphcCBjdXJyZW50IGJhdGNo J3MgdmFsaWQgcGVyc2lzdGVudCBncmFudHMuICovCisJCWlmKGkgPj0gbGFz dF9tYXAgKyBzZWdzX3RvX21hcCkKKwkJCXBhZ2VzW2ldLT5wZXJzaXN0ZW50 X2dudCA9IE5VTEw7CiAJCXBhZ2VzW2ldLT5oYW5kbGUgPSBCTEtCQUNLX0lO VkFMSURfSEFORExFOwotCXJldHVybiAtRU5PTUVNOworCX0KKworCXJldHVy biByZXQ7CiB9CiAKIHN0YXRpYyBpbnQgeGVuX2Jsa2JrX21hcF9zZWcoc3Ry dWN0IHBlbmRpbmdfcmVxICpwZW5kaW5nX3JlcSkK --=separator-- From xen-announce-bounces@lists.xenproject.org Tue Feb 16 12:36:12 2021 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 16 Feb 2021 12:36:12 +0000 Received: from list by lists.xenproject.org with outflank-mailman.85530.160406 (Exim 4.92) (envelope-from ) id 1lBza4-00023y-ER; Tue, 16 Feb 2021 12:35:52 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 85530.160406; Tue, 16 Feb 2021 12:35:52 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1lBza4-00023n-A8; Tue, 16 Feb 2021 12:35:52 +0000 Received: by outflank-mailman (input) for mailman id 85530; Tue, 16 Feb 2021 12:35:50 +0000 Received: from us1-rack-iad1.inumbo.com ([172.99.69.81]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1lBza2-0001zG-Pk for xen-announce@lists.xen.org; Tue, 16 Feb 2021 12:35:50 +0000 Received: from mail.xenproject.org (unknown [104.130.215.37]) by us1-rack-iad1.inumbo.com (Halon) with ESMTPS id cc82297d-811e-47da-95c3-8465355eaf5e; Tue, 16 Feb 2021 12:35:35 +0000 (UTC) Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1lBzZi-0008Mx-Q1; Tue, 16 Feb 2021 12:35:30 +0000 Received: from iwj by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1lBzZi-0002bO-P6; Tue, 16 Feb 2021 12:35:30 +0000 X-BeenThere: xen-announce@lists.xenproject.org List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-announce-bounces@lists.xenproject.org Precedence: list Sender: "Xen-announce" X-Inumbo-ID: cc82297d-811e-47da-95c3-8465355eaf5e DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:CC:From:To:MIME-Version: Content-Transfer-Encoding:Content-Type; bh=CNx9HA2TuAgcqoV4Hd77YdCoDcvs1DeLFjIGIr9cIf8=; b=VNhge+CiWitYtuDMDdiguZfn3B obUidPsr5cz3im2ad4rV5YsGbjJbYFE5FYlUnP8elWnZbO9bjGekvUFcfkltrDh9aipBXOd65NcP0 j4WJcnoja+Yva7WGZjdXG/fdKbPHTdz3VuXv+wY+CqwcQZprR16SROClEB74DU33CmgQ=; Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.509 (Entity 5.509) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team CC: Xen.org security team Subject: Xen Security Advisory 363 v3 (CVE-2021-26934) - Linux: display frontend "be-alloc" mode is unsupported Message-Id: Date: Tue, 16 Feb 2021 12:35:30 +0000 --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory CVE-2021-26934 / XSA-363 version 3 Linux: display frontend "be-alloc" mode is unsupported UPDATES IN VERSION 3 ==================== Public release. ISSUE DESCRIPTION ================= The backend allocation mode of Linux'es drm_xen_front drivers was not meant to be a supported configuration, but this wasn't stated accordingly in its support status entry. IMPACT ====== Use of the feature may have unknown effects. VULNERABLE SYSTEMS ================== Linux versions from 4.18 onwards are affected. Earlier Linux versions do not provide the affected driver. MITIGATION ========== Not using the driver or its backend allocation mode will avoid the vulnerability. CREDITS ======= This issue was discovered by Jan Beulich of SUSE. RESOLUTION ========== Applying the attached patch documents the situation. The patch does not fix any security issues. xsa363.patch xen-unstable $ sha256sum xsa363* cf2f2eff446aec625b19d9d01301ec66098b58b792d74012235f10c62a21bb68 xsa363.patch $ -----BEGIN PGP SIGNATURE----- iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmAru/UMHHBncEB4ZW4u b3JnAAoJEIP+FMlX6CvZSocH/3jAI0MeZtnhvuyOM4CxkNmr0fI4HIXnA1xGNhWY Wa2WgtOuFVaPUFX1Tj/e6zCoibatl1gicETI9hL+w4Dg6/GzIeTogOuzv5D6Ux91 9a6n2tryFfSAs0OxTKq6etLv63VEEicYMHrZT8n700JFvJsAWYAMvuanMDknGxBP 5/Z+DASnZxT09cpvP4REKuG7rW9vIif+6EZ0T0kU87InouDts/YOhzNsdvBD1wKH y5e/MZh2sOyMOovuhgbvoK+YezHTAcZeGWnUk3yQoTGnW3p+W9XZVURsc8/e2FbZ heY3Tj918LsY50wGpMZ2PDoHC8PSHaUqEOTq0MPmnPlppvU= =tJD0 -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa363.patch" Content-Disposition: attachment; filename="xsa363.patch" Content-Transfer-Encoding: base64 RnJvbTogSmFuIEJldWxpY2ggPGpiZXVsaWNoQHN1c2UuY29tPgpTdWJqZWN0 OiBTVVBQT1JULm1kOiBQViBkaXNwbGF5IGZyb250ZW5kIGlzIHVuc3VwcG9y dGVkIGluICJiYWNrZW5kIGFsbG9jYXRpb24iIG1vZGUKClRoaXMgd2Fzbid0 IG1lYW50IHRvIGJlIHN1cHBvcnRlZCwgYnV0IHdhc24ndCBzdGF0ZWQgdGhp cyB3YXkuCgpUaGlzIGlzIFhTQS0zNjMuCgpSZXBvcnRlZC1ieTogSmFuIEJl bGljaCA8amJldWxpY2hAc3VzZS5jb20+ClNpZ25lZC1vZmYtYnk6IEphbiBC ZXVsaWNoIDxqYmV1bGljaEBzdXNlLmNvbT4KCi0tLSBhL1NVUFBPUlQubWQK KysrIGIvU1VQUE9SVC5tZApAQCAtNDE0LDcgKzQxNCw4IEBAIEd1ZXN0LXNp ZGUgZHJpdmVyIGNhcGFibGUgb2Ygc3BlYWtpbmcgdGgKIAogR3Vlc3Qtc2lk ZSBkcml2ZXIgY2FwYWJsZSBvZiBzcGVha2luZyB0aGUgWGVuIFBWIGRpc3Bs YXkgcHJvdG9jb2wKIAotICAgIFN0YXR1cywgTGludXg6IFN1cHBvcnRlZAor ICAgIFN0YXR1cywgTGludXg6IFN1cHBvcnRlZCAob3V0c2lkZSBvZiAiYmFj a2VuZCBhbGxvY2F0aW9uIiBtb2RlKQorICAgIFN0YXR1cywgTGludXg6IEV4 cGVyaW1lbnRhbCAoaW4gImJhY2tlbmQgYWxsb2NhdGlvbiIgbW9kZSkKIAog IyMjIFBWIENvbnNvbGUgKGZyb250ZW5kKQogCg== --=separator-- From xen-announce-bounces@lists.xenproject.org Tue Feb 16 12:36:12 2021 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 16 Feb 2021 12:36:12 +0000 Received: from list by lists.xenproject.org with outflank-mailman.85540.160499 (Exim 4.92) (envelope-from ) id 1lBzaJ-0002Og-75; Tue, 16 Feb 2021 12:36:07 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 85540.160499; Tue, 16 Feb 2021 12:36:07 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1lBzaJ-0002OP-0b; Tue, 16 Feb 2021 12:36:07 +0000 Received: by outflank-mailman (input) for mailman id 85540; Tue, 16 Feb 2021 12:36:05 +0000 Received: from us1-rack-iad1.inumbo.com ([172.99.69.81]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1lBzaH-0001zG-QQ for xen-announce@lists.xen.org; Tue, 16 Feb 2021 12:36:05 +0000 Received: from mail.xenproject.org (unknown [104.130.215.37]) by us1-rack-iad1.inumbo.com (Halon) with ESMTPS id 64ffd9fb-5b5f-406e-9569-84fe0147aac7; Tue, 16 Feb 2021 12:35:34 +0000 (UTC) Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1lBzZh-0008Mj-8f; Tue, 16 Feb 2021 12:35:29 +0000 Received: from iwj by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1lBzZh-0002ZO-3z; Tue, 16 Feb 2021 12:35:29 +0000 X-BeenThere: xen-announce@lists.xenproject.org List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-announce-bounces@lists.xenproject.org Precedence: list Sender: "Xen-announce" X-Inumbo-ID: 64ffd9fb-5b5f-406e-9569-84fe0147aac7 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:CC:From:To:MIME-Version: Content-Transfer-Encoding:Content-Type; bh=6uIFfku8/Q5IsCoK+QTF4nmrkhXMtquEX3JaPS97YIU=; b=bDZA++vMBKc3gSRgVHpMDYWhO6 a53h5gkN/Mu4INhupxvR4tjZNbkCU5xxc3by3YuhgFlU4ZuYvxfBO3WrHXXNTrSrmxQJavmiQhG4D gPwrhsRPEY7e7CMImoH5qAIWoeh59TPhU8+VouZK4Tu9liTXg5qO6UH9yomsgTpaaZ9o=; Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.509 (Entity 5.509) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team CC: Xen.org security team Subject: Xen Security Advisory 361 v4 (CVE-2021-26932) - Linux: grant mapping error handling issues Message-Id: Date: Tue, 16 Feb 2021 12:35:29 +0000 --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory CVE-2021-26932 / XSA-361 version 4 Linux: grant mapping error handling issues UPDATES IN VERSION 4 ==================== Public release. ISSUE DESCRIPTION ================= Grant mapping operations often occur in batch hypercalls, where a number of operations are done in a single hypercall, the success or failure of each one reported to the backend driver, and the backend driver then loops over the results, performing follow-up actions based on the success or failure of each operation. Unfortunately, when running in PV mode, the Linux backend drivers mishandle this: Some errors are ignored, effectively implying their success from the success of related batch elements. In other cases, errors resulting from one batch element lead to further batch elements not being inspected, and hence successful ones to not be possible to properly unmap upon error recovery. IMPACT ====== A malicious or buggy frontend driver may be able to crash the corresponding backend driver, causing a denial of service potentially affecting the entire domain running the backend driver. A malicious or buggy frontend driver may be able to cause resource leaks in the domain running the corresponding backend driver, leading to a denial of service. VULNERABLE SYSTEMS ================== All Linux versions back to at least 3.2 are vulnerable, when running in PV mode on x86 or when running on Arm. On x86, only systems with Linux backends running in PV mode are vulnerable. Linux backends run in HVM / PVH modes are not vulnerable. MITIGATION ========== On x86, running the backends in HVM or PVH domains will avoid the vulnerability. For protocols where other, e.g. non-kernel-based backends are available, reconfiguring guests to use alternative (e.g. qemu-based) backends may allow to avoid the vulnerability as long as these backends don't rely on similar functionality provided by the xen-gntdev (/dev/gntdev) driver. In all other cases there is no known mitigation. CREDITS ======= This issue was discovered by Jan Beulich of SUSE. RESOLUTION ========== Applying the attached patches resolves this issue. xsa361-linux-1.patch Linux 5.11-rc - 3.19 xsa361-linux-2.patch Linux 5.11-rc - 3.15 xsa361-linux-3.patch Linux 5.11-rc - 4.19 xsa361-linux-4.patch Linux 5.11-rc - 4.19 xsa361-linux-5.patch Linux 5.11-rc - 4.4 $ sha256sum xsa361* bb00ab6319b4fc536566af50c73e064f10f8b99eaa6b0f0b35a8d174c285a905 xsa361-linux-1.patch 73b6a54aa3773ce11f0de6b9aa1d80dd7f4c297dc71924b1a3886bc3b99ac859 xsa361-linux-2.patch 8e554cfab8cdb4fe1b74601a9432ea4c570f74a952ad757f9294ba1666cbeaea xsa361-linux-3.patch 8c290895d10fc148f99e2a6587811b3037f29c3a0201d69d448ff520cea6f96d xsa361-linux-4.patch 231ae3e1b9bec1b75dbbbee4b5acff620ef7ac2853332aa7b3c4957c6ca7f341 xsa361-linux-5.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. Deployment of the mitigation to switch to HVM / PVH backend domains is also permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. HOWEVER, deployment of the non-kernel-based backends mitigation described above is NOT permitted during the embargo on public-facing systems with untrusted guest users and administrators. This is because such a configuration change may be recognizable by the affected guests. AND: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmAru/QMHHBncEB4ZW4u b3JnAAoJEIP+FMlX6CvZmFkH/Ay1RoZbbcA4ywdhy9xdnpt0DHMFLjZSbE4sNTi+ J+m9rn69UTK01VDD0RUohTcmWO0nv8ZD+jKETsSq31GiYhVk7XnSmCJkzILGujr8 cf+7jUWWJPcqBmN7xcLBaor9lhpKfMpYlMLBG7twIRHfqOSw6Sm+iD4YC23nkGKF Cb8tpkYCpX3dPMMP74nX00Wta2rqd1BrpAGvAnt9hrHIBfTcpwWE8A4H1eFL/7Dv 5+pVvrSMkyzaR5kI/QBeriXsuOP509CiafUBpeXU85pGWpLgZAqD+puodEVQ2fpT /MqATdNRhgnCzqSqh/ElN/1ZdB7406DbdCnErJiyDdN/OCE= =DUXr -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa361-linux-1.patch" Content-Disposition: attachment; filename="xsa361-linux-1.patch" Content-Transfer-Encoding: base64 RnJvbTogSmFuIEJldWxpY2ggPGpiZXVsaWNoQHN1c2UuY29tPgpTdWJqZWN0 OiBYZW4veDg2OiBkb24ndCBiYWlsIGVhcmx5IGZyb20gY2xlYXJfZm9yZWln bl9wMm1fbWFwcGluZygpCgpJdHMgc2libGluZyAoc2V0X2ZvcmVpZ25fcDJt X21hcHBpbmcoKSkgYXMgd2VsbCBhcyB0aGUgc2libGluZyBvZiBpdHMKb25s eSBjYWxsZXIgKGdudHRhYl9tYXBfcmVmcygpKSBkb24ndCBjbGVhbiB1cCBh ZnRlciB0aGVtc2VsdmVzIGluIGNhc2UKb2YgZXJyb3IuIEhpZ2hlciBsZXZl bCBjYWxsZXJzIGFyZSBleHBlY3RlZCB0byBkbyBzby4gSG93ZXZlciwgaW4g b3JkZXIKZm9yIHRoYXQgdG8gcmVhbGx5IGNsZWFuIHVwIGFueSBwYXJ0aWFs bHkgc2V0IHVwIHN0YXRlLCB0aGUgb3BlcmF0aW9uCnNob3VsZCBub3QgdGVy bWluYXRlIHVwb24gZW5jb3VudGVyaW5nIGFuIGVudHJ5IGluIHVuZXhwZWN0 ZWQgc3RhdGUuIEl0CmlzIHBhcnRpY3VsYXJseSByZWxldmFudCB0byBub3Rp Y2UgaGVyZSB0aGF0IHNldF9mb3JlaWduX3AybV9tYXBwaW5nKCkKd291bGQg c2tpcCBzZXR0aW5nIHVwIGEgcDJtIGVudHJ5IGlmIGl0cyBncmFudCBtYXBw aW5nIGZhaWxlZCwgYnV0IGl0CndvdWxkIGNvbnRpbnVlIHRvIHNldCB1cCBm dXJ0aGVyIHAybSBlbnRyaWVzIGFzIGxvbmcgYXMgdGhlaXIgbWFwcGluZ3MK c3VjY2VlZGVkLgoKQXJndWFibHkgZG93biB0aGUgcm9hZCBzZXRfZm9yZWln bl9wMm1fbWFwcGluZygpIG1heSB3YW50IGl0cyBwYWdlIHN0YXRlCnJlbGF0 ZWQgV0FSTl9PTigpIGFsc28gY29udmVydGVkIHRvIGFuIGVycm9yIHJldHVy bi4KClRoaXMgaXMgcGFydCBvZiBYU0EtMzYxLgoKU2lnbmVkLW9mZi1ieTog SmFuIEJldWxpY2ggPGpiZXVsaWNoQHN1c2UuY29tPgpDYzogc3RhYmxlQHZn ZXIua2VybmVsLm9yZwpSZXZpZXdlZC1ieTogSnVlcmdlbiBHcm9zcyA8amdy b3NzQHN1c2UuY29tPgoKLS0tIGEvYXJjaC94ODYveGVuL3AybS5jCisrKyBi L2FyY2gveDg2L3hlbi9wMm0uYwpAQCAtNzUwLDE3ICs3NTAsMTUgQEAgaW50 IGNsZWFyX2ZvcmVpZ25fcDJtX21hcHBpbmcoc3RydWN0IGdudAogCQl1bnNp Z25lZCBsb25nIG1mbiA9IF9fcGZuX3RvX21mbihwYWdlX3RvX3BmbihwYWdl c1tpXSkpOwogCQl1bnNpZ25lZCBsb25nIHBmbiA9IHBhZ2VfdG9fcGZuKHBh Z2VzW2ldKTsKIAotCQlpZiAobWZuID09IElOVkFMSURfUDJNX0VOVFJZIHx8 ICEobWZuICYgRk9SRUlHTl9GUkFNRV9CSVQpKSB7CisJCWlmIChtZm4gIT0g SU5WQUxJRF9QMk1fRU5UUlkgJiYgKG1mbiAmIEZPUkVJR05fRlJBTUVfQklU KSkKKwkJCXNldF9waHlzX3RvX21hY2hpbmUocGZuLCBJTlZBTElEX1AyTV9F TlRSWSk7CisJCWVsc2UKIAkJCXJldCA9IC1FSU5WQUw7Ci0JCQlnb3RvIG91 dDsKLQkJfQotCi0JCXNldF9waHlzX3RvX21hY2hpbmUocGZuLCBJTlZBTElE X1AyTV9FTlRSWSk7CiAJfQogCWlmIChrdW5tYXBfb3BzKQogCQlyZXQgPSBI WVBFUlZJU09SX2dyYW50X3RhYmxlX29wKEdOVFRBQk9QX3VubWFwX2dyYW50 X3JlZiwKLQkJCQkJCWt1bm1hcF9vcHMsIGNvdW50KTsKLW91dDoKKwkJCQkJ CWt1bm1hcF9vcHMsIGNvdW50KSA/OiByZXQ7CisKIAlyZXR1cm4gcmV0Owog fQogRVhQT1JUX1NZTUJPTF9HUEwoY2xlYXJfZm9yZWlnbl9wMm1fbWFwcGlu Zyk7Cg== --=separator Content-Type: application/octet-stream; name="xsa361-linux-2.patch" Content-Disposition: attachment; filename="xsa361-linux-2.patch" Content-Transfer-Encoding: base64 RnJvbTogSmFuIEJldWxpY2ggPGpiZXVsaWNoQHN1c2UuY29tPgpTdWJqZWN0 OiBYZW4veDg2OiBhbHNvIGNoZWNrIGtlcm5lbCBtYXBwaW5nIGluIHNldF9m b3JlaWduX3AybV9tYXBwaW5nKCkKCldlIHNob3VsZCBub3Qgc2V0IHVwIGZ1 cnRoZXIgc3RhdGUgaWYgZWl0aGVyIG1hcHBpbmcgZmFpbGVkOyBwYXlpbmcK YXR0ZW50aW9uIHRvIGp1c3QgdGhlIHVzZXIgbWFwcGluZydzIHN0YXR1cyBp c24ndCBlbm91Z2guCgpBbHNvIHVzZSBHTlRTVF9va2F5IGluc3RlYWQgb2Yg aW1wbHlpbmcgaXRzIHZhbHVlICh6ZXJvKS4KClRoaXMgaXMgcGFydCBvZiBY U0EtMzYxLgoKU2lnbmVkLW9mZi1ieTogSmFuIEJldWxpY2ggPGpiZXVsaWNo QHN1c2UuY29tPgpDYzogc3RhYmxlQHZnZXIua2VybmVsLm9yZwpSZXZpZXdl ZC1ieTogSnVlcmdlbiBHcm9zcyA8amdyb3NzQHN1c2UuY29tPgoKLS0tIGEv YXJjaC94ODYveGVuL3AybS5jCisrKyBiL2FyY2gveDg2L3hlbi9wMm0uYwpA QCAtNzEyLDcgKzcxMiw4IEBAIGludCBzZXRfZm9yZWlnbl9wMm1fbWFwcGlu ZyhzdHJ1Y3QgZ250dGEKIAkJdW5zaWduZWQgbG9uZyBtZm4sIHBmbjsKIAog CQkvKiBEbyBub3QgYWRkIHRvIG92ZXJyaWRlIGlmIHRoZSBtYXAgZmFpbGVk LiAqLwotCQlpZiAobWFwX29wc1tpXS5zdGF0dXMpCisJCWlmIChtYXBfb3Bz W2ldLnN0YXR1cyAhPSBHTlRTVF9va2F5IHx8CisJCSAgICAoa21hcF9vcHMg JiYga21hcF9vcHNbaV0uc3RhdHVzICE9IEdOVFNUX29rYXkpKQogCQkJY29u dGludWU7CiAKIAkJaWYgKG1hcF9vcHNbaV0uZmxhZ3MgJiBHTlRNQVBfY29u dGFpbnNfcHRlKSB7Cg== --=separator Content-Type: application/octet-stream; name="xsa361-linux-3.patch" Content-Disposition: attachment; filename="xsa361-linux-3.patch" Content-Transfer-Encoding: base64 RnJvbTogSmFuIEJldWxpY2ggPGpiZXVsaWNoQHN1c2UuY29tPgpTdWJqZWN0 OiBYZW4vZ250ZGV2OiBjb3JyZWN0IGRldl9idXNfYWRkciBoYW5kbGluZyBp biBnbnRkZXZfbWFwX2dyYW50X3BhZ2VzKCkKCldlIG1heSBub3Qgc2tpcCBz ZXR0aW5nIHRoZSBmaWVsZCBpbiB0aGUgdW5tYXAgc3RydWN0dXJlIHdoZW4K R05UTUFQX2RldmljZV9tYXAgaXMgaW4gdXNlIC0gc3VjaCBhbiB1bm1hcCB3 b3VsZCBmYWlsIHRvIHJlbGVhc2UgdGhlCnJlc3BlY3RpdmUgcmVzb3VyY2Vz IChhIHBhZ2UgcmVmIGluIHRoZSBoeXBlcnZpc29yKS4gT3RvaCB0aGUgZmll bGQKZG9lc24ndCBuZWVkIHNldHRpbmcgYXQgYWxsIHdoZW4gR05UTUFQX2Rl dmljZV9tYXAgaXMgbm90IGluIHVzZS4KClRvIHJlY29yZCB0aGUgdmFsdWUg Zm9yIHVubWFwcGluZywgd2UgYWxzbyBiZXR0ZXIgZG9uJ3QgdXNlIG91ciBs b2NhbApwMm06IEluIHBhcnRpY3VsYXIgYWZ0ZXIgYSBzdWJzZXF1ZW50IGNo YW5nZSBpdCBtYXkgbm90IGhhdmUgZ290IHVwZGF0ZWQKZm9yIGFsbCB0aGUg YmF0Y2ggZWxlbWVudHMuIEluc3RlYWQgaXQgY2FuIHNpbXBseSBiZSB0YWtl biBmcm9tIHRoZQpyZXNwZWN0aXZlIG1hcCdzIHJlc3VsdHMuCgpXZSBjYW4g YWRkaXRpb25hbGx5IGF2b2lkIHBsYXlpbmcgdGhpcyBnYW1lIGFsdG9nZXRo ZXIgZm9yIHRoZSBrZXJuZWwKcGFydCBvZiB0aGUgbWFwcGluZ3MgaW4gKHg4 NikgUFYgbW9kZS4KClRoaXMgaXMgcGFydCBvZiBYU0EtMzYxLgoKU2lnbmVk LW9mZi1ieTogSmFuIEJldWxpY2ggPGpiZXVsaWNoQHN1c2UuY29tPgpDYzog c3RhYmxlQHZnZXIua2VybmVsLm9yZwpSZXZpZXdlZC1ieTogU3RlZmFubyBT dGFiZWxsaW5pIDxzc3RhYmVsbGluaUBrZXJuZWwub3JnPgotLS0KdjQ6IFNw bGl0IGZyb20gc3Vic2VxdWVudCBwYXRjaC4KCi0tLSBhL2RyaXZlcnMveGVu L2dudGRldi5jCisrKyBiL2RyaXZlcnMveGVuL2dudGRldi5jCkBAIC0zMDks MTggKzMwOSwyNSBAQCBpbnQgZ250ZGV2X21hcF9ncmFudF9wYWdlcyhzdHJ1 Y3QgZ250ZGV2CiAJCSAqIHRvIHRoZSBrZXJuZWwgbGluZWFyIGFkZHJlc3Nl cyBvZiB0aGUgc3RydWN0IHBhZ2VzLgogCQkgKiBUaGVzZSBwdGVzIGFyZSBj b21wbGV0ZWx5IGRpZmZlcmVudCBmcm9tIHRoZSB1c2VyIHB0ZXMgZGVhbHQK IAkJICogd2l0aCBmaW5kX2dyYW50X3B0ZXMuCisJCSAqIE5vdGUgdGhhdCBH TlRNQVBfZGV2aWNlX21hcCBpc24ndCBuZWVkZWQgaGVyZTogVGhlCisJCSAq IGRldl9idXNfYWRkciBvdXRwdXQgZmllbGQgZ2V0cyBjb25zdW1lZCBvbmx5 IGZyb20gLT5tYXBfb3BzLAorCQkgKiBhbmQgYnkgbm90IHJlcXVlc3Rpbmcg aXQgd2hlbiBtYXBwaW5nIHdlIGFsc28gYXZvaWQgbmVlZGluZworCQkgKiB0 byBtaXJyb3IgZGV2X2J1c19hZGRyIGludG8gLT51bm1hcF9vcHMgKGFuZCBo b2xkaW5nIGFuIGV4dHJhCisJCSAqIHJlZmVyZW5jZSB0byB0aGUgcGFnZSBp biB0aGUgaHlwZXJ2aXNvcikuCiAJCSAqLworCQl1bnNpZ25lZCBpbnQgZmxh Z3MgPSAobWFwLT5mbGFncyAmIH5HTlRNQVBfZGV2aWNlX21hcCkgfAorCQkJ CSAgICAgR05UTUFQX2hvc3RfbWFwOworCiAJCWZvciAoaSA9IDA7IGkgPCBt YXAtPmNvdW50OyBpKyspIHsKIAkJCXVuc2lnbmVkIGxvbmcgYWRkcmVzcyA9 ICh1bnNpZ25lZCBsb25nKQogCQkJCXBmbl90b19rYWRkcihwYWdlX3RvX3Bm bihtYXAtPnBhZ2VzW2ldKSk7CiAJCQlCVUdfT04oUGFnZUhpZ2hNZW0obWFw LT5wYWdlc1tpXSkpOwogCi0JCQlnbnR0YWJfc2V0X21hcF9vcCgmbWFwLT5r bWFwX29wc1tpXSwgYWRkcmVzcywKLQkJCQltYXAtPmZsYWdzIHwgR05UTUFQ X2hvc3RfbWFwLAorCQkJZ250dGFiX3NldF9tYXBfb3AoJm1hcC0+a21hcF9v cHNbaV0sIGFkZHJlc3MsIGZsYWdzLAogCQkJCW1hcC0+Z3JhbnRzW2ldLnJl ZiwKIAkJCQltYXAtPmdyYW50c1tpXS5kb21pZCk7CiAJCQlnbnR0YWJfc2V0 X3VubWFwX29wKCZtYXAtPmt1bm1hcF9vcHNbaV0sIGFkZHJlc3MsCi0JCQkJ bWFwLT5mbGFncyB8IEdOVE1BUF9ob3N0X21hcCwgLTEpOworCQkJCWZsYWdz LCAtMSk7CiAJCX0KIAl9CiAKQEAgLTMzNiwxNyArMzQzLDEyIEBAIGludCBn bnRkZXZfbWFwX2dyYW50X3BhZ2VzKHN0cnVjdCBnbnRkZXYKIAkJCWNvbnRp bnVlOwogCQl9CiAKKwkJaWYgKG1hcC0+ZmxhZ3MgJiBHTlRNQVBfZGV2aWNl X21hcCkKKwkJCW1hcC0+dW5tYXBfb3BzW2ldLmRldl9idXNfYWRkciA9IG1h cC0+bWFwX29wc1tpXS5kZXZfYnVzX2FkZHI7CisKIAkJbWFwLT51bm1hcF9v cHNbaV0uaGFuZGxlID0gbWFwLT5tYXBfb3BzW2ldLmhhbmRsZTsKIAkJaWYg KHVzZV9wdGVtb2QpCiAJCQltYXAtPmt1bm1hcF9vcHNbaV0uaGFuZGxlID0g bWFwLT5rbWFwX29wc1tpXS5oYW5kbGU7Ci0jaWZkZWYgQ09ORklHX1hFTl9H UkFOVF9ETUFfQUxMT0MKLQkJZWxzZSBpZiAobWFwLT5kbWFfdmFkZHIpIHsK LQkJCXVuc2lnbmVkIGxvbmcgYmZuOwotCi0JCQliZm4gPSBwZm5fdG9fYmZu KHBhZ2VfdG9fcGZuKG1hcC0+cGFnZXNbaV0pKTsKLQkJCW1hcC0+dW5tYXBf b3BzW2ldLmRldl9idXNfYWRkciA9IF9fcGZuX3RvX3BoeXMoYmZuKTsKLQkJ fQotI2VuZGlmCiAJfQogCXJldHVybiBlcnI7CiB9Cg== --=separator Content-Type: application/octet-stream; name="xsa361-linux-4.patch" Content-Disposition: attachment; filename="xsa361-linux-4.patch" Content-Transfer-Encoding: base64 RnJvbTogSmFuIEJldWxpY2ggPGpiZXVsaWNoQHN1c2UuY29tPgpTdWJqZWN0 OiBYZW4vZ250ZGV2OiBjb3JyZWN0IGVycm9yIGNoZWNraW5nIGluIGdudGRl dl9tYXBfZ3JhbnRfcGFnZXMoKQoKRmFpbHVyZSBvZiB0aGUga2VybmVsIHBh cnQgb2YgdGhlIG1hcHBpbmcgb3BlcmF0aW9uIHNob3VsZCBhbHNvIGJlCmlu ZGljYXRlZCBhcyBhbiBlcnJvciB0byB0aGUgY2FsbGVyLCBvciBlbHNlIGl0 IG1heSBhc3N1bWUgdGhlCnJlc3BlY3RpdmUga2VybmVsIFZBIGlzIG9rYXkg dG8gYWNjZXNzLgoKRnVydGhlcm1vcmUgZ250dGFiX21hcF9yZWZzKCkgZmFp bGluZyBzdGlsbCByZXF1aXJlcyByZWNvcmRpbmcKc3VjY2Vzc2Z1bGx5IG1h cHBlZCBoYW5kbGVzLCBzbyB0aGV5IGNhbiBiZSB1bm1hcHBlZCBzdWJzZXF1 ZW50bHkuIFRoaXMKaW4gdHVybiByZXF1aXJlcyB0aGVyZSB0byBiZSBhIHdh eSB0byB0ZWxsIGZ1bGwgaHlwZXJjYWxsIGZhaWx1cmUgZnJvbQpwYXJ0aWFs IHN1Y2Nlc3MgLSBwcmVzZXQgbWFwX29wIHN0YXR1cyBmaWVsZHMgc3VjaCB0 aGF0IHRoZXkgd29uJ3QKImhhcHBlbiIgdG8gbG9vayBhcyBpZiB0aGUgb3Bl cmF0aW9uIHN1Y2NlZWRlZC4KCkFsc28gYWdhaW4gdXNlIEdOVFNUX29rYXkg aW5zdGVhZCBvZiBpbXBseWluZyBpdHMgdmFsdWUgKHplcm8pLgoKVGhpcyBp cyBwYXJ0IG9mIFhTQS0zNjEuCgpTaWduZWQtb2ZmLWJ5OiBKYW4gQmV1bGlj aCA8amJldWxpY2hAc3VzZS5jb20+CkNjOiBzdGFibGVAdmdlci5rZXJuZWwu b3JnClJldmlld2VkLWJ5OiBKdWVyZ2VuIEdyb3NzIDxqZ3Jvc3NAc3VzZS5j b20+Ci0tLQp2NDogU3BsaXQgb3V0IHRoZSB2MyBjaGFuZ2VzIGFuZCByZS1i YXNlIG92ZXIgdGhlIHJlc3VsdGluZyBlYXJsaWVyCiAgICBwYXRjaC4KdjM6 IEFsc28gZml4IEdOVE1BUF9kZXZpY2VfbWFwIC8gLT5kZXZfYnVzX2FkZHIg aGFuZGxpbmcuCnYyOiBEcm9wIGFuIGluYXBwbGljYWJsZSBwYXJ0IG9mIHRo ZSBkZXNjcmlwdGlvbi4gVXNlIDEgaW5zdGVhZCBvZgogICAgX19MSU5FX18u CgotLS0gYS9kcml2ZXJzL3hlbi9nbnRkZXYuYworKysgYi9kcml2ZXJzL3hl bi9nbnRkZXYuYwpAQCAtMzM0LDIxICszMzQsMjIgQEAgaW50IGdudGRldl9t YXBfZ3JhbnRfcGFnZXMoc3RydWN0IGdudGRldgogCXByX2RlYnVnKCJtYXAg JWQrJWRcbiIsIG1hcC0+aW5kZXgsIG1hcC0+Y291bnQpOwogCWVyciA9IGdu dHRhYl9tYXBfcmVmcyhtYXAtPm1hcF9vcHMsIHVzZV9wdGVtb2QgPyBtYXAt PmttYXBfb3BzIDogTlVMTCwKIAkJCW1hcC0+cGFnZXMsIG1hcC0+Y291bnQp OwotCWlmIChlcnIpCi0JCXJldHVybiBlcnI7CiAKIAlmb3IgKGkgPSAwOyBp IDwgbWFwLT5jb3VudDsgaSsrKSB7Ci0JCWlmIChtYXAtPm1hcF9vcHNbaV0u c3RhdHVzKSB7CisJCWlmIChtYXAtPm1hcF9vcHNbaV0uc3RhdHVzID09IEdO VFNUX29rYXkpCisJCQltYXAtPnVubWFwX29wc1tpXS5oYW5kbGUgPSBtYXAt Pm1hcF9vcHNbaV0uaGFuZGxlOworCQllbHNlIGlmICghZXJyKQogCQkJZXJy ID0gLUVJTlZBTDsKLQkJCWNvbnRpbnVlOwotCQl9CiAKIAkJaWYgKG1hcC0+ ZmxhZ3MgJiBHTlRNQVBfZGV2aWNlX21hcCkKIAkJCW1hcC0+dW5tYXBfb3Bz W2ldLmRldl9idXNfYWRkciA9IG1hcC0+bWFwX29wc1tpXS5kZXZfYnVzX2Fk ZHI7CiAKLQkJbWFwLT51bm1hcF9vcHNbaV0uaGFuZGxlID0gbWFwLT5tYXBf b3BzW2ldLmhhbmRsZTsKLQkJaWYgKHVzZV9wdGVtb2QpCi0JCQltYXAtPmt1 bm1hcF9vcHNbaV0uaGFuZGxlID0gbWFwLT5rbWFwX29wc1tpXS5oYW5kbGU7 CisJCWlmICh1c2VfcHRlbW9kKSB7CisJCQlpZiAobWFwLT5rbWFwX29wc1tp XS5zdGF0dXMgPT0gR05UU1Rfb2theSkKKwkJCQltYXAtPmt1bm1hcF9vcHNb aV0uaGFuZGxlID0gbWFwLT5rbWFwX29wc1tpXS5oYW5kbGU7CisJCQllbHNl IGlmICghZXJyKQorCQkJCWVyciA9IC1FSU5WQUw7CisJCX0KIAl9CiAJcmV0 dXJuIGVycjsKIH0KLS0tIGEvaW5jbHVkZS94ZW4vZ3JhbnRfdGFibGUuaAor KysgYi9pbmNsdWRlL3hlbi9ncmFudF90YWJsZS5oCkBAIC0xNTcsNiArMTU3 LDcgQEAgZ250dGFiX3NldF9tYXBfb3Aoc3RydWN0IGdudHRhYl9tYXBfZ3Jh bgogCW1hcC0+ZmxhZ3MgPSBmbGFnczsKIAltYXAtPnJlZiA9IHJlZjsKIAlt YXAtPmRvbSA9IGRvbWlkOworCW1hcC0+c3RhdHVzID0gMTsgLyogYXJiaXRy YXJ5IHBvc2l0aXZlIHZhbHVlICovCiB9CiAKIHN0YXRpYyBpbmxpbmUgdm9p ZAo= --=separator Content-Type: application/octet-stream; name="xsa361-linux-5.patch" Content-Disposition: attachment; filename="xsa361-linux-5.patch" Content-Transfer-Encoding: base64 RnJvbTogU3RlZmFubyBTdGFiZWxsaW5pIDxzdGVmYW5vLnN0YWJlbGxpbmlA eGlsaW54LmNvbT4KU3ViamVjdDogeGVuL2FybTogZG9uJ3QgaWdub3JlIHJl dHVybiBlcnJvcnMgZnJvbSBzZXRfcGh5c190b19tYWNoaW5lCgpzZXRfcGh5 c190b19tYWNoaW5lIGNhbiBmYWlsIGR1ZSB0byBsYWNrIG9mIG1lbW9yeSwg c2VlIHRoZSBremFsbG9jIGNhbGwKaW4gYXJjaC9hcm0veGVuL3AybS5jOl9f c2V0X3BoeXNfdG9fbWFjaGluZV9tdWx0aS4KCkRvbid0IGlnbm9yZSB0aGUg cG90ZW50aWFsIHJldHVybiBlcnJvciBpbiBzZXRfZm9yZWlnbl9wMm1fbWFw cGluZywKcmV0dXJuaW5nIGl0IHRvIHRoZSBjYWxsZXIgaW5zdGVhZC4KClRo aXMgaXMgcGFydCBvZiBYU0EtMzYxLgoKU2lnbmVkLW9mZi1ieTogU3RlZmFu byBTdGFiZWxsaW5pIDxzdGVmYW5vLnN0YWJlbGxpbmlAeGlsaW54LmNvbT4K Q2M6IHN0YWJsZUB2Z2VyLmtlcm5lbC5vcmcKUmV2aWV3ZWQtYnk6IEp1bGll biBHcmFsbCA8amdyYWxsQGFtYXpvbi5jb20+CgotLS0gYS9hcmNoL2FybS94 ZW4vcDJtLmMKKysrIGIvYXJjaC9hcm0veGVuL3AybS5jCkBAIC05NSw4ICs5 NSwxMCBAQCBpbnQgc2V0X2ZvcmVpZ25fcDJtX21hcHBpbmcoc3RydWN0IGdu dHRhYl9tYXBfZ3JhbnRfcmVmICptYXBfb3BzLAogCWZvciAoaSA9IDA7IGkg PCBjb3VudDsgaSsrKSB7CiAJCWlmIChtYXBfb3BzW2ldLnN0YXR1cykKIAkJ CWNvbnRpbnVlOwotCQlzZXRfcGh5c190b19tYWNoaW5lKG1hcF9vcHNbaV0u aG9zdF9hZGRyID4+IFhFTl9QQUdFX1NISUZULAotCQkJCSAgICBtYXBfb3Bz W2ldLmRldl9idXNfYWRkciA+PiBYRU5fUEFHRV9TSElGVCk7CisJCWlmICh1 bmxpa2VseSghc2V0X3BoeXNfdG9fbWFjaGluZShtYXBfb3BzW2ldLmhvc3Rf YWRkciA+PiBYRU5fUEFHRV9TSElGVCwKKwkJCQkgICAgbWFwX29wc1tpXS5k ZXZfYnVzX2FkZHIgPj4gWEVOX1BBR0VfU0hJRlQpKSkgeworCQkJcmV0dXJu IC1FTk9NRU07CisJCX0KIAl9CiAKIAlyZXR1cm4gMDsKCg== --=separator-- From xen-announce-bounces@lists.xenproject.org Tue Feb 16 12:36:12 2021 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 16 Feb 2021 12:36:12 +0000 Received: from list by lists.xenproject.org with outflank-mailman.85537.160484 (Exim 4.92) (envelope-from ) id 1lBzaG-0002KF-M4; Tue, 16 Feb 2021 12:36:04 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 85537.160484; Tue, 16 Feb 2021 12:36:04 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1lBzaG-0002K4-Fu; Tue, 16 Feb 2021 12:36:04 +0000 Received: by outflank-mailman (input) for mailman id 85537; Tue, 16 Feb 2021 12:36:03 +0000 Received: from all-amaz-eas1.inumbo.com ([34.197.232.57] helo=us1-amaz-eas2.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1lBzaF-0001zb-4r for xen-announce@lists.xen.org; Tue, 16 Feb 2021 12:36:03 +0000 Received: from mail.xenproject.org (unknown [104.130.215.37]) by us1-amaz-eas2.inumbo.com (Halon) with ESMTPS id d9ef4170-2346-4d91-8c5f-8c90166e5d6e; Tue, 16 Feb 2021 12:35:36 +0000 (UTC) Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1lBzZj-0008N9-FT; Tue, 16 Feb 2021 12:35:31 +0000 Received: from iwj by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1lBzZj-0002cK-EW; Tue, 16 Feb 2021 12:35:31 +0000 X-BeenThere: xen-announce@lists.xenproject.org List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-announce-bounces@lists.xenproject.org Precedence: list Sender: "Xen-announce" X-Inumbo-ID: d9ef4170-2346-4d91-8c5f-8c90166e5d6e DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:CC:From:To:MIME-Version: Content-Transfer-Encoding:Content-Type; bh=IHjlcNqY9zVQG6xPpJPwS1esZBtm3kl4cjbgTTWsTRU=; b=Ww+Gi67omVf9Ru77k14K1xTV/Z h3mTaS7e/r1khuCnYVxpZuOomlXQz+ykuTN4mO1X4xfDDy1ChAc4a4lwU0tVy4yIifF0tXvA7LxU7 /9uRxUDcrduK7p9U1CnLG9275u2h31jacTH0Yh+J7ZERTlYM9RfSGhAXQpMg7WMtrb+0=; Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.509 (Entity 5.509) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team CC: Xen.org security team Subject: Xen Security Advisory 364 v3 (CVE-2021-26933) - arm: The cache may not be cleaned for newly allocated scrubbed pages Message-Id: Date: Tue, 16 Feb 2021 12:35:31 +0000 --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory CVE-2021-26933 / XSA-364 version 3 arm: The cache may not be cleaned for newly allocated scrubbed pages UPDATES IN VERSION 3 ==================== Public release. ISSUE DESCRIPTION ================= On Arm, a guest is allowed to control whether memory access bypass the cache. This means that Xen needs to ensure that all writes (such as the ones during scrubbing) have reached memory before handing over the page to a guest. Unfortunately the operation to clean the cache happens before checking if the page was scrubbed. Therefore there is no guarantee when all the writes will reach the memory. IMPACT ====== A malicious guest may be able to read sensitive data from memory that previously belonged to another guest. VULNERABLE SYSTEMS ================== Xen version 4.9 onwards are vulnerable. Only Arm systems are vulnerable. MITIGATION ========== There is no known mitigation. CREDITS ======= This issue was discovered by Julien Grall of Amazon. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. Note that patches for released versions are generally prepared to apply to the stable branches, and may not apply cleanly to the most recent release tarball. Downstreams are encouraged to update to the tip of the stable branch before applying these patches. xsa364.patch xen-unstable - 4.11 $ sha256sum xsa364* c9dcb3052bb6ca4001e02b3ad889c70b4eebf1931bef83dfb7de86452851f3c8 xsa364.meta dc313c70bb07b4096bbc4612cbbc180589923277411dede2fda37f04ecc846d6 xsa364.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmAru/UMHHBncEB4ZW4u b3JnAAoJEIP+FMlX6CvZT0UH/0Lzw4sShqmyO06n0HWcXyzXKx7Qh67tjBglmB0D XHKrlTKR0Cs1S2NR3GCSZCSPNKXcXU689qEXlvK07EpheO/xCUgpZNkt/Eab/JFK NngYbuev1z6+bGeCi70b6RItCXoWiwDWEJqLlLKROwBXMZaodwgjY7/o3GR2D8ZV Qyz2EcAdJUIYmMsLC3hJ7gTLXvdySp+0lZ9oO6qe4YYQ3CIwPJnlflWFTzcASfML D9lMVG6u6ratiqt4N1egE0gxBe3/QP8KoptSqiV+MDdwPnsK009g/G+0Ea430ZEh lviVSgCxhdELx2Tv+Q7qSSbnfMSdnibSHAxipcbyhvjiEJU= =mHyv -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa364.meta" Content-Disposition: attachment; filename="xsa364.meta" Content-Transfer-Encoding: base64 ewogICJYU0EiOiAzNjQsCiAgIlN1cHBvcnRlZFZlcnNpb25zIjogWwogICAg Im1hc3RlciIsCiAgICAiNC4xNCIsCiAgICAiNC4xMyIsCiAgICAiNC4xMiIs CiAgICAiNC4xMSIKICBdLAogICJUcmVlcyI6IFsKICAgICJ4ZW4iCiAgXSwK ICAiUmVjaXBlcyI6IHsKICAgICI0LjExIjogewogICAgICAiUmVjaXBlcyI6 IHsKICAgICAgICAieGVuIjogewogICAgICAgICAgIlN0YWJsZVJlZiI6ICIz MTBhYjc5ODc1Y2I3MDVjYzJjN2RhZGRmZjQxMmI1YTQ4OTlmOGM5IiwKICAg ICAgICAgICJQcmVyZXFzIjogW10sCiAgICAgICAgICAiUGF0Y2hlcyI6IFsK ICAgICAgICAgICAgInhzYTM2NC5wYXRjaCIKICAgICAgICAgIF0KICAgICAg ICB9CiAgICAgIH0KICAgIH0sCiAgICAiNC4xMiI6IHsKICAgICAgIlJlY2lw ZXMiOiB7CiAgICAgICAgInhlbiI6IHsKICAgICAgICAgICJTdGFibGVSZWYi OiAiY2NlN2NiZDk4NmMxMjJhODY1ODJmZjM3NzViNmI1NTlkODc3NDA3YyIs CiAgICAgICAgICAiUHJlcmVxcyI6IFtdLAogICAgICAgICAgIlBhdGNoZXMi OiBbCiAgICAgICAgICAgICJ4c2EzNjQucGF0Y2giCiAgICAgICAgICBdCiAg ICAgICAgfQogICAgICB9CiAgICB9LAogICAgIjQuMTMiOiB7CiAgICAgICJS ZWNpcGVzIjogewogICAgICAgICJ4ZW4iOiB7CiAgICAgICAgICAiU3RhYmxl UmVmIjogImU0MTYxOTM4YjMxNWYzYjljNmExM2FkZTMwZDE2YzExNTA0YTJk MTYiLAogICAgICAgICAgIlByZXJlcXMiOiBbXSwKICAgICAgICAgICJQYXRj aGVzIjogWwogICAgICAgICAgICAieHNhMzY0LnBhdGNoIgogICAgICAgICAg XQogICAgICAgIH0KICAgICAgfQogICAgfSwKICAgICI0LjE0IjogewogICAg ICAiUmVjaXBlcyI6IHsKICAgICAgICAieGVuIjogewogICAgICAgICAgIlN0 YWJsZVJlZiI6ICI0MTcwMjE4Y2I5NjU0NjQyNjY2NGU1YzFkMDBjNWE4NDhh MjZhZTllIiwKICAgICAgICAgICJQcmVyZXFzIjogW10sCiAgICAgICAgICAi UGF0Y2hlcyI6IFsKICAgICAgICAgICAgInhzYTM2NC5wYXRjaCIKICAgICAg ICAgIF0KICAgICAgICB9CiAgICAgIH0KICAgIH0sCiAgICAibWFzdGVyIjog ewogICAgICAiUmVjaXBlcyI6IHsKICAgICAgICAieGVuIjogewogICAgICAg ICAgIlN0YWJsZVJlZiI6ICI1ZTdhYTkwNDQwNWZhMmYyNjhjM2FmMjEzNTE2 YmFlMjcxZGUzMjY1IiwKICAgICAgICAgICJQcmVyZXFzIjogW10sCiAgICAg ICAgICAiUGF0Y2hlcyI6IFsKICAgICAgICAgICAgInhzYTM2NC5wYXRjaCIK ICAgICAgICAgIF0KICAgICAgICB9CiAgICAgIH0KICAgIH0KICB9Cn0K --=separator Content-Type: application/octet-stream; name="xsa364.patch" Content-Disposition: attachment; filename="xsa364.patch" Content-Transfer-Encoding: base64 RnJvbSBkYWRiNWI0YjIxYzkwNGNlNTkwMjRjNjg2ZWIxYzU1YmU4ZjQ2YzUy IE1vbiBTZXAgMTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBKdWxpZW4gR3JhbGwg PGpncmFsbEBhbWF6b24uY29tPgpEYXRlOiBUaHUsIDIxIEphbiAyMDIxIDEw OjE2OjA4ICswMDAwClN1YmplY3Q6IFtQQVRDSF0geGVuL3BhZ2VfYWxsb2M6 IE9ubHkgZmx1c2ggdGhlIHBhZ2UgdG8gUkFNIG9uY2Ugd2Uga25vdyB0aGV5 CiBhcmUgc2NydWJiZWQKCkF0IHRoZSBtb21lbnQsIGVhY2ggcGFnZSBhcmUg Zmx1c2hlZCB0byBSQU0ganVzdCBhZnRlciB0aGUgYWxsb2NhdG9yCmZvdW5k IHNvbWUgZnJlZSBwYWdlcy4gSG93ZXZlciwgdGhpcyBpcyBoYXBwZW5pbmcg YmVmb3JlIGNoZWNrIGlmIHRoZQpwYWdlIHdhcyBzY3J1YmJlZC4KCkFzIGEg Y29uc2VxdWVuY2UsIG9uIEFybSwgYSBndWVzdCBtYXkgYmUgYWJsZSB0byBh Y2Nlc3MgdGhlIG9sZCBjb250ZW50Cm9mIHRoZSBzY3J1YmJlZCBwYWdlcyBp ZiBpdCBoYXMgY2FjaGUgZGlzYWJsZWQgKGRlZmF1bHQgYXQgYm9vdCkgYW5k CnRoZSBjb250ZW50IGRpZG4ndCByZWFjaCB0aGUgUG9pbnQgb2YgQ29oZXJl bmN5LgoKVGhlIGZsdXNoIGlzIG5vdyBtb3ZlZCBhZnRlciB3ZSBrbm93IHRo ZSBjb250ZW50IG9mIHRoZSBwYWdlIHdpbGwgbm90CmNoYW5nZS4gVGhpcyBh bHNvIGhhcyB0aGUgYmVuZWZpdCB0byByZWR1Y2UgdGhlIGFtb3VudCBvZiB3 b3JrIGhhcHBlbmluZwp3aXRoIHRoZSBoZWFwX2xvY2sgaGVsZC4KClRoaXMg aXMgWFNBLTM2NC4KCkZpeGVzOiAzMDdjM2JlM2NjYjIgKCJtbTogRG9uJ3Qg c2NydWIgcGFnZXMgd2hpbGUgaG9sZGluZyBoZWFwIGxvY2sgaW4gYWxsb2Nf aGVhcF9wYWdlcygpIikKU2lnbmVkLW9mZi1ieTogSnVsaWVuIEdyYWxsIDxq Z3JhbGxAYW1hem9uLmNvbT4KUmV2aWV3ZWQtYnk6IEphbiBCZXVsaWNoIDxq YmV1bGljaEBzdXNlLmNvbT4KLS0tCiB4ZW4vY29tbW9uL3BhZ2VfYWxsb2Mu YyB8IDE0ICsrKysrKysrKy0tLS0tCiAxIGZpbGUgY2hhbmdlZCwgOSBpbnNl cnRpb25zKCspLCA1IGRlbGV0aW9ucygtKQoKZGlmZiAtLWdpdCBhL3hlbi9j b21tb24vcGFnZV9hbGxvYy5jIGIveGVuL2NvbW1vbi9wYWdlX2FsbG9jLmMK aW5kZXggMDJhYzFmYTYxM2U3Li4xNzQ0ZTZmYWE1YzQgMTAwNjQ0Ci0tLSBh L3hlbi9jb21tb24vcGFnZV9hbGxvYy5jCisrKyBiL3hlbi9jb21tb24vcGFn ZV9hbGxvYy5jCkBAIC05MjQsNiArOTI0LDcgQEAgc3RhdGljIHN0cnVjdCBw YWdlX2luZm8gKmFsbG9jX2hlYXBfcGFnZXMoCiAgICAgYm9vbCBuZWVkX3Rs YmZsdXNoID0gZmFsc2U7CiAgICAgdWludDMyX3QgdGxiZmx1c2hfdGltZXN0 YW1wID0gMDsKICAgICB1bnNpZ25lZCBpbnQgZGlydHlfY250ID0gMDsKKyAg ICBtZm5fdCBtZm47CiAKICAgICAvKiBNYWtlIHN1cmUgdGhlcmUgYXJlIGVu b3VnaCBiaXRzIGluIG1lbWZsYWdzIGZvciBub2RlSUQuICovCiAgICAgQlVJ TERfQlVHX09OKChfTUVNRl9iaXRzIC0gX01FTUZfbm9kZSkgPCAoOCAqIHNp emVvZihub2RlaWRfdCkpKTsKQEAgLTEwMjIsMTEgKzEwMjMsNiBAQCBzdGF0 aWMgc3RydWN0IHBhZ2VfaW5mbyAqYWxsb2NfaGVhcF9wYWdlcygKICAgICAg ICAgcGdbaV0udS5pbnVzZS50eXBlX2luZm8gPSAwOwogICAgICAgICBwYWdl X3NldF9vd25lcigmcGdbaV0sIE5VTEwpOwogCi0gICAgICAgIC8qIEVuc3Vy ZSBjYWNoZSBhbmQgUkFNIGFyZSBjb25zaXN0ZW50IGZvciBwbGF0Zm9ybXMg d2hlcmUgdGhlCi0gICAgICAgICAqIGd1ZXN0IGNhbiBjb250cm9sIGl0cyBv d24gdmlzaWJpbGl0eSBvZi90aHJvdWdoIHRoZSBjYWNoZS4KLSAgICAgICAg ICovCi0gICAgICAgIGZsdXNoX3BhZ2VfdG9fcmFtKG1mbl94KHBhZ2VfdG9f bWZuKCZwZ1tpXSkpLAotICAgICAgICAgICAgICAgICAgICAgICAgICAhKG1l bWZsYWdzICYgTUVNRl9ub19pY2FjaGVfZmx1c2gpKTsKICAgICB9CiAKICAg ICBzcGluX3VubG9jaygmaGVhcF9sb2NrKTsKQEAgLTEwNjIsNiArMTA1OCwx NCBAQCBzdGF0aWMgc3RydWN0IHBhZ2VfaW5mbyAqYWxsb2NfaGVhcF9wYWdl cygKICAgICBpZiAoIG5lZWRfdGxiZmx1c2ggKQogICAgICAgICBmaWx0ZXJl ZF9mbHVzaF90bGJfbWFzayh0bGJmbHVzaF90aW1lc3RhbXApOwogCisgICAg LyoKKyAgICAgKiBFbnN1cmUgY2FjaGUgYW5kIFJBTSBhcmUgY29uc2lzdGVu dCBmb3IgcGxhdGZvcm1zIHdoZXJlIHRoZSBndWVzdAorICAgICAqIGNhbiBj b250cm9sIGl0cyBvd24gdmlzaWJpbGl0eSBvZi90aHJvdWdoIHRoZSBjYWNo ZS4KKyAgICAgKi8KKyAgICBtZm4gPSBwYWdlX3RvX21mbihwZyk7CisgICAg Zm9yICggaSA9IDA7IGkgPCAoMVUgPDwgb3JkZXIpOyBpKysgKQorICAgICAg ICBmbHVzaF9wYWdlX3RvX3JhbShtZm5feChtZm4pICsgaSwgIShtZW1mbGFn cyAmIE1FTUZfbm9faWNhY2hlX2ZsdXNoKSk7CisKICAgICByZXR1cm4gcGc7 CiB9CiAKLS0gCjIuMTcuMQoK --=separator-- From xen-announce-bounces@lists.xenproject.org Tue Feb 16 12:39:53 2021 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 16 Feb 2021 12:39:53 +0000 Received: from list by lists.xenproject.org with outflank-mailman.85675.160604 (Exim 4.92) (envelope-from ) id 1lBzdb-0004hA-LP; Tue, 16 Feb 2021 12:39:31 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 85675.160604; Tue, 16 Feb 2021 12:39:31 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1lBzdb-0004h0-HS; Tue, 16 Feb 2021 12:39:31 +0000 Received: by outflank-mailman (input) for mailman id 85675; Tue, 16 Feb 2021 12:39:30 +0000 Received: from us1-rack-iad1.inumbo.com ([172.99.69.81]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1lBzag-0001zG-RL for xen-announce@lists.xen.org; Tue, 16 Feb 2021 12:36:30 +0000 Received: from mail.xenproject.org (unknown [104.130.215.37]) by us1-rack-iad1.inumbo.com (Halon) with ESMTPS id 058e238a-214d-4b02-9732-042ee8802a6c; Tue, 16 Feb 2021 12:35:35 +0000 (UTC) Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1lBzZi-0008Mp-47; Tue, 16 Feb 2021 12:35:30 +0000 Received: from iwj by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1lBzZi-0002aT-2R; Tue, 16 Feb 2021 12:35:30 +0000 X-BeenThere: xen-announce@lists.xenproject.org List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-announce-bounces@lists.xenproject.org Precedence: list Sender: "Xen-announce" X-Inumbo-ID: 058e238a-214d-4b02-9732-042ee8802a6c DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:CC:From:To:MIME-Version: Content-Transfer-Encoding:Content-Type; bh=lZWifSAdWtqIapxaF/ABMz5U1NS2kxDVUZoclZKPguo=; b=3nniZQLh/q0JG34VPD0xs4VeUH HRegZFYig+FQgXOTHx7CBcDBYFzPhSB9NE/4qvF9EaEZzkFN4C7HWi+Ijs4luDq/2w1LavEck4otJ K5LTGecfopcu3c7q8XREM2KCw7iwukc1ZQArBpWjLiqQSujSvRNvJ+g9EccWSLbSk00g=; Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.509 (Entity 5.509) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team CC: Xen.org security team Subject: Xen Security Advisory 362 v3 (CVE-2021-26931) - Linux: backends treating grant mapping errors as bugs Message-Id: Date: Tue, 16 Feb 2021 12:35:30 +0000 --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory CVE-2021-26931 / XSA-362 version 3 Linux: backends treating grant mapping errors as bugs UPDATES IN VERSION 3 ==================== Public release. ISSUE DESCRIPTION ================= Block, net, and SCSI backends consider certain errors a plain bug, deliberately causing a kernel crash. For errors potentially being at least under the influence of guests, like out of memory conditions, it isn't correct to assume so. Memory allocations potentially causing such crashes occur only when Linux is running in PV mode, though. IMPACT ====== A malicious or buggy frontend driver may be able to crash the corresponding backend driver, potentially affecting the entire domain running the backend driver. VULNERABLE SYSTEMS ================== Linux versions from at least 2.6.39 onwards are vulnerable, when run in PV mode. Earlier versions differ significantly in behavior and may therefore instead surface other issues under the same conditions. Linux run in HVM / PVH modes is not vulnerable. MITIGATION ========== For Linux, running the backends in HVM or PVH domains will avoid the vulnerability. For protocols where non-Linux-kernel based backends are available, reconfiguring guests to use alternative (e.g. qemu-based) backends may allow to avoid the vulnerability. In all other cases there is no known mitigation. CREDITS ======= This issue was discovered by Jan Beulich of SUSE. RESOLUTION ========== Applying the appropriate attached patches resolves this issue. Applying the attached patches resolves this issue. xsa362-linux-1.patch Linux 5.11-rc - 5.10 xsa362-linux-2.patch Linux 5.11-rc - 3.16 xsa362-linux-3.patch Linux 5.11-rc - 4.1 $ sha256sum xsa362* d64334807f16ff9909503b3cc9b8b93fd42d2c36e1fb0e508b89a765a53071a8 xsa362-linux-1.patch b6d02952e7fbede55b868cb2dc4d8853284996883dc72518a0cd5b14d6c7fdd4 xsa362-linux-2.patch 0a2661380d8f786fefe12e5a8b1528d4a79f1ad058c26b417c52449a7e16a302 xsa362-linux-3.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. Deployment of the mitigation to switch to HVM / PVH backend domains is also permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. HOWEVER, deployment of the non-kernel-based backends mitigation described above is NOT permitted during the embargo on public-facing systems with untrusted guest users and administrators. This is because such a configuration change may be recognizable by the affected guests. AND: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmAru/UMHHBncEB4ZW4u b3JnAAoJEIP+FMlX6CvZszQH/jwCgehGBbejtpFjiOqEPdqIQhd0X+Q1feFD9PB6 07gfGanmSds5mitr0ezTHbfLw85CoFbAJhalNdx9XeQrZTIvRAizkCi779rE9UYZ H0CN73GoObF4E8q+tVRpZni0Rcnb77bETRsmlYjRYRjtZNZ1+7vbn4tf4JMccoo0 qhz1/bqY3e4yHPcdxb9P3T/DQKNG+nJjkn4kNueYo1PUGUetxw6HXbXWHh6WvbOr mfd+sTxRSf+Nk2OZhtofjIYEIeL058axZoSuARBIPphBmOCumUTGzrypZwe5BTuF GMQqlguxPU0rFscGd/Js05suFhQQR4ccJlSGRs7pswt9i0M= =KnG3 -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa362-linux-1.patch" Content-Disposition: attachment; filename="xsa362-linux-1.patch" Content-Transfer-Encoding: base64 RnJvbTogSmFuIEJldWxpY2ggPGpiZXVsaWNoQHN1c2UuY29tPgpTdWJqZWN0 OiB4ZW4tYmxrYmFjazogZG9uJ3QgImhhbmRsZSIgZXJyb3IgYnkgQlVHKCkK CkluIHBhcnRpY3VsYXIgLUVOT01FTSBtYXkgY29tZSBiYWNrIGhlcmUsIGZy b20gc2V0X2ZvcmVpZ25fcDJtX21hcHBpbmcoKS4KRG9uJ3QgbWFrZSBwcm9i bGVtcyB3b3JzZSwgdGhlIG1vcmUgdGhhdCBoYW5kbGluZyBlbHNld2hlcmUg KHRvZ2V0aGVyCndpdGggbWFwJ3Mgc3RhdHVzIGZpZWxkcyBub3cgaW5kaWNh dGluZyB3aGV0aGVyIGEgbWFwcGluZyB3YXNuJ3QgZXZlbgphdHRlbXB0ZWQs IGFuZCBoZW5jZSBoYXMgdG8gYmUgY29uc2lkZXJlZCBmYWlsZWQpIGRvZXNu J3QgcmVxdWlyZSB0aGlzCm9kZCB3YXkgb2YgZGVhbGluZyB3aXRoIGVycm9y cy4KClRoaXMgaXMgcGFydCBvZiBYU0EtMzYyLgoKU2lnbmVkLW9mZi1ieTog SmFuIEJldWxpY2ggPGpiZXVsaWNoQHN1c2UuY29tPgpDYzogc3RhYmxlQHZn ZXIua2VybmVsLm9yZwpSZXZpZXdlZC1ieTogSnVlcmdlbiBHcm9zcyA8amdy b3NzQHN1c2UuY29tPgoKLS0tIGEvZHJpdmVycy9ibG9jay94ZW4tYmxrYmFj ay9ibGtiYWNrLmMKKysrIGIvZHJpdmVycy9ibG9jay94ZW4tYmxrYmFjay9i bGtiYWNrLmMKQEAgLTgxMSwxMCArODExLDggQEAgYWdhaW46CiAJCQlicmVh azsKIAl9CiAKLQlpZiAoc2Vnc190b19tYXApIHsKKwlpZiAoc2Vnc190b19t YXApCiAJCXJldCA9IGdudHRhYl9tYXBfcmVmcyhtYXAsIE5VTEwsIHBhZ2Vz X3RvX2dudCwgc2Vnc190b19tYXApOwotCQlCVUdfT04ocmV0KTsKLQl9CiAK IAkvKgogCSAqIE5vdyBzd2l6emxlIHRoZSBNRk4gaW4gb3VyIGRvbWFpbiB3 aXRoIHRoZSBNRk4gZnJvbSB0aGUgb3RoZXIgZG9tYWluCkBAIC04MzAsNyAr ODI4LDcgQEAgYWdhaW46CiAJCQkJZ250dGFiX3BhZ2VfY2FjaGVfcHV0KCZy aW5nLT5mcmVlX3BhZ2VzLAogCQkJCQkJICAgICAgJnBhZ2VzW3NlZ19pZHhd LT5wYWdlLCAxKTsKIAkJCQlwYWdlc1tzZWdfaWR4XS0+aGFuZGxlID0gQkxL QkFDS19JTlZBTElEX0hBTkRMRTsKLQkJCQlyZXQgfD0gMTsKKwkJCQlyZXQg fD0gIXJldDsKIAkJCQlnb3RvIG5leHQ7CiAJCQl9CiAJCQlwYWdlc1tzZWdf aWR4XS0+aGFuZGxlID0gbWFwW25ld19tYXBfaWR4XS5oYW5kbGU7Cg== --=separator Content-Type: application/octet-stream; name="xsa362-linux-2.patch" Content-Disposition: attachment; filename="xsa362-linux-2.patch" Content-Transfer-Encoding: base64 RnJvbTogSmFuIEJldWxpY2ggPGpiZXVsaWNoQHN1c2UuY29tPgpTdWJqZWN0 OiB4ZW4tbmV0YmFjazogZG9uJ3QgImhhbmRsZSIgZXJyb3IgYnkgQlVHKCkK CkluIHBhcnRpY3VsYXIgLUVOT01FTSBtYXkgY29tZSBiYWNrIGhlcmUsIGZy b20gc2V0X2ZvcmVpZ25fcDJtX21hcHBpbmcoKS4KRG9uJ3QgbWFrZSBwcm9i bGVtcyB3b3JzZSwgdGhlIG1vcmUgdGhhdCBoYW5kbGluZyBlbHNld2hlcmUg KHRvZ2V0aGVyCndpdGggbWFwJ3Mgc3RhdHVzIGZpZWxkcyBub3cgaW5kaWNh dGluZyB3aGV0aGVyIGEgbWFwcGluZyB3YXNuJ3QgZXZlbgphdHRlbXB0ZWQs IGFuZCBoZW5jZSBoYXMgdG8gYmUgY29uc2lkZXJlZCBmYWlsZWQpIGRvZXNu J3QgcmVxdWlyZSB0aGlzCm9kZCB3YXkgb2YgZGVhbGluZyB3aXRoIGVycm9y cy4KClRoaXMgaXMgcGFydCBvZiBYU0EtMzYyLgoKU2lnbmVkLW9mZi1ieTog SmFuIEJldWxpY2ggPGpiZXVsaWNoQHN1c2UuY29tPgpDYzogc3RhYmxlQHZn ZXIua2VybmVsLm9yZwpSZXZpZXdlZC1ieTogSnVlcmdlbiBHcm9zcyA8amdy b3NzQHN1c2UuY29tPgoKLS0tIGEvZHJpdmVycy9uZXQveGVuLW5ldGJhY2sv bmV0YmFjay5jCisrKyBiL2RyaXZlcnMvbmV0L3hlbi1uZXRiYWNrL25ldGJh Y2suYwpAQCAtMTM0MiwxMyArMTM0MiwxMSBAQCBpbnQgeGVudmlmX3R4X2Fj dGlvbihzdHJ1Y3QgeGVudmlmX3F1ZXVlCiAJCXJldHVybiAwOwogCiAJZ250 dGFiX2JhdGNoX2NvcHkocXVldWUtPnR4X2NvcHlfb3BzLCBucl9jb3BzKTsK LQlpZiAobnJfbW9wcyAhPSAwKSB7CisJaWYgKG5yX21vcHMgIT0gMCkKIAkJ cmV0ID0gZ250dGFiX21hcF9yZWZzKHF1ZXVlLT50eF9tYXBfb3BzLAogCQkJ CSAgICAgIE5VTEwsCiAJCQkJICAgICAgcXVldWUtPnBhZ2VzX3RvX21hcCwK IAkJCQkgICAgICBucl9tb3BzKTsKLQkJQlVHX09OKHJldCk7Ci0JfQogCiAJ d29ya19kb25lID0geGVudmlmX3R4X3N1Ym1pdChxdWV1ZSk7CiAK --=separator Content-Type: application/octet-stream; name="xsa362-linux-3.patch" Content-Disposition: attachment; filename="xsa362-linux-3.patch" Content-Transfer-Encoding: base64 RnJvbTogSmFuIEJldWxpY2ggPGpiZXVsaWNoQHN1c2UuY29tPgpTdWJqZWN0 OiB4ZW4tc2NzaWJhY2s6IGRvbid0ICJoYW5kbGUiIGVycm9yIGJ5IEJVRygp CgpJbiBwYXJ0aWN1bGFyIC1FTk9NRU0gbWF5IGNvbWUgYmFjayBoZXJlLCBm cm9tIHNldF9mb3JlaWduX3AybV9tYXBwaW5nKCkuCkRvbid0IG1ha2UgcHJv YmxlbXMgd29yc2UsIHRoZSBtb3JlIHRoYXQgaGFuZGxpbmcgZWxzZXdoZXJl ICh0b2dldGhlcgp3aXRoIG1hcCdzIHN0YXR1cyBmaWVsZHMgbm93IGluZGlj YXRpbmcgd2hldGhlciBhIG1hcHBpbmcgd2Fzbid0IGV2ZW4KYXR0ZW1wdGVk LCBhbmQgaGVuY2UgaGFzIHRvIGJlIGNvbnNpZGVyZWQgZmFpbGVkKSBkb2Vz bid0IHJlcXVpcmUgdGhpcwpvZGQgd2F5IG9mIGRlYWxpbmcgd2l0aCBlcnJv cnMuCgpUaGlzIGlzIHBhcnQgb2YgWFNBLTM2Mi4KClNpZ25lZC1vZmYtYnk6 IEphbiBCZXVsaWNoIDxqYmV1bGljaEBzdXNlLmNvbT4KQ2M6IHN0YWJsZUB2 Z2VyLmtlcm5lbC5vcmcKUmV2aWV3ZWQtYnk6IEp1ZXJnZW4gR3Jvc3MgPGpn cm9zc0BzdXNlLmNvbT4KCi0tLSBhL2RyaXZlcnMveGVuL3hlbi1zY3NpYmFj ay5jCisrKyBiL2RyaXZlcnMveGVuL3hlbi1zY3NpYmFjay5jCkBAIC0zODYs MTIgKzM4NiwxMiBAQCBzdGF0aWMgaW50IHNjc2liYWNrX2dudHRhYl9kYXRh X21hcF9iYXRjCiAJCXJldHVybiAwOwogCiAJZXJyID0gZ250dGFiX21hcF9y ZWZzKG1hcCwgTlVMTCwgcGcsIGNudCk7Ci0JQlVHX09OKGVycik7CiAJZm9y IChpID0gMDsgaSA8IGNudDsgaSsrKSB7CiAJCWlmICh1bmxpa2VseShtYXBb aV0uc3RhdHVzICE9IEdOVFNUX29rYXkpKSB7CiAJCQlwcl9lcnIoImludmFs aWQgYnVmZmVyIC0tIGNvdWxkIG5vdCByZW1hcCBpdFxuIik7CiAJCQltYXBb aV0uaGFuZGxlID0gU0NTSUJBQ0tfSU5WQUxJRF9IQU5ETEU7Ci0JCQllcnIg PSAtRU5PTUVNOworCQkJaWYgKCFlcnIpCisJCQkJZXJyID0gLUVOT01FTTsK IAkJfSBlbHNlIHsKIAkJCWdldF9wYWdlKHBnW2ldKTsKIAkJfQo= --=separator-- From xen-announce-bounces@lists.xenproject.org Thu Feb 18 11:48:02 2021 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 18 Feb 2021 11:48:02 +0000 Received: from list by lists.xenproject.org with outflank-mailman.86552.162691 (Exim 4.92) (envelope-from ) id 1lChmV-0000Tu-JK; Thu, 18 Feb 2021 11:47:39 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 86552.162691; Thu, 18 Feb 2021 11:47:39 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1lChmV-0000Tm-F3; Thu, 18 Feb 2021 11:47:39 +0000 Received: by outflank-mailman (input) for mailman id 86552; Thu, 18 Feb 2021 11:47:37 +0000 Received: from all-amaz-eas1.inumbo.com ([34.197.232.57] helo=us1-amaz-eas2.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1lChmT-0000Mp-Cl for xen-announce@lists.xen.org; Thu, 18 Feb 2021 11:47:37 +0000 Received: from mail.xenproject.org (unknown [104.130.215.37]) by us1-amaz-eas2.inumbo.com (Halon) with ESMTPS id 98c26d30-926e-4a86-8b2e-550b9188d054; Thu, 18 Feb 2021 11:47:21 +0000 (UTC) Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1lChm8-0004oj-9n; Thu, 18 Feb 2021 11:47:16 +0000 Received: from gdunlap by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1lChm8-0008V9-8E; Thu, 18 Feb 2021 11:47:16 +0000 X-BeenThere: xen-announce@lists.xenproject.org List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-announce-bounces@lists.xenproject.org Precedence: list Sender: "Xen-announce" X-Inumbo-ID: 98c26d30-926e-4a86-8b2e-550b9188d054 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:CC:From:To:MIME-Version: Content-Transfer-Encoding:Content-Type; bh=qAwJ86xNj6iy18bFGlL0Zzk4WSB6wYKH7ThjA2nJMbc=; b=bcGgWZH0tqptJxUlJZbVCtjYcp LFW4FUt251tKzjm4otY0GBQoMCyB8XyeeY6drDkaC+tshsCnldctbYVNIh9loeP0DKpWCDANAOodX G0/IwRq008RCT+2y99kvrhTMeWI2hWWfildC8sQFJigWFEOPpQoZPIOGc06X1dkvPXD8=; Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.509 (Entity 5.509) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team CC: Xen.org security team Subject: Xen Security Advisory 366 v1 - missed flush in XSA-321 backport Message-Id: Date: Thu, 18 Feb 2021 11:47:16 +0000 --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory XSA-366 missed flush in XSA-321 backport ISSUE DESCRIPTION ================= An oversight was made when backporting XSA-320, leading entries in the IOMMU not being properly updated under certain circumstances. IMPACT ====== A malicious guest may be able to retain read/write DMA access to frames returned to Xen's free pool, and later reused for another purpose. Host crashes (leading to a Denial of Service) and privilege escalation cannot be ruled out. VULNERABLE SYSTEMS ================== Xen versions up to 4.11, from at least 3.2 onwards, are affected. Xen versions 4.12 and newer are not affected. Only x86 Intel systems are affected. x86 AMD as well as Arm systems are not affected. Only x86 HVM guests using hardware assisted paging (HAP), having a passed through PCI device assigned, and having page table sharing enabled can leverage the vulnerability. Note that page table sharing will be enabled (by default) only if Xen considers IOMMU and CPU large page size support compatible. MITIGATION ========== Suppressing the use of page table sharing will avoid the vulnerability (command line option "iommu=no-sharept"). Suppressing the use of large HAP pages will avoid the vulnerability (command line options "hap_2mb=no hap_1gb=no"). Not passing through PCI devices to HVM guests will avoid the vulnerability. CREDITS ======= This issue was reported as a bug by M. Vefa Bicakci, and recognized as a security issue by Roger Pau Monne of Citrix. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. Note that patches for released versions are generally prepared to apply to the stable branches, and may not apply cleanly to the most recent release tarball. Downstreams are encouraged to update to the tip of the stable branch before applying these patches. xsa366-4.11.patch Xen 4.11.x $ sha256sum xsa366* 3131c9487b9446655e2e21df4ccf1e003bec471881396d7b2b1a0939f5cbae96 xsa366.meta 8c8c18ca8425e6167535c3cf774ffeb9dcb4572e81c8d2ff4a73fefede2d4d94 xsa366-4.11.patch $ NOTE REGARDING LACK OF EMBARGO ============================== This was reported and debugged publicly, before the security implications were apparent. -----BEGIN PGP SIGNATURE----- iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmAuU5EMHHBncEB4ZW4u b3JnAAoJEIP+FMlX6CvZMCkIAKq1dU6xOMN3lFqY6LeIV+Pn+JQDvJKhDT+lJT9b KAP+a44ks5bHHSD6CPyiq5boU5APE7yqiyJnXBycXVDLH6GGjh7uBvc6A00YkeHU y08l8jxa6/FAyrvCj5P0pYItALwH0NZDtfUE57ueloYUu3KJnyBRtl9icvx/sCa9 CUkpKDpS0te+Rk+G57UPDjGvSPwpIh01vphJ5tyf+2Lrk8rsHTJYWQ7eD8A09jCr DtSD6FylzEuGGY30vPGLUzXgOm8Nji/WgnXnmmbILCEo8PQs3CcoxN53/F8cYvr6 NRERHKZFhHoLmUUCImoFcApxzzdt11USDnCdEXiAkrEOYsk= =w9OA -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa366.meta" Content-Disposition: attachment; filename="xsa366.meta" Content-Transfer-Encoding: base64 ewogICJYU0EiOiAzNjYsCiAgIlN1cHBvcnRlZFZlcnNpb25zIjogWwogICAg IjQuMTEiCiAgXSwKICAiVHJlZXMiOiBbCiAgICAieGVuIgogIF0sCiAgIlJl Y2lwZXMiOiB7CiAgICAiNC4xMSI6IHsKICAgICAgIlJlY2lwZXMiOiB7CiAg ICAgICAgInhlbiI6IHsKICAgICAgICAgICJTdGFibGVSZWYiOiAiODBjYWQ1 ODRmYjRjMjU5OWFlMTc0MjI2ZTJjOTEzYmIyM2RmM2JmYSIsCiAgICAgICAg ICAiUHJlcmVxcyI6IFtdLAogICAgICAgICAgIlBhdGNoZXMiOiBbCiAgICAg ICAgICAgICJ4c2EzNjYtNC4xMS5wYXRjaCIKICAgICAgICAgIF0KICAgICAg ICB9CiAgICAgIH0KICAgIH0KICB9Cn0= --=separator Content-Type: application/octet-stream; name="xsa366-4.11.patch" Content-Disposition: attachment; filename="xsa366-4.11.patch" Content-Transfer-Encoding: base64 RnJvbTogUm9nZXIgUGF1IE1vbm5lIDxyb2dlci5wYXVAY2l0cml4LmNvbT4K U3ViamVjdDogeDg2L2VwdDogZml4IG1pc3NpbmcgSU9NTVUgZmx1c2ggaW4g YXRvbWljX3dyaXRlX2VwdF9lbnRyeQoKQmFja3BvcnQgb2YgWFNBLTMyMSBt aXNzZWQgYSBmbHVzaCBpbiBhdG9taWNfd3JpdGVfZXB0X2VudHJ5IHdoZW4K bGV2ZWwgd2FzIGRpZmZlcmVudCB0aGFuIDAuIFN1Y2ggb21pc3Npb24gd2ls bCB1bmRlcm1pbmUgdGhlIGZpeCBmb3IKWFNBLTMyMSwgYmVjYXVzZSBwYWdl IHRhYmxlIGVudHJpZXMgY2FjaGVkIGluIHRoZSBJT01NVSBjYW4gZ2V0IG91 dApvZiBzeW5jIGFuZCBjb250YWluIHN0YWxlIGVudHJpZXMuCgpGaXggdGhp cyBieSBzbGlnaHRseSByZS1hcnJhbmdpbmcgdGhlIGNvZGUgdG8gcHJldmVu dCB0aGUgZWFybHkgcmV0dXJuCndoZW4gbGV2ZWwgaXMgZGlmZmVyZW50IHRo YXQgMC4gTm90ZSB0aGF0IHRoZSBlYXJseSByZXR1cm4gaXMganVzdCBhbgpv cHRpbWl6YXRpb24gYmVjYXVzZSBmb3JlaWduIGVudHJpZXMgY2Fubm90IGhh dmUgbGV2ZWwgPiAwLgoKVGhpcyBpcyBYU0EtMzY2LgoKUmVwb3J0ZWQtYnk6 IE0uIFZlZmEgQmljYWtjaSA8bS52LmJAcnVuYm94LmNvbT4KU2lnbmVkLW9m Zi1ieTogUm9nZXIgUGF1IE1vbm7DqSA8cm9nZXIucGF1QGNpdHJpeC5jb20+ ClJldmlld2VkLWJ5OiBKYW4gQmV1bGljaCA8amJldWxpY2hAc3VzZS5jb20+ Ci0tLQogeGVuL2FyY2gveDg2L21tL3AybS1lcHQuYyB8IDcgKy0tLS0tLQog MSBmaWxlIGNoYW5nZWQsIDEgaW5zZXJ0aW9uKCspLCA2IGRlbGV0aW9ucygt KQoKZGlmZiAtLWdpdCBhL3hlbi9hcmNoL3g4Ni9tbS9wMm0tZXB0LmMgYi94 ZW4vYXJjaC94ODYvbW0vcDJtLWVwdC5jCmluZGV4IDAzNjc3MWY0M2MuLmZk ZTJmNWY3ZTMgMTAwNjQ0Ci0tLSBhL3hlbi9hcmNoL3g4Ni9tbS9wMm0tZXB0 LmMKKysrIGIveGVuL2FyY2gveDg2L21tL3AybS1lcHQuYwpAQCAtNTMsMTIg KzUzLDcgQEAgc3RhdGljIGludCBhdG9taWNfd3JpdGVfZXB0X2VudHJ5KGVw dF9lbnRyeV90ICplbnRyeXB0ciwgZXB0X2VudHJ5X3QgbmV3LAogICAgIGJv b2xfdCBjaGVja19mb3JlaWduID0gKG5ldy5tZm4gIT0gZW50cnlwdHItPm1m biB8fAogICAgICAgICAgICAgICAgICAgICAgICAgICAgIG5ldy5zYV9wMm10 ICE9IGVudHJ5cHRyLT5zYV9wMm10KTsKIAotICAgIGlmICggbGV2ZWwgKQot ICAgIHsKLSAgICAgICAgQVNTRVJUKCFpc19lcHRlX3N1cGVycGFnZSgmbmV3 KSB8fCAhcDJtX2lzX2ZvcmVpZ24obmV3LnNhX3AybXQpKTsKLSAgICAgICAg d3JpdGVfYXRvbWljKCZlbnRyeXB0ci0+ZXB0ZSwgbmV3LmVwdGUpOwotICAg ICAgICByZXR1cm4gMDsKLSAgICB9CisgICAgQVNTRVJUKCFsZXZlbCB8fCAh aXNfZXB0ZV9zdXBlcnBhZ2UoJm5ldykgfHwgIXAybV9pc19mb3JlaWduKG5l dy5zYV9wMm10KSk7CiAKICAgICBpZiAoIHVubGlrZWx5KHAybV9pc19mb3Jl aWduKG5ldy5zYV9wMm10KSkgKQogICAgIHsK --=separator-- From xen-announce-bounces@lists.xenproject.org Tue Feb 23 16:37:53 2021 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 23 Feb 2021 16:37:53 +0000 Received: from list by lists.xenproject.org with outflank-mailman.88906.167356 (Exim 4.92) (envelope-from ) id 1lEagk-0000TG-Pj; Tue, 23 Feb 2021 16:37:30 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 88906.167356; Tue, 23 Feb 2021 16:37:30 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1lEagk-0000T7-Lm; Tue, 23 Feb 2021 16:37:30 +0000 Received: by outflank-mailman (input) for mailman id 88906; Tue, 23 Feb 2021 16:37:28 +0000 Received: from all-amaz-eas1.inumbo.com ([34.197.232.57] helo=us1-amaz-eas2.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1lEagi-0000NY-Sd for xen-announce@lists.xen.org; Tue, 23 Feb 2021 16:37:28 +0000 Received: from mail.xenproject.org (unknown [104.130.215.37]) by us1-amaz-eas2.inumbo.com (Halon) with ESMTPS id b1d8a33d-122f-4862-9164-9e8b412781fa; Tue, 23 Feb 2021 16:37:14 +0000 (UTC) Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1lEagN-0007HJ-Gl; Tue, 23 Feb 2021 16:37:07 +0000 Received: from iwj by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1lEagN-0005TY-Eq; Tue, 23 Feb 2021 16:37:07 +0000 X-BeenThere: xen-announce@lists.xenproject.org List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-announce-bounces@lists.xenproject.org Precedence: list Sender: "Xen-announce" X-Inumbo-ID: b1d8a33d-122f-4862-9164-9e8b412781fa DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:CC:From:To:MIME-Version: Content-Transfer-Encoding:Content-Type; bh=ZVKCACDsa88A+J2oOVB0FQlmNUn9GbX8Js0ggX9rhno=; b=4xAMLjnvN7z2GsUYt2gylMU/d3 t0UDA9v/XLyQ/WnKNPWWUBppja+J7Ci2nu4Mc+WZ7ozb9Z+PPcjPfIDlisZwVqIT9v1MrsyFhrN3F WHFqe3f5ZCx+6peklvNXnB/DEU1MDoc8ca5nNZrg+MzvbSmtwWVpACK2+T1T4PYaXeN8=; Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.509 (Entity 5.509) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team CC: Xen.org security team Subject: Xen Security Advisory 366 v2 (CVE-2021-27379) - missed flush in XSA-321 backport Message-Id: Date: Tue, 23 Feb 2021 16:37:07 +0000 --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory CVE-2021-27379 / XSA-366 version 2 missed flush in XSA-321 backport UPDATES IN VERSION 2 ==================== CVE assigned. Fixed erroneous reference to XSA-320; should have read XSA-321. ISSUE DESCRIPTION ================= An oversight was made when backporting XSA-321, leading entries in the IOMMU not being properly updated under certain circumstances. IMPACT ====== A malicious guest may be able to retain read/write DMA access to frames returned to Xen's free pool, and later reused for another purpose. Host crashes (leading to a Denial of Service) and privilege escalation cannot be ruled out. VULNERABLE SYSTEMS ================== Xen versions up to 4.11, from at least 3.2 onwards, are affected. Xen versions 4.12 and newer are not affected. Only x86 Intel systems are affected. x86 AMD as well as Arm systems are not affected. Only x86 HVM guests using hardware assisted paging (HAP), having a passed through PCI device assigned, and having page table sharing enabled can leverage the vulnerability. Note that page table sharing will be enabled (by default) only if Xen considers IOMMU and CPU large page size support compatible. MITIGATION ========== Suppressing the use of page table sharing will avoid the vulnerability (command line option "iommu=no-sharept"). Suppressing the use of large HAP pages will avoid the vulnerability (command line options "hap_2mb=no hap_1gb=no"). Not passing through PCI devices to HVM guests will avoid the vulnerability. CREDITS ======= This issue was reported as a bug by M. Vefa Bicakci, and recognized as a security issue by Roger Pau Monne of Citrix. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. Note that patches for released versions are generally prepared to apply to the stable branches, and may not apply cleanly to the most recent release tarball. Downstreams are encouraged to update to the tip of the stable branch before applying these patches. xsa366-4.11.patch Xen 4.11.x $ sha256sum xsa366* 3131c9487b9446655e2e21df4ccf1e003bec471881396d7b2b1a0939f5cbae96 xsa366.meta 8c8c18ca8425e6167535c3cf774ffeb9dcb4572e81c8d2ff4a73fefede2d4d94 xsa366-4.11.patch $ NOTE REGARDING LACK OF EMBARGO ============================== This was reported and debugged publicly, before the security implications were apparent. -----BEGIN PGP SIGNATURE----- iQE/BAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmA1Lx4MHHBncEB4ZW4u b3JnAAoJEIP+FMlX6CvZXRkH+MsCFrh/HOCaqzbdlT46sZBSS3B7wMjaCt4WtB8z MKxRY013/MMi7xbOhMvLE/qEtT8cdkOykxac9WjMnAPk2NQE3L3uRvoWsS8cYLa6 39RklCw0o/0YTsiY4bB5X1jI+8dBZxt4QPYl1YQqsLOHTlSJFix2Vm6w/K8+BZt9 ceS58GEoAawwlkVXdSH2115rSVRoBUZqgHCkPIc6eOjAmXCPL++8uUToWWhiROWD Ic0STLsf/Rt44G71rPh8GoFdncIBULcPlp1LbxCUEzRVhdmeb1/shs79vsIk0Z3l c2oHzypyS15p/kdQbulGTXDFq933C4ELtjrY/HwPumJSdg== =er6n -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa366.meta" Content-Disposition: attachment; filename="xsa366.meta" Content-Transfer-Encoding: base64 ewogICJYU0EiOiAzNjYsCiAgIlN1cHBvcnRlZFZlcnNpb25zIjogWwogICAg IjQuMTEiCiAgXSwKICAiVHJlZXMiOiBbCiAgICAieGVuIgogIF0sCiAgIlJl Y2lwZXMiOiB7CiAgICAiNC4xMSI6IHsKICAgICAgIlJlY2lwZXMiOiB7CiAg ICAgICAgInhlbiI6IHsKICAgICAgICAgICJTdGFibGVSZWYiOiAiODBjYWQ1 ODRmYjRjMjU5OWFlMTc0MjI2ZTJjOTEzYmIyM2RmM2JmYSIsCiAgICAgICAg ICAiUHJlcmVxcyI6IFtdLAogICAgICAgICAgIlBhdGNoZXMiOiBbCiAgICAg ICAgICAgICJ4c2EzNjYtNC4xMS5wYXRjaCIKICAgICAgICAgIF0KICAgICAg ICB9CiAgICAgIH0KICAgIH0KICB9Cn0= --=separator Content-Type: application/octet-stream; name="xsa366-4.11.patch" Content-Disposition: attachment; filename="xsa366-4.11.patch" Content-Transfer-Encoding: base64 RnJvbTogUm9nZXIgUGF1IE1vbm5lIDxyb2dlci5wYXVAY2l0cml4LmNvbT4K U3ViamVjdDogeDg2L2VwdDogZml4IG1pc3NpbmcgSU9NTVUgZmx1c2ggaW4g YXRvbWljX3dyaXRlX2VwdF9lbnRyeQoKQmFja3BvcnQgb2YgWFNBLTMyMSBt aXNzZWQgYSBmbHVzaCBpbiBhdG9taWNfd3JpdGVfZXB0X2VudHJ5IHdoZW4K bGV2ZWwgd2FzIGRpZmZlcmVudCB0aGFuIDAuIFN1Y2ggb21pc3Npb24gd2ls bCB1bmRlcm1pbmUgdGhlIGZpeCBmb3IKWFNBLTMyMSwgYmVjYXVzZSBwYWdl IHRhYmxlIGVudHJpZXMgY2FjaGVkIGluIHRoZSBJT01NVSBjYW4gZ2V0IG91 dApvZiBzeW5jIGFuZCBjb250YWluIHN0YWxlIGVudHJpZXMuCgpGaXggdGhp cyBieSBzbGlnaHRseSByZS1hcnJhbmdpbmcgdGhlIGNvZGUgdG8gcHJldmVu dCB0aGUgZWFybHkgcmV0dXJuCndoZW4gbGV2ZWwgaXMgZGlmZmVyZW50IHRo YXQgMC4gTm90ZSB0aGF0IHRoZSBlYXJseSByZXR1cm4gaXMganVzdCBhbgpv cHRpbWl6YXRpb24gYmVjYXVzZSBmb3JlaWduIGVudHJpZXMgY2Fubm90IGhh dmUgbGV2ZWwgPiAwLgoKVGhpcyBpcyBYU0EtMzY2LgoKUmVwb3J0ZWQtYnk6 IE0uIFZlZmEgQmljYWtjaSA8bS52LmJAcnVuYm94LmNvbT4KU2lnbmVkLW9m Zi1ieTogUm9nZXIgUGF1IE1vbm7DqSA8cm9nZXIucGF1QGNpdHJpeC5jb20+ ClJldmlld2VkLWJ5OiBKYW4gQmV1bGljaCA8amJldWxpY2hAc3VzZS5jb20+ Ci0tLQogeGVuL2FyY2gveDg2L21tL3AybS1lcHQuYyB8IDcgKy0tLS0tLQog MSBmaWxlIGNoYW5nZWQsIDEgaW5zZXJ0aW9uKCspLCA2IGRlbGV0aW9ucygt KQoKZGlmZiAtLWdpdCBhL3hlbi9hcmNoL3g4Ni9tbS9wMm0tZXB0LmMgYi94 ZW4vYXJjaC94ODYvbW0vcDJtLWVwdC5jCmluZGV4IDAzNjc3MWY0M2MuLmZk ZTJmNWY3ZTMgMTAwNjQ0Ci0tLSBhL3hlbi9hcmNoL3g4Ni9tbS9wMm0tZXB0 LmMKKysrIGIveGVuL2FyY2gveDg2L21tL3AybS1lcHQuYwpAQCAtNTMsMTIg KzUzLDcgQEAgc3RhdGljIGludCBhdG9taWNfd3JpdGVfZXB0X2VudHJ5KGVw dF9lbnRyeV90ICplbnRyeXB0ciwgZXB0X2VudHJ5X3QgbmV3LAogICAgIGJv b2xfdCBjaGVja19mb3JlaWduID0gKG5ldy5tZm4gIT0gZW50cnlwdHItPm1m biB8fAogICAgICAgICAgICAgICAgICAgICAgICAgICAgIG5ldy5zYV9wMm10 ICE9IGVudHJ5cHRyLT5zYV9wMm10KTsKIAotICAgIGlmICggbGV2ZWwgKQot ICAgIHsKLSAgICAgICAgQVNTRVJUKCFpc19lcHRlX3N1cGVycGFnZSgmbmV3 KSB8fCAhcDJtX2lzX2ZvcmVpZ24obmV3LnNhX3AybXQpKTsKLSAgICAgICAg d3JpdGVfYXRvbWljKCZlbnRyeXB0ci0+ZXB0ZSwgbmV3LmVwdGUpOwotICAg ICAgICByZXR1cm4gMDsKLSAgICB9CisgICAgQVNTRVJUKCFsZXZlbCB8fCAh aXNfZXB0ZV9zdXBlcnBhZ2UoJm5ldykgfHwgIXAybV9pc19mb3JlaWduKG5l dy5zYV9wMm10KSk7CiAKICAgICBpZiAoIHVubGlrZWx5KHAybV9pc19mb3Jl aWduKG5ldy5zYV9wMm10KSkgKQogICAgIHsK --=separator--