From xen-announce-bounces@lists.xenproject.org Tue Jan 25 12:05:23 2022
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
 xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
CC: Xen.org security team <security-team-members@xen.org>
Subject: Xen Security Advisory 393 v2 (CVE-2022-23033) - arm:
 guest_physmap_remove_page not removing the p2m mappings
Message-Id: <E1nCKYs-0003Jt-US@xenbits.xenproject.org>
Date: Tue, 25 Jan 2022 12:04:34 +0000

            Xen Security Advisory CVE-2022-23033 / XSA-393
                               version 2

     arm: guest_physmap_remove_page not removing the p2m mappings

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

The functions to remove one or more entries from a guest p2m pagetable
on Arm (p2m_remove_mapping, guest_physmap_remove_page, and p2m_set_entry
with mfn set to INVALID_MFN) do not actually clear the pagetable entry
if the entry doesn't have the valid bit set.  It is possible to have a
valid pagetable entry without the valid bit set when a guest operating
system uses set/way cache maintenance instructions.  For instance, a
guest issuing a set/way cache maintenance instruction, then calling the
XENMEM_decrease_reservation hypercall to give back memory pages to Xen,
might be able to retain access to those pages even after Xen started
reusing them for other purposes.

IMPACT
======

A malicious guest may be able to access Xen and other domains' memory.
This could cause information leaks, host or domain Denial of Service
(DoS), and privilege escalations.

VULNERABLE SYSTEMS
==================

Xen versions 4.12 and newer are vulnerable.  Only Arm systems are
vulnerable.

x86 systems are not vulnerable.

MITIGATION
==========

There is no known mitigation.

CREDITS
=======

This issue was discovered by Dmytro Firsov of EPAM.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa393.patch           xen-unstable - Xen 4.12.x

$ sha256sum xsa393*
ccd746687c6080ec00ba363477d8815bc648d957c21c47d3a5330be9251806a4  xsa393.meta
89e5d66c437bacbe344e72d15720c1dde98dd97fab7184c7a6ff32bb63d442dd  xsa393.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html


From xen-announce-bounces@lists.xenproject.org Tue Jan 25 12:05:23 2022
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
 xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
CC: Xen.org security team <security-team-members@xen.org>
Subject: Xen Security Advisory 394 v3 (CVE-2022-23034) - A PV guest could
 DoS Xen while unmapping a grant
Message-Id: <E1nCKZL-0003VD-3e@xenbits.xenproject.org>
Date: Tue, 25 Jan 2022 12:05:03 +0000

            Xen Security Advisory CVE-2022-23034 / XSA-394
                               version 3

           A PV guest could DoS Xen while unmapping a grant

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

To address XSA-380, reference counting was introduced for grant
mappings for the case where a PV guest would have the IOMMU enabled. PV
guests can request two forms of mappings.  When both are in use for any
individual mapping, unmapping of such a mapping can be requested in two
steps.  The reference count for such a mapping would then mistakenly be
decremented twice.  Underflow of the counters gets detected, resulting
in the triggering of a hypervisor bug check.
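The following C model is added here and is not part of the advisory or of Xen's grant-table code. It shows the refcount lifecycle the advisory describes: a grant mapped in both forms at once takes one reference, and a two-step unmap drops that reference twice in the vulnerable version (underflow, bug check) but once in the fixed version. The two mapping forms are modelled after the grant-table ABI's host and device mapping flags; the entry, refcount and "bug check" are simplified stand-ins.

```c
/* Added model of the XSA-394 double-decrement.  Not Xen code: the maptrack
 * entry, flag names and refcount below are simplified stand-ins for
 * xen/common/grant_table.c. */
#include <stdbool.h>
#include <stdio.h>

#define MAP_HOST    (1u << 0)  /* form 1: mapped into the guest's page tables */
#define MAP_DEVICE  (1u << 1)  /* form 2: mapped for the guest's devices (IOMMU) */

/* One tracked grant mapping held by a PV guest. */
struct map_entry {
    unsigned int flags;        /* which mapping forms are currently live */
    bool handle_in_use;        /* maptrack handle not yet released */
};

/* Per-page reference count of the kind introduced for XSA-380, plus a flag
 * standing in for the hypervisor bug check that fires on underflow. */
struct page_state {
    int refcount;
    bool bug_triggered;
};

static void refcount_put(struct page_state *pg)
{
    if (pg->refcount == 0) {   /* underflow detected: BUG() in Xen */
        pg->bug_triggered = true;
        return;
    }
    pg->refcount--;
}

/* Mapping a grant, in one or both forms, takes a single reference. */
static void map_grant(struct map_entry *m, struct page_state *pg,
                      unsigned int forms)
{
    m->flags = forms;
    m->handle_in_use = true;
    pg->refcount++;
}

/* Unmap one or both forms.  Returns true when this call fully unmapped the
 * grant (handle released).  'vulnerable' selects the old behaviour: drop a
 * reference on every successful call rather than only on the final one. */
static bool unmap_grant(struct map_entry *m, struct page_state *pg,
                        unsigned int forms, bool vulnerable)
{
    bool fully_unmapped;

    m->flags &= ~forms;
    fully_unmapped = (m->flags == 0);
    if (fully_unmapped)
        m->handle_in_use = false;

    if (vulnerable || fully_unmapped)
        refcount_put(pg);
    return fully_unmapped;
}

/* Scenario from the advisory: both forms in use, unmapped in two steps.
 * Returns true if the bug check fires. */
static bool two_step_unmap_hits_bug(bool vulnerable)
{
    struct map_entry m = { 0 };
    struct page_state pg = { .refcount = 0, .bug_triggered = false };

    map_grant(&m, &pg, MAP_HOST | MAP_DEVICE);
    unmap_grant(&m, &pg, MAP_DEVICE, vulnerable);  /* vulnerable: 1 -> 0 */
    unmap_grant(&m, &pg, MAP_HOST, vulnerable);    /* vulnerable: underflow */
    return pg.bug_triggered;
}

/* Unmapping both forms in a single call stays balanced in either version;
 * returns the refcount afterwards (expected 0). */
static int single_step_unmap_refcount(bool vulnerable)
{
    struct map_entry m = { 0 };
    struct page_state pg = { .refcount = 0, .bug_triggered = false };

    map_grant(&m, &pg, MAP_HOST | MAP_DEVICE);
    unmap_grant(&m, &pg, MAP_HOST | MAP_DEVICE, vulnerable);
    return pg.refcount;
}

int main(void)
{
    printf("two-step unmap, vulnerable: bug check fired = %d\n",
           (int)two_step_unmap_hits_bug(true));
    printf("two-step unmap, fixed:      bug check fired = %d\n",
           (int)two_step_unmap_hits_bug(false));
    return 0;
}
```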

IMPACT
======

Malicious guest kernels may be able to mount a Denial of Service (DoS)
attack affecting the entire system.

VULNERABLE SYSTEMS
==================

All Xen versions from at least 3.2 onwards are vulnerable in principle,
if they have the XSA-380 fixes applied.

Only x86 systems are vulnerable.  Arm systems are not vulnerable.

Only x86 PV guests with access to PCI devices can leverage the
vulnerability.  x86 HVM and PVH guests, as well as PV guests without
access to PCI devices, cannot leverage the vulnerability.

Additionally from Xen 4.13 onwards x86 PV guests can leverage this
vulnerability only when being granted access to pages owned by another
domain.

MITIGATION
==========

Not running PV guests will avoid the vulnerability.

For Xen 4.12 and older not passing through PCI devices to PV guests will
avoid the vulnerability.

For Xen 4.13 and newer not enabling PCI device pass-through for PV
guests will avoid the vulnerability.  This can be achieved via omitting
any "passthrough=..." and "pci=..." settings from xl guest configuration
files, or by setting "passthrough=disabled" there.

From Xen 4.13 onwards, XSM SILO can be available as a security policy
designed to permit guests to only be able to communicate with Dom0.
Dom0 does not normally offer its pages for guests to map, which means
the use of SILO mode normally mitigates the vulnerability.

CREDITS
=======

This issue was discovered by Julien Grall of Amazon.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa394.patch           xen-unstable - Xen 4.13.x
xsa394-4.12.patch      Xen 4.12.x

$ sha256sum xsa394*
93f4d3b58d49ba239115753c9905b7c3720b438c48ef8fb701f15081aa317159  xsa394.meta
f2a3420e8d3eb1cf728f90d3c352ace0d3c67f7933201ce9b784d63afaeaa179  xsa394.patch
ee93797546ac9e82f98211366f9acc733332b0d5ab7ef73840c2acd2bb1439ca  xsa394-4.12.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches described above (or others which are
substantially similar) is permitted during the embargo, even on public-
facing systems with untrusted guest users and administrators.

HOWEVER, deployment of the mitigations described above is NOT permitted
during the embargo on public-facing systems with untrusted guest users
and administrators.  This is because such a configuration change is
recognizable by the affected guests.

AND: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html


From xen-announce-bounces@lists.xenproject.org Tue Jan 25 12:07:11 2022
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
 xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
CC: Xen.org security team <security-team-members@xen.org>
Subject: Xen Security Advisory 395 v2 (CVE-2022-23035) - Insufficient
 cleanup of passed-through device IRQs
Message-Id: <E1nCKZP-0003vf-6C@xenbits.xenproject.org>
Date: Tue, 25 Jan 2022 12:05:07 +0000

            Xen Security Advisory CVE-2022-23035 / XSA-395
                               version 2

          Insufficient cleanup of passed-through device IRQs

UPDATES IN VERSION 2
====================

Adjust patch subject.

Public release.

ISSUE DESCRIPTION
=================

The management of IRQs associated with physical devices exposed to x86
HVM guests involves an iterative operation in particular when cleaning
up after the guest's use of the device.  In the case where an interrupt
is not quiescent yet at the time this cleanup gets invoked, the cleanup
attempt may be scheduled to be retried.  When multiple interrupts are
involved, this scheduling of a retry may get erroneously skipped.  At
the same time pointers may get cleared (resulting in a de-reference of
NULL) and freed (resulting in a use-after-free), while other code would
continue to assume them to be valid.

IMPACT
======

The precise impact is system specific, but would typically be a Denial
of Service (DoS) affecting the entire host.  Privilege escalation and
information leaks cannot be ruled out.

VULNERABLE SYSTEMS
==================

Xen versions 4.6 and later are vulnerable.  Xen versions 4.5 and earlier
are not vulnerable.

Only x86 HVM guests with one or more passed-through physical devices
using (together) multiple physical interrupts can leverage the
vulnerability.  x86 PV guests cannot leverage the vulnerability.  x86
HVM guests without passed-through devices or with a passed-through
device using just a single physical interrupt also cannot leverage the
vulnerability.  Device pass-through is unsupported for x86 PVH guests
and all Arm guests.

MITIGATION
==========

There is no mitigation (other than not passing through to x86 HVM guests
PCI devices with, overall, more than a single physical interrupt).

CREDITS
=======

This issue was discovered by Julien Grall of Amazon.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa395.patch           xen-unstable - Xen 4.15.x
xsa395-4.14.patch      Xen 4.14.x - Xen 4.12.x

$ sha256sum xsa395*
f460be598b936bb5cfb9276787f2f21d90b029d1fe10dabd572ae50f84a1124d  xsa395.meta
295b876c52cf5efe19150757275da3d154beb72ac2d7be267e16c9262e410de3  xsa395.patch
5697f3137e0a202744f31b1c6cbcfa459d8fa9b4b68be59561b78c40fe1233c5  xsa395-4.14.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html