[Xen-devel] Xen Security Advisory 240 - Unlimited recursion in linear pagetable de-typing
                    Xen Security Advisory XSA-240
                              version 3

          Unlimited recursion in linear pagetable de-typing

UPDATES IN VERSION 3
====================

Re-base unstable patch to avoid it applying only with fuzz.

Public release.

ISSUE DESCRIPTION
=================

x86 PV guests are permitted to set up certain forms of what is often
called "linear page tables", where pagetables contain references to
other pagetables at the same level or higher.  Certain restrictions
apply in order to fit into Xen's page type handling system.  An
important restriction was missed, however: Stacking multiple layers of
page tables of the same level on top of one another is not very useful,
and the tearing down of such an arrangement involves recursion.  With
sufficiently many layers such recursion will result in a stack
overflow, commonly causing Xen to crash.

IMPACT
======

A malicious or buggy PV guest may cause the hypervisor to crash,
resulting in Denial of Service (DoS) affecting the entire host.
Privilege escalation and information leaks cannot be excluded.

VULNERABLE SYSTEMS
==================

All Xen versions from at least 3.2 onwards are vulnerable.  Earlier
versions have not been checked.

Only x86 systems are affected.  ARM systems are not affected.

Only x86 PV guests can leverage the vulnerability.  x86 HVM guests
cannot leverage the vulnerability.

MITIGATION
==========

Running only HVM guests will avoid this vulnerability.

For PV guests, the vulnerability can be avoided if the guest kernel is
controlled by the host rather than guest administrator, provided that
further steps are taken to prevent the guest administrator from loading
code into the kernel (e.g. by disabling loadable modules etc) or from
using other mechanisms which allow them to run code at kernel privilege.

CREDITS
=======

This issue was discovered by Jann Horn of Google Project Zero.

RESOLUTION
==========

Applying the appropriate attached patch series resolves this issue.

The first patch fixes this known issue.

The second patch in each series disables the `linear pagetable` option
by default.  It can be re-enabled by adding "pv-linear-pt=true" on the
Xen command-line.

Note that neither Linux nor MiniOS use linear pagetables; NetBSD and
Novell Netware, however, do use this feature when running in PV mode.

xsa240-unstable/*.patch   xen-unstable
xsa240-4.9/*.patch        Xen 4.9.x
xsa240-4.8/*.patch        Xen 4.8.x
xsa240-4.7/*.patch        Xen 4.7.x
xsa240-4.6/*.patch        Xen 4.6.x
xsa240-4.5/*.patch        Xen 4.5.x

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decision-making.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
Attachments:
  xsa240.meta
  xsa240-unstable/0001-x86-limit-linear-page-table-use-to-a-single-level.patch
  xsa240-unstable/0002-x86-mm-Disable-PV-linear-pagetables-by-default.patch
  xsa240-4.5/0001-x86-limit-linear-page-table-use-to-a-single-level.patch
  xsa240-4.5/0002-x86-mm-Disable-PV-linear-pagetables-by-default.patch
  xsa240-4.6/0001-x86-limit-linear-page-table-use-to-a-single-level.patch
  xsa240-4.6/0002-x86-mm-Disable-PV-linear-pagetables-by-default.patch
  xsa240-4.7/0001-x86-limit-linear-page-table-use-to-a-single-level.patch
  xsa240-4.7/0002-x86-mm-Disable-PV-linear-pagetables-by-default.patch
  xsa240-4.8/0001-x86-limit-linear-page-table-use-to-a-single-level.patch
  xsa240-4.8/0002-x86-mm-Disable-PV-linear-pagetables-by-default.patch
  xsa240-4.9/0001-x86-limit-linear-page-table-use-to-a-single-level.patch
  xsa240-4.9/0002-x86-mm-Disable-PV-linear-pagetables-by-default.patch
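The issue description and the title of the first patch ("limit linear page table use to a single level") can be illustrated with a toy model; this is an added example, not code from the advisory or from Xen. The struct, the function names and the rule as coded (a table that is already mapped linearly may not itself map another, and vice versa) are assumptions made for illustration.

```c
#include <stdio.h>
#define NTABLES 64
/* Toy model of same-level page tables; names are hypothetical, not Xen's. */
struct table {
    int maps;      /* same-level table mapped by this one, or -1 */
    int mapped_by; /* number of other tables mapping this one */
};

/* Install a linear entry from -> to. With single_level set, refuse an entry
 * that would put a third table into a chain. Returns 0 on success. */
static int add_linear(struct table *t, int from, int to, int single_level)
{
    if (t[from].maps != -1)
        return -1; /* the model keeps one linear entry per table */
    if (single_level && from != to && (t[from].mapped_by || t[to].maps != -1))
        return -1; /* would stack a second layer */
    t[from].maps = to;
    if (from != to)
        t[to].mapped_by++;
    return 0;
}

/* Release table idx and, recursively, what it maps; returns depth reached. */
static int detype(struct table *t, int idx)
{
    int next = t[idx].maps;
    t[idx].maps = -1;
    if (next == -1 || next == idx || --t[next].mapped_by > 0)
        return 1;
    return 1 + detype(t, next);
}

/* Try to build 0 -> 1 -> ... -> n-1, then tear down from table 0. */
static int chain_depth(int n, int single_level)
{
    struct table t[NTABLES];
    if (n < 1 || n > NTABLES)
        return -1;
    for (int i = 0; i < n; i++)
        t[i] = (struct table){ .maps = -1, .mapped_by = 0 };
    for (int i = 0; i + 1 < n; i++)
        add_linear(t, i, i + 1, single_level);
    return detype(t, 0);
}

int main(void)
{
    printf("%d vs %d\n", chain_depth(NTABLES, 0), chain_depth(NTABLES, 1));
    return 0;
}
```

Without the check, teardown depth grows with the number of stacked tables, which is chosen by whoever builds the chain; with it, depth is bounded by a constant regardless of how many tables are supplied.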