[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-devel] Xen Security Advisory 308 v3 (CVE-2019-19583) - VMX: VMentry failure with debug exceptions and blocked states
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory CVE-2019-19583 / XSA-308 version 3 VMX: VMentry failure with debug exceptions and blocked states UPDATES IN VERSION 3 ==================== Public release. Updated metadata to add 4.13, update StableRef's ISSUE DESCRIPTION ================= Please see XSA-260 for background on the MovSS shadow: http://xenbits.xen.org/xsa/advisory-260.html Please see XSA-156 for background on the need for #DB interception: http://xenbits.xen.org/xsa/advisory-156.html The VMX VMEntry checks does not like the exact combination of state which occurs when #DB in intercepted, Single Stepping is active, and blocked by STI/MovSS is active, despite this being a legitimate state to be in. The resulting VMEntry failure is fatal to the guest. IMPACT ====== HVM/PVH guest userspace code may be able to crash the guest, resulting in a guest Denial of Service. VULNERABLE SYSTEMS ================== All versions of Xen are affected. Only systems supporting VMX hardware virtual extensions (Intel, Cyrix or Zhaoxin CPUs) are affected. Arm and AMD systems are unaffected. Only HVM/PVH guests are affected. PV guests cannot leverage the vulnerability. MITIGATION ========== Running only PV guests will avoid this vulnerability. Running HVM guests on only AMD hardware will also avoid this vulnerability. CREDITS ======= This issue was discovered by Håkon Alstadheim and diagnosed as a security issue by Andrew Cooper of Citrix. RESOLUTION ========== Applying the attached patch resolves this issue. xsa308.patch xen-unstable, Xen 4.13.x .. Xen 4.8.x $ sha256sum xsa308* 4aa06d21478d9debb12388ff14d8abc31982e18895db40d0cec78fcc9fe68ef2 xsa308.meta 7e782b09b16f7534c8db52042f7bb3bd730d108571c8b10af184ae0b02fdae9d xsa308.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. -----BEGIN PGP SIGNATURE----- iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAl3w3FsMHHBncEB4ZW4u b3JnAAoJEIP+FMlX6CvZWHwIAIfuiZE/IyxMwTAkZL3EugBnlxxHodoBuj6imn+n c9DvMk3TCi3vSgvZQtVpP0eNuuLN5285hVyI95lRE0LTmtRLc7jATktStRTgGkua znW8U1sqkVRWJcVuN4uAM2zIY60pMZnFjZxdJW12+wpcA13LInE1cDWnlRv+cdD9 7DtVkGUWXjfbcm3KXGZw8YpKvTgVp983VpywR/1lzXZ+MexWzKuEco8fZFayw0ne 3nT/23Y1ofjCflNFjc7HoeJZl+zy493J/rqHS8yYI3d4vTdIfjue3rZ/X6305el9 zjCG5zXygrWVAoKGWVnPZweX1jw8rd6BlsPTqQb53UH94zc= =yTxW -----END PGP SIGNATURE----- Attachment:
xsa308.meta Attachment:
xsa308.patch _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxxx https://lists.xenproject.org/mailman/listinfo/xen-devel
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |