[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Xen Security Advisory 328 v3 (CVE-2020-15567) - non-atomic modification of live EPT PTE



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2020-15567 / XSA-328
                               version 3

                non-atomic modification of live EPT PTE

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

When mapping guest EPT (nested paging) tables, Xen would in some
circumstances use a series of non-atomic bitfield writes.

Depending on the compiler version and optimisation flags, Xen might
expose a dangerous partially-written PTE to the hardware, which an
attacker might be able to race to exploit.

IMPACT
======

A guest administrator or perhaps even unprivileged guest user might
be able to cause denial of service, data corruption, or privilege
escalation.

VULNERABLE SYSTEMS
==================

Only systems using Intel CPUs are vulnerable.  Sytems using AMD CPUs,
and Arm systems, are not vulnerable.

Only systems using nested paging ("hap", aka nested paging, aka in
this case Intel EPT) are vulnerable.

Only HVM and PVH guests can exploit the vulnerability.

The presence and scope of the vulnerability depends on the precise
optimisations performed by the compiler used to build Xen.  If the
compiler generates (a) a single 64-bit write, or (b) a series of
read-modify-write operations which are in the same order as the source
code, the hypervisor is not vulnerable.

For example, in one test build with gcc 8.3 with normal settings, the
compiler generated multiple (unlocked) read-modify-write operations in
source code order, which did *not* constitute a vulnerability.

We have not been able to survey compilers; consequently we cannot say
which compiler(s) might produce vulnerable code (with which code
generation options).  The code clearly violates the C rules.  So we
have chosen to issue this advisory.

MITIGATION
==========

Running only PV guests will avoid this vulnerability.

Switching to shadow paging (e.g. using the "hap=0" xl domain domain
configuration file parameter) will avoid exposing the vulnerability to
those guests.

Manual inspection of the generated assembly code might allow a
suitably qualified person to say that a particular build is not
vulnerable.

There is no less broad mitigation.

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

For patch 1:
Reviewed-by: Roger Pau Monné <roger.pau@xxxxxxxxxx>

For patch 2:
From: Roger Pau Monné <roger.pau@xxxxxxxxxx>
Reported-by: Jan Beulich <jbeulich@xxxxxxxx>
Signed-off-by: Roger Pau Monné <roger.pau@xxxxxxxxxx>

RESOLUTION
==========

Applying the appropriate pair of attached patches resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa328/xsa328-?.patch        xen-unstable
xsa328/xsa328-4.13-?.patch   Xen 4.13.x
xsa328/xsa328-4.12-?.patch   Xen 4.12.x
xsa328/xsa328-4.11-?.patch   Xen 4.11.x, Xen 4.10.x
xsa328/xsa328-4.9-?.patch    Xen 4.9.x

$ sha256sum xsa328* xsa328*/*
61ceb3d039c3ebb06f480a17593b367b01e7c1e5cc3669d77caecb704fbc7071  xsa328.meta
cae53f7e6c46fe245790036279bc50eaa10e4271790e871ad8a7d446629b2e12  
xsa328/xsa328-1.patch
d61354a992869451cd7a3c92254672b5e253d1a994135cf9b4a5c784be0a07ef  
xsa328/xsa328-2.patch
018412fba6f153c1d6b03fc2fa6f3ac381060efe6a8651404462028d24c830a8  
xsa328/xsa328-4.9-1.patch
f3deb26e0ce27c385ab16065a0ba67b86a228afd949c0a6a78b9d48366fc2554  
xsa328/xsa328-4.9-2.patch
a600ecef784485e8608cd4549f756ffa24705747a4d876147f9ba64fff118580  
xsa328/xsa328-4.11-1.patch
f3deb26e0ce27c385ab16065a0ba67b86a228afd949c0a6a78b9d48366fc2554  
xsa328/xsa328-4.11-2.patch
d608921359e561f9c594c9f8f7ee02432518a229ecea638d472ab91227d705ec  
xsa328/xsa328-4.12-1.patch
a51162c019e7e6ed394faa7d40c932456059b7b76a784dc7886dd0a47c43da0b  
xsa328/xsa328-4.12-2.patch
51a41fae885aed40839887da473e0c8ab4c4d897a121f5fac2cc3c6c0188d6d2  
xsa328/xsa328-4.13-1.patch
a51162c019e7e6ed394faa7d40c932456059b7b76a784dc7886dd0a47c43da0b  
xsa328/xsa328-4.13-2.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAl8EaAIMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZi0YH/Aqd/aStpQKD3gTEuif3YBwL9YRf9q8ZxSQqgrG/
du4lABcOE87kRqaAnsVRNe3sQ1sL995O1oiRbcQPcnKqr5q34IPqMghYGJZgpupE
qfreaA6b4Uv7XFEM8Z7NTN17t9dx9Y8aLIoD8dETbFaidtKwjBsQ8fkX7tFSmXH9
YQ0he7B8Is0pGmH6EM5mM6TxqCHz2mtWDdVL4jFuLVqrt10TnNH6S4OHJkEkJcYP
rcSgqOkM7q7tBP3yDWPvlcSGgk+cijEI3AmKREMuISEmimrBpGzrosBpdh8zqbYU
MPmRwbn+luyEEOn2Y8j81EfgJR+LR1Itct1E8CU0vS2v0Gw=
=b0L/
-----END PGP SIGNATURE-----

Attachment: xsa328.meta
Description: Binary data

Attachment: xsa328/xsa328-1.patch
Description: Binary data

Attachment: xsa328/xsa328-2.patch
Description: Binary data

Attachment: xsa328/xsa328-4.9-1.patch
Description: Binary data

Attachment: xsa328/xsa328-4.9-2.patch
Description: Binary data

Attachment: xsa328/xsa328-4.11-1.patch
Description: Binary data

Attachment: xsa328/xsa328-4.11-2.patch
Description: Binary data

Attachment: xsa328/xsa328-4.12-1.patch
Description: Binary data

Attachment: xsa328/xsa328-4.12-2.patch
Description: Binary data

Attachment: xsa328/xsa328-4.13-1.patch
Description: Binary data

Attachment: xsa328/xsa328-4.13-2.patch
Description: Binary data


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.