ESB-2019.0694 - [Virtual] Xen: Multiple vulnerabilities - 2019-03-06


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.0694
             Xen multiple vulnerabilities on x86-based systems.
                               6 March 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Xen
Publisher:         Xen
Operating System:  Xen
Platform:          x86
Impact/Access:     Increased Privileges     -- Existing Account
                   Denial of Service        -- Existing Account
                   Access Confidential Data -- Existing Account
                   Unauthorised Access      -- Existing Account
Resolution:        Patch/Upgrade

Original Bulletin: 
   http://xenbits.xen.org/xsa/advisory-287.html
   http://xenbits.xen.org/xsa/advisory-288.html
   http://xenbits.xen.org/xsa/advisory-291.html
   http://xenbits.xen.org/xsa/advisory-292.html
   http://xenbits.xen.org/xsa/advisory-293.html
   http://xenbits.xen.org/xsa/advisory-294.html

Comment: This bulletin contains six (6) Xen security advisories.
         
         Only x86 systems are vulnerable.  ARM systems are not vulnerable.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

                    Xen Security Advisory XSA-287
                              version 2

         x86: steal_page violates page_struct access discipline

UPDATES IN VERSION 2
====================

Metadata updated to remove dependency on XSA-283.

Public release.

ISSUE DESCRIPTION
=================

Xen's reference counting rules were designed to allow pages to change
owner and state without requiring a global lock.  Each page has a page
structure, and a very specific set of access disciplines must be
observed to ensure that pages are freed properly, and that no writable
mappings exist for PV pagetable pages.

Unfortunately, when the XENMEM_exchange hypercall was introduced,
these access disciplines were violated, opening up several potential
race conditions.

IMPACT
======

A single PV guest can leak arbitrary amounts of memory, leading to a
denial of service.

A cooperating pair of PV and HVM/PVH guests can get a writable
pagetable entry, leading to information disclosure or privilege
escalation.

Privilege escalation attacks using only a single PV guest or a pair of
PV guests have not been ruled out.

Note that both of these attacks require very precise timing, which may
be difficult to exploit in practice.

VULNERABLE SYSTEMS
==================

Only x86 systems are vulnerable.

Only systems which run PV guests are vulnerable.  Systems which run
only HVM/PVH guests are not vulnerable.

MITIGATION
==========

Running only HVM or PVH guests will avoid these vulnerabilities.

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa287.patch           xen-unstable
xsa287-4.11.patch      Xen 4.11.x
xsa287-4.10.patch      Xen 4.10.x
xsa287-4.9.patch       Xen 4.9.x
xsa287-4.8.patch       Xen 4.8.x
xsa287-4.7.patch       Xen 4.7.x

$ sha256sum xsa287*
ae2b9261e26df871693478629c63970ba30817ee1dcb2266b89d8b067833c1b3  xsa287.meta
7de1b886d69dd7c497f88d41adf9a6f7cf9a305fd8ae9d714e1125e2a22208ab  xsa287.patch
55f40f2f9bb41c85ac80dac775352e28b25fada80dae574e9d10300d5e2b91ce  xsa287-4.7.patch
57312ff131eb6b51235723e862adf42ad3529ed13135375875c054fa0b55f80b  xsa287-4.8.patch
34f4b835766a38bcf4066ccbab74676eda176e15ed2a6bd7884678a64507f89a  xsa287-4.9.patch
c7eaf8a325011dda84b02ee097ddbc7b5f2f4d3399de545a3a7b14e2d23f4278  xsa287-4.10.patch
6793315f714a249a4fad12b36559640b2f97f19f5b85f0d58694c6e78aa3d567  xsa287-4.11.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
- -----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAlx+aa0MHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZ4ZMH/2inEgYog1U9+y+3hMQSMYx69bjZ6/0uHn4FnqPm
39Z/FUTjVjCz3GF2zHjsA1YpKCQJ6WLZhtADyed6NyXd8ux64+henAwiStVhSdvC
4HgxQIIenqM/ixJSYWHv6iEJKAAbCcN0Q4OW4/CH2Pax+pm58axor1zOGisLhopN
pNJRlQ6uTFSLvTd7N2UGg/q0HADChtIOM/iZi3jMiQ1JJvWG2EjWHQdSpW5kxkV3
LYzaMa7tfeQ2EkCkji5xS/nWkET817b/obTWl3YlTAbPoDsTNMHhjwtsWmqLw4/r
eg7+HGB2tAPrG0pqE9DPH99OMeDnLE2A917nXmNF6S8EgKU=
=/95T
- -----END PGP SIGNATURE-----

=================================================================================
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

                    Xen Security Advisory XSA-288
                              version 2

                 x86: Inconsistent PV IOMMU discipline

UPDATES IN VERSION 2
====================

Metadata updated to remove dependency on XSA-283.

4.7 backport updated to fix a debug build failure.

Public release.

ISSUE DESCRIPTION
=================

In order for a PV domain to set up DMA from a passed-through device to
one of its pages, the page must be mapped in the IOMMU.  On the other
hand, before a PV page may be used as a "special" page type (such as a
pagetable or descriptor table), it _must not_ be writable in the IOMMU
(otherwise a malicious guest could DMA arbitrary page tables into the
memory, bypassing Xen's safety checks); and Xen's current rule is to
have such pages not in the IOMMU at all.

Until now, in order to accomplish this, the code has borrowed HVM
domain's "physmap" concept: When a page is assigned to a guest,
guest_physmap_add_entry() is called, which, for PV guests, will create
a writable IOMMU mapping; and when a page is removed,
guest_physmap_remove_entry() is called, which will remove the mapping.

Additionally, when a page gains the PGT_writable page type, the page
will be added into the IOMMU; and when the page changes away from a
PGT_writable type, the page will be removed from the IOMMU.

Unfortunately, borrowing the "physmap" concept from HVM domains is
problematic.  HVM domains have a lock on their p2m tables, ensuring
synchronization between modifications to the p2m; and all hypercall
parameters must first be translated through the p2m before being used.
Trying to mix this locked-and-gated approach with PV's lock-free
approach leads to several races and inconsistencies.

IMPACT
======

An untrusted PV domain with access to a physical device can DMA into
its own pagetables, leading to privilege escalation.

VULNERABLE SYSTEMS
==================

Only x86 systems are vulnerable.  ARM systems are not vulnerable.

Only systems where PV guests are given direct access to physical
devices (PCI pass-through) are vulnerable.  Systems with only HVM
guests, or systems which do not use PCI pass-through, are not
vulnerable.

MITIGATION
==========

Only assigning devices to HVM guests will avoid these vulnerabilities.

CREDITS
=======

This issue was discovered by Paul Durrant of Citrix.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa288.patch           xen-unstable
xsa288-4.11.patch      Xen 4.11.x, Xen 4.10.x
xsa288-4.9.patch       Xen 4.9.x
xsa288-4.8.patch       Xen 4.8.x
xsa288-4.7.patch       Xen 4.7.x

$ sha256sum xsa288*
7254f0ce791b5543aec68643ec47e2bcf7823650949c7eb32db5122591f12e8c  xsa288.meta
e1159cb5c1c5a01b28753739b6a78b555ebe4b920cae766db47e0f2a1a21c188  xsa288.patch
e9986ceda84e7391c27d80fd541a0e5edf1eadef302a560b4e445ca9bad4c56e  xsa288-4.7.patch
14856543ccaa5b3db2a209d25637ed025f2eb940294d0cd07e03f56630a9e5af  xsa288-4.8.patch
df5e4a367f58491d54c778e2997142792c881d4f7b5a2a1d3339d2a3f1abafe5  xsa288-4.9.patch
58ba46b4814695dc34beaa5fb644931253bd0b0c6a8dc843c735beec152ae722  xsa288-4.11.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
- -----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAlx+aa4MHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZZcYIAKeJomA0DWjp8LewxvGSUugZ34CCoS2OaOVSBw0g
r5gGZ1B3WF8JHcpoV3JdPsiv0O61Ye2XX/PhAfe577PW5357vnNHqE9GbOVwxXNZ
pNsSJ5r7OG1OEQdGUetB9McqkDhX/kpg4tnAokeU7FKjwfMTqjGYmacjAWlAqGqp
mZF83H2NLiXtroq7sWcTopO32O/dvUmd0+29mcTihS+XzdeTBfNuz4XiYF9YqA04
QN0NcqHACjM7C1OGAgXW9PXUPJzm5PuMCAR56qLxaN1V+JEC+hwkPliDpZUU2xrx
I6mc0FkoKfIRvD8sVLB+z0rkjpnOPjVhH6okIBBcHya71fg=
=JG+V
- -----END PGP SIGNATURE-----

=================================================================================

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

                    Xen Security Advisory XSA-291
                              version 2

  x86/PV: page type reference counting issue with failed IOMMU update

UPDATES IN VERSION 2
====================

Metadata updated to remove dependency on XSA-283.

Public release.

ISSUE DESCRIPTION
=================

When an x86 PV domain has a passed-through PCI device assigned, IOMMU
mappings may need to be updated when the type of a particular page
changes.  Such an IOMMU operation may fail.  In the event of failure,
while at present the affected guest would be forcibly crashed, the
already recorded additional type reference was not dropped again.  This
causes a bug check to trigger while cleaning up after the crashed
guest.

IMPACT
======

Malicious or buggy x86 PV guest kernels can mount a Denial of Service
(DoS) attack affecting the whole system.

VULNERABLE SYSTEMS
==================

Xen versions from 4.8 onwards are vulnerable.

Only x86 systems are vulnerable.  ARM systems are not vulnerable.

Only x86 PV guests can exploit the vulnerability.  x86 HVM and PVH
guests cannot exploit the vulnerability.

Only guests which are assigned a physical device can exploit this
vulnerability.  Guests which are not assigned physical devices cannot
exploit this vulnerability.

MITIGATION
==========

Running only HVM or PVH guests avoids the vulnerability.

Not passing through PCI devices to PV guests also avoids the
vulnerability.

CREDITS
=======

This issue was discovered by Igor Druzhinin and Andrew Cooper of Citrix.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa291.patch           xen-unstable
xsa291-4.11.patch      Xen 4.11.x, Xen 4.10.x
xsa291-4.9.patch       Xen 4.9.x, Xen 4.8.x

$ sha256sum xsa291*
01883c11ae45a5771644270445e463538a61d98c66adbba852de74ccd272eae9  xsa291.meta
fb5f2a75ba113f21e9cb2dfbc22520495c69a4fef631c030a4834c680045e587  xsa291.patch
299bb4913e7ddb46ce90f415f91ee5e5480050631281c87e1a764b66fb116d89  xsa291-4.9.patch
16087ba5c59b9644f4f61c0c7fa124d9e04e88089b235aaae91daa04cdf1b8a1  xsa291-4.11.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
- -----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAlx+aa4MHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZ7uEH+gKbe8qOoIa8/xDC1rOH5H+BNvjCSfuov4EUPsJ1
3DUPNSa3jCHTlX89+BwI+uOis3vHuQYBw/k9QYfx6nG617bu3/dUYiWlnE/DpPzm
zur3McHNigWCXOYsrNlgnOncXixJIRcIlMJNudejzaFwnW9PDA8ZZ5r3UiTLY0fT
wySjAL0cpMztmU7PfYAPib97JAM/+GHGiwjjumaaIvF3WnIADJ26HpmtiKELMwOh
7o53kTUPFutLq4McsbcrxLRhwSOsBfhPN1mb4Y0QFUP7yStFpNOmzppu8mLuewhE
+PqJ0OQqqCx8hz/3TEDO59JUlH7Iwo4B3Eykhb5BqoSQHrY=
=iq8p
- -----END PGP SIGNATURE-----

=================================================================================

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

                    Xen Security Advisory XSA-292
                              version 2

            x86: insufficient TLB flushing when using PCID

UPDATES IN VERSION 2
====================

Metadata updated to remove dependency on XSA-283.

Public release.

ISSUE DESCRIPTION
=================

Use of Process Context Identifiers (PCID) was introduced into Xen in
order to improve performance after XSA-254 (and in particular its
Meltdown sub-issue).  This enablement implied changes to the TLB
flushing logic.  The particular case of context switch to a vCPU of a
PCID-enabled guest left open a time window between the full TLB flush,
and the actual address space switch, during which additional TLB
entries (from the address space about to be switched away from) can be
accumulated, which will not subsequently be purged.

IMPACT
======

Malicious PV guests may be able to cause a host crash (Denial of
Service) or to gain access to data pertaining to other guests.
Privilege escalation opportunities cannot be ruled out.

Additionally, vulnerable configurations are likely to be unstable even
in the absence of an attack.

VULNERABLE SYSTEMS
==================

Only x86 systems are vulnerable.  ARM systems are not vulnerable.

Only systems running x86 PV guests are vulnerable.  Systems running
only x86 HVM or PVH guests are not vulnerable.

Only systems with at least one PCID-enabled PV guest are vulnerable.

Systems where PCID or INVPCID are unavailable or entirely disabled are
not vulnerable.

Note that PCID is enabled by default for both 64-bit dom0 and 64-bit
domU when hardware supports it.  PCID acceleration has been backported
to the following versions:
 - Xen 4.11.x,
 - Xen 4.10.2 and onwards,
 - Xen 4.9.3 and onwards,
 - Xen 4.8.4 and onwards,
 - Xen 4.7.6.

To exploit this vulnerability, problematic TLB entries must be created
between the full TLB flush and the address space switch.  The NMI
watchdog handler (enabled via the "watchdog" command line option) is
known to create such entries; other vectors cannot be ruled out.

MITIGATION
==========

Running only HVM or PVH guests will avoid this vulnerability.

Running only 32-bit PV guests alongside the other two types mentioned
above will also avoid this vulnerability, provided Dom0 is also 32-bit
or is not using PCID.  Making a 64-bit Dom0 not use PCID can be achieved
by e.g. "xpti=no-dom0 pcid=xpti".

Disabling use of PCID entirely, by passing "pcid=0" or "invpcid=0" as a
command line option to the hypervisor, will also avoid this
vulnerability (albeit re-introducing the XPTI performance regression
use of PCID was intended to reduce).

Disabling the watchdog timer will remove the only known way of reliably
creating problematic TLB entries, potentially reducing the risk of a
successful attack.

CREDITS
=======

This issue was discovered by Sergey Dyasli and Andrew Cooper of Citrix.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa292.patch           xen-unstable, Xen 4.11.x ... Xen 4.7.6

$ sha256sum xsa292*
c515e98e5ae8a16bc5c894741eea5523a7e568f81ee8a570626dcc0f58f40b40  xsa292.meta
f42cb5e1eae5a5c6f0fd84e38df4db9f09a4e1176905c37f292fef9855c82fea  xsa292.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
- -----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAlx+aa4MHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZOd8IAIlWY8Vz3rd9uo4ehIoIIGiQYowxl96NslzZEtEx
LQhpHALXyd8uWJbPwunbOgwEc2ur8Z3xfk6gnKP39SWL9fv4n+0RhQ5TltCFKRc2
97jVk9F0Lmw9VceqI9icrMjkVBk+J6OcAytMLzwT9sX6wJfpD+KjlVXKosLWvmT+
LiGOYa8gQlGQe5s8V1VVVkXOBuz7Jgel4/aRi0bIovBNffagNXt2zXIRgpnNmhFG
g3vMI0Y6WM2VkfOkZkYkcxdW/6vVBeIcmfKhZHyFv6wBo0mWYBz+mvIVFFs6BrFf
IqowWWFAr7NwGFcfs4iKETWbACCCYrpDFX1c9Z7O+SjXCV0=
=mVRN
- -----END PGP SIGNATURE-----

=================================================================================

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

                    Xen Security Advisory XSA-293
                              version 3

                x86: PV kernel context switch corruption

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

On hardware supporting the fsgsbase feature, 64bit PV guests can set and
clear the applicable control bit in their virtualised %cr4, but the
feature remains fully active in hardware.  Therefore, the associated
instructions are actually usable.

Linux, which does not currently support this feature, has various
optimisations in its context switch path which justifiably assume that
userspace can't actually make changes without a system call.

Xen's behaviour of having this feature active behind the guest kernel's
back undermines the correctness of any context switch logic which
depends on the feature being disabled.

Userspace can therefore corrupt fsbase or gsbase (commonly used for
Thread Local Storage) in the next thread to be scheduled on the
current vcpu.

IMPACT
======

A malicious unprivileged guest userspace process can escalate its
privilege to that of other userspace processes in the same guest, and
potentially thereby to that of the guest operating system.

Additionally, some guest software which attempts to use this CPU
feature may trigger the bug accidentally, leading to crashes or
corruption of other processes in the same guest.

VULNERABLE SYSTEMS
==================

Xen versions 4.1 and later are vulnerable.  Xen 4.0 and earlier are not
vulnerable.

Only x86 hardware with the fsgsbase feature is vulnerable.  This is
believed to be Intel IvyBridge and later hardware, and AMD Steamroller
and later hardware.

ARM hardware is not affected.

Only 64bit PV guests can exploit the vulnerability.  32bit PV guests,
and HVM/PVH guests cannot exploit the vulnerability.

Whether the bug is exploitable, and whether it will be triggered by
accident, depend in a complicated way on the guest operating system
and its configuration.  Most guests are vulnerable to malicious
userspace processes.

MITIGATION
==========

Running only 32bit PV or HVM/PVH guests will avoid this vulnerability.

CREDITS
=======

This issue was discovered by Andy Lutomirski.

RESOLUTION
==========

Applying the appropriate attached patches resolves this issue.

xsa293/unstable-*.patch        xen-unstable
xsa293/4.11-*.patch            Xen 4.11.x
xsa293/4.10-*.patch            Xen 4.10.x
xsa293/4.9-*.patch             Xen 4.9.x
xsa293/4.8-*.patch             Xen 4.8.x
xsa293/4.7-*.patch             Xen 4.7.x

$ sha256sum xsa293* xsa293*/*
27baf055642a3a7e9d2b1a961e15a46b592eca7c6f63e28e3bcb19e4cebfd0bd  xsa293.meta
865596b3dca81712a7d3d78f22e40aed1a08732f93b1950af6f092d893323a0f  xsa293/4.7-1.patch
032559c4bbdfe0987b9d3b15cf8661d8d8a5d4e2e989c944490ac171305fba3b  xsa293/4.7-2.patch
d3d91a1a5083b0a1992750b808aefacd0f0d4e7e92d1436e620a542e935cdadd  xsa293/4.7-3.patch
14b3db49375e353394b831a342d873d83615285d516f8cb08a0e1564d675cd51  xsa293/4.8-1.patch
1efc2ee18f54c7c41f478e944b3b708eb283bfa9de68a1046033d57784846c30  xsa293/4.8-2.patch
0d28899cad0e6798ae6a96717c15363ddf5a35e334ede02becdc81538ae589cc  xsa293/4.8-3.patch
b24210a74eb9dca5c7af902d223dba1b1b372df06a99fb1b0df8e92c9f9632f3  xsa293/4.9-1.patch
f68101f80d9843c1cdbb70188caec7009a0d52d33d811d22091e7c1f265a15e1  xsa293/4.9-2.patch
194e42599eac16afab14856760901705a0600c1308645495f30d30f8dd68734c  xsa293/4.10-1.patch
1fdee59bba66bd6b3ea4949913457dbcb1b8d5cb85fd8fb60aacac9a403ee9a9  xsa293/4.10-2.patch
277ba95e9a2276378fc9b3bcf89b694b9670256cde62278ade2e90d3fd5f7c46  xsa293/4.11-1.patch
724a0f433427a747876cbec09381dc1ca99286cea0ecbdd098c6e68fb135eeda  xsa293/4.11-2.patch
837eb67900a7c70cf7a00836cb312506925ca1fd29529144ff312316b0dbb086  xsa293/unstable-1.patch
0a6df8c8778a1c7e1fb71825695a86dee36f2e9345b39a06e3a364ad8b938de0  xsa293/unstable-2.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
- -----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAlx+apQMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZvVkH/j+PLpdjJ172FhBC2F73PE8/ojjK4qu9pew29TmH
4YZtNEEW2+4rB+vd3Y4oYmEHZiZoxrE7v6ER5+TxeMb4M9eK9JfgT59BO98msYLJ
AMJkDw+xmRWxSf0oP8aig1Qbl3isY3Tv3Ny/KjLV33aZy0O/5Re3NnqpYRHAMDrj
wLmeBezLQbqyK4Kc9y8Io+johmnOWbQDiXFGq/Rjh4C0EDkKBTpAY2By+sHxNBMU
FCFsjxi/H25rhrYIb5DOhdlcAGxp+JrK679rKoYZP35QBQzkj3TKswfp7rmCactn
xoD9N6uO483VVD6X1LosaK9jSxmHCdaOA+uswOBrBwWBjng=
=OITY
- -----END PGP SIGNATURE-----

=================================================================================

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

                    Xen Security Advisory XSA-294
                              version 2

         x86 shadow: Insufficient TLB flushing when using PCID

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

Use of Process Context Identifiers (PCID) was introduced into Xen in
order to improve performance after XSA-254 (and in particular its
Meltdown sub-issue).  This enablement implied changes to the TLB
flushing logic.  One aspect which was overlooked is the safety of
switching between shadow pagetables, which previously relied on the
unconditional flushing of a write to CR3.

With PCID enabled, a switch of shadow pagetable for a 64bit PV guest
fails to invalidate the linear mappings of the previous shadow
pagetable.  As a result, subsequent accesses to the shadow pagetables
may be deemed to be safe by the shadow logic (based on the old shadow
pagetable) but fault when made in practice.

IMPACT
======

Malicious 64bit PV guests may be able to cause a host crash (Denial of
Service).

Additionally, vulnerable configurations are unstable even in the absence
of an attack.

VULNERABLE SYSTEMS
==================

Only x86 systems are vulnerable.  ARM systems are not vulnerable.

Only systems running 64-bit x86 PV guests are vulnerable.  Systems running
only x86 HVM or PVH or 32bit PV guests are not vulnerable.

Only systems with at least one PCID-enabled PV guest are vulnerable.

Systems where PCID or INVPCID are unavailable or entirely disabled are
not vulnerable.

Note that PCID is enabled by default for both 64-bit dom0 and 64-bit
domU when hardware supports it.  PCID acceleration has been backported
to the following versions:
 - Xen 4.11.x,
 - Xen 4.10.2 and onwards,
 - Xen 4.9.3 and onwards,
 - Xen 4.8.4 and onwards,
 - Xen 4.7.6.

MITIGATION
==========

Running only HVM or PVH guests will avoid this vulnerability.

Disabling use of PCID entirely, by passing "pcid=0" or "invpcid=0" as a
command line option to the hypervisor, will also avoid this
vulnerability (albeit re-introducing the XPTI performance regression
use of PCID was intended to reduce).
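
The VULNERABLE SYSTEMS and MITIGATION criteria of the six advisories above
(XSA-287, 288, 291, 292, 293 and 294) can be checked mechanically against a
host.  The script below is an added example, not part of the advisories or of
the Xen Project's tools.  It parses `xl info` output (the real "key : value"
format) and the hypervisor command line for the pcid=, invpcid=, xpti= and
watchdog options named above (xpti= is read as the advisory spells it,
"no-dom0", plus the dom0=<bool>/domu=<bool> forms), takes a hand-gathered list
of domains (name, pv/hvm/pvh, 32/64-bit, dom0, PCI pass-through; that record
layout is this example's own), and reports which advisories the host is
exposed to.  The sample host is constructed.  Two deliberate assumptions: the
CPU is taken to support PCID unless the command line disables it, and the
script cannot see the CPU's fsgsbase capability, so XSA-293 is reported for
every 64-bit PV domU; a triage tool should err towards reporting exposure.

```python
# Triage a Xen host against XSA-287/288/291/292/293/294.  Added example, not part
# of the advisories or of Xen; it encodes the VULNERABLE SYSTEMS and MITIGATION
# criteria above.  Domain records and the sample host are constructed.
import re

FALSE_WORDS = {"0", "no", "false", "off", "disable", "disabled"}
# First release of each stable branch carrying PCID acceleration (XSA-292/294).
PCID_SINCE = {(4, 7): 6, (4, 8): 4, (4, 9): 3, (4, 10): 2, (4, 11): 0}

def parse_xl_info(text):
    """`xl info` output ("key : value" per line) -> dict."""
    facts = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            facts[key.strip()] = value.strip()
    return facts

def xen_version(facts):
    """(major, minor, patch); xen_extra is ".N" for a release, "-unstable" -> 0."""
    m = re.match(r"\.(\d+)", facts.get("xen_extra", ""))
    return (int(facts["xen_major"]), int(facts["xen_minor"]), int(m.group(1)) if m else 0)

def parse_cmdline(cmdline):
    """Hypervisor command line -> {option: value}; a bare option counts as "1"."""
    opts = {}
    for tok in cmdline.split():
        key, _, value = tok.partition("=")
        opts[key] = value or "1"
    return opts

def is_false(value): return value.lower() in FALSE_WORDS

def xpti_enabled(opts, dom0):
    """XPTI for dom0/domU from xpti=<bool>|dom0=<bool>|no-dom0|domu=<bool>|no-domu."""
    who = "dom0" if dom0 else "domu"
    enabled = True
    for part in filter(None, (p.strip() for p in opts.get("xpti", "").split(","))):
        name, _, val = part.partition("=")
        if name in (who, "no-" + who):
            enabled = name == who and not (val and is_false(val))
        elif name not in ("dom0", "domu", "no-dom0", "no-domu"):
            enabled = not is_false(part)
    return enabled

def pcid_in_use(opts, dom0, bits):
    """64-bit PV only; pcid=0/invpcid=0 turn it off; pcid=xpti follows XPTI.  CPU
    support is unknown here and assumed present, so the tool errs towards exposure."""
    if bits != 64 or is_false(opts.get("invpcid", "1")) or is_false(opts.get("pcid", "1")):
        return False
    return xpti_enabled(opts, dom0) if opts.get("pcid") == "xpti" else True

def pcid_in_build(version):
    major, minor, patch = version
    return (major, minor) > (4, 11) or patch >= PCID_SINCE.get((major, minor), 10**9)

def triage(xl_info_text, domains):
    """{XSA id: reason}.  domains: [{"name", "type": "pv"|"hvm"|"pvh",
    "bits": 32|64, "dom0": bool, "pci_passthrough": bool}, ...]"""
    facts = parse_xl_info(xl_info_text)
    version = xen_version(facts)
    opts = parse_cmdline(facts.get("xen_commandline", ""))
    names = lambda ds: ", ".join(d["name"] for d in ds)
    pv = [d for d in domains if d["type"] == "pv"]
    pv_domus = [d for d in pv if not d.get("dom0")]
    pv64_domus = [d for d in pv_domus if d["bits"] == 64]
    pv_pt = [d for d in pv_domus if d.get("pci_passthrough")]
    found = {}
    if pv_domus:                              # XSA-287: any PV guest
        found["XSA-287"] = "PV domUs present: " + names(pv_domus)
    if pv_pt:                                 # XSA-288/291: PV with PCI pass-through
        found["XSA-288"] = "PV domUs with PCI pass-through: " + names(pv_pt)
        if version >= (4, 8, 0):
            found["XSA-291"] = "pass-through to PV on Xen 4.8+: " + names(pv_pt)
    if pcid_in_build(version):
        pcid_doms = [d for d in pv if pcid_in_use(opts, bool(d.get("dom0")), d["bits"])]
        pcid_domus = [d for d in pcid_doms if not d.get("dom0")]
        if pv_domus and pcid_doms:            # XSA-292: any PCID-enabled PV domain, dom0 included
            reason = "PCID-enabled PV domains: " + names(pcid_doms)
            if not is_false(opts.get("watchdog", "0")):
                reason += "; NMI watchdog on (known trigger)"
            found["XSA-292"] = reason
        if pcid_domus:                        # XSA-294: 64-bit PV domU using PCID
            found["XSA-294"] = "PCID-enabled 64-bit PV domUs: " + names(pcid_domus)
    if pv64_domus and version >= (4, 1, 0):   # XSA-293: 64-bit PV on fsgsbase hardware
        found["XSA-293"] = "64-bit PV domUs (exposed on fsgsbase CPUs): " + names(pv64_domus)
    return found

# Constructed sample host for this example.
SAMPLE_XL_INFO = """\
xen_major              : 4
xen_minor              : 11
xen_extra              : .1
xen_commandline        : dom0_mem=4096M,max:4096M watchdog console=vga
"""
SAMPLE_DOMAINS = [
    {"name": "Domain-0", "type": "pv", "bits": 64, "dom0": True},
    {"name": "web01", "type": "hvm", "bits": 64},
    {"name": "legacy-pv", "type": "pv", "bits": 32},
    {"name": "storage-pv", "type": "pv", "bits": 64, "pci_passthrough": True},
]
```

On the constructed host, triage(SAMPLE_XL_INFO, SAMPLE_DOMAINS) reports all
six advisories, and the XSA-292 finding names the watchdog, which is the
configuration the advisory singles out as the one known reliable trigger.
Replacing "watchdog" with "pcid=0" on the command line drops XSA-292 and
XSA-294, and the advisory's "xpti=no-dom0 pcid=xpti" setting with only a
32-bit PV domU leaves just XSA-287, matching the MITIGATION text above.  To
use it on a real host, capture `xl info` from dom0 and describe the domains by
hand.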

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa294/unstable.patch           xen-unstable
xsa294/4.11.patch               Xen 4.11.x
xsa294/4.10.patch               Xen 4.10.x
xsa294/4.9.patch                Xen 4.9.x
xsa294/4.8.patch                Xen 4.8.x
xsa294/4.7.patch                Xen 4.7.x

$ sha256sum xsa294*/*
c10b7b79a2067cc6d95e40bc78ee8fddaf31f8614bb183fdd5f00e4272e08a0e  xsa294/4.7.patch
3ac1c3caf01feaf341e977fcbae691f2e4425aa9691f2dfa66795acfe823d76e  xsa294/4.8.patch
a8dfc8b2d2f0d0865b70fb0051f9d5a80a6c7456d004957a0155d989ec875611  xsa294/4.9.patch
c6fe1e0173b665a88cbab423737dcb060eed1f634f9bca880d9ddfa2ac855d03  xsa294/4.10.patch
61a341510f45c0cf63a7438645f5c2b3ab1cd72bc2476e5fad331e322f834f4a  xsa294/4.11.patch
1fb22eab53f9b1e93fc25f5a08d37121a9278854174f1fbd495b3fe6e8babf3a  xsa294/unstable.patch
$
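
Each RESOLUTION section above lists sha256 digests for its patches.  The code
below is an added example, not from the advisories or from Xen: it lifts every
"<sha256>  <path>" line out of an advisory's text into an expected-hash table
and checks the files in a download directory against it, reporting ok,
mismatch or missing per file rather than stopping at the first bad one, as
`sha256sum -c` would.  The listing and the files that make_sample_dir()
writes are constructed for this example (an empty file and the "abc" test
vector), and it assumes the patches were saved under the relative paths the
advisory prints.  It does not replace verifying the advisory's PGP signature
first: a tampered advisory would simply carry matching tampered hashes.

```python
# Verify downloaded XSA patches against the sha256 lines in an advisory.
# Added example, not from the advisories or from Xen.  The sample listing
# and the files that make_sample_dir() writes are constructed for it.
import hashlib
import os
import re
import tempfile

# "<64 hex>  <path>" lines as printed by `sha256sum`; anything else is skipped.
HASH_LINE = re.compile(r"^([0-9a-f]{64})\s+(\S+)$", re.MULTILINE)

def expected_hashes(advisory_text):
    """{relative path: sha256 hex} for every hash line in the advisory."""
    return {path: digest for digest, path in HASH_LINE.findall(advisory_text)}

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_patches(advisory_text, directory):
    """{relative path: "ok" | "mismatch" | "missing"}, one entry per listed file."""
    results = {}
    for rel, digest in expected_hashes(advisory_text).items():
        full = os.path.join(directory, rel)
        if not os.path.isfile(full):
            results[rel] = "missing"
        else:
            results[rel] = "ok" if sha256_file(full) == digest else "mismatch"
    return results

def all_ok(results):
    """Apply nothing unless every listed file is present and matches."""
    return bool(results) and all(state == "ok" for state in results.values())

# Constructed listing in the advisories' format: the first and third digests are
# sha256("") and the second is sha256("abc").
SAMPLE_LISTING = """\
$ sha256sum xsa-example*/*
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  xsa-example/a.patch
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  xsa-example/b.patch
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  xsa-example/c.patch
$
"""

def make_sample_dir():
    """Write the constructed sample: a.patch intact, b.patch tampered, c.patch absent."""
    root = tempfile.mkdtemp(prefix="xsa-verify-")
    os.mkdir(os.path.join(root, "xsa-example"))
    with open(os.path.join(root, "xsa-example", "a.patch"), "wb") as f:
        f.write(b"")      # empty: matches sha256("")
    with open(os.path.join(root, "xsa-example", "b.patch"), "wb") as f:
        f.write(b"abd")   # one byte off from "abc": must report mismatch
    return root

if __name__ == "__main__":
    for path, state in verify_patches(SAMPLE_LISTING, make_sample_dir()).items():
        print(state.ljust(8), path)
```

The .meta files in a real listing show up as missing when only the patches
were fetched; treat anything other than all_ok() as a reason not to apply,
and look at the per-file states to see whether a download was incomplete or
altered.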

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
- -----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAlx+a0YMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZkrsIAK1qu+18MSwMzh7jWNgtAHtlYftiAOScJaJDytAv
Q0iIClp6Liu9A7VkvG0T5XZvOT2y2jLadsOZX0t4TgWz9dOgkZ2ElXtRYd7XlosX
QhEEAQKAy2qTANHOPR6KJ7iuFAiR5Us9XZUqYUcWevP4PBvODFUbdJz12QaL7+eu
e9Tcd6BHQMpyZN3Z39g4yVKSaA/pi1SYT7w7T/pGy+QtnBh1t5zbdpJwQ+gz6eg8
tRsYVZAxNsfQDInLuj27FzcxJbiIue1M++fJ0MazULb5rFKj1AfW+Z8KNhzppv7M
OLU+r8lwJtRhVc/+Qqgc/AEYQypn3kx6ftCKCUKWlpn3W1E=
=rkY1
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----