===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4072
               add-to-physmap can be abused to DoS Arm hosts
                              1 November 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Xen
Publisher:         Xen
Operating System:  Xen
Impact/Access:     Denial of Service -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-18423  

Original Bulletin: 
   http://xenbits.xen.org/xsa/advisory-301.html

- --------------------------BEGIN INCLUDED TEXT--------------------

            Xen Security Advisory CVE-2019-18423 / XSA-301
                               version 3

             add-to-physmap can be abused to DoS Arm hosts

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

p2m->max_mapped_gfn is used by the functions
p2m_resolve_translation_fault() and p2m_get_entry() to sanity check the
guest physical frame.  The rest of the code in the two functions will
assume that there is a valid root table and check that with BUG_ON().

The function p2m_get_root_pointer() will ignore the unused top bits of
a guest physical frame.  This means that the function p2m_set_entry()
will alias the frame.  However, p2m->max_mapped_gfn will be updated
using the original frame.

It would be possible to set p2m->max_mapped_gfn high enough to cover a
frame that would lead p2m_get_root_pointer() to return NULL in
p2m_get_entry() and p2m_resolve_translation_fault().

Additionally, the sanity check on p2m->max_mapped_gfn is off-by-one
allowing "highest mapped + 1" to be considered valid.  However,
p2m_get_root_pointer() will return NULL.

The problem could be triggered with a specially crafted hypercall
XENMEM_add_to_physmap{, _batch} followed by an access to an address
(via hypercall or direct access) that passes the sanity check but
causes p2m_get_root_pointer() to return NULL.
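
The following simplified C model is an added illustration, not code from the
advisory or from Xen: it reproduces the two logic defects described above (a
root-table lookup that masks away out-of-range top bits while max_mapped_gfn
records the un-aliased frame, and the "highest + 1" off-by-one) beside the
hardened behaviour, selected by the `vulnerable` flag.  The shifts, table count,
frame numbers and the HYPERVISOR_CRASH stand-in for BUG_ON() are constructed
model values.

```c
/* Simplified model of the two XSA-301 defects, not Xen's code; shifts, table
 * sizes and frame numbers below are constructed model values. */
#include <stddef.h>
#include <stdint.h>
#define ENTRY_SHIFT 9                           /* 512 entries per table */
#define ENTRY_MASK  ((1ULL << ENTRY_SHIFT) - 1)
#define ROOT_SHIFT  30                          /* one root table covers 2^30 frames */
#define ROOT_PAGES  2                           /* two concatenated root tables */
#define ENTRY(gfn)  ((unsigned)(((gfn) >> (ROOT_SHIFT - ENTRY_SHIFT)) & ENTRY_MASK))
enum lookup { NOT_MAPPED, MAPPED, HYPERVISOR_CRASH /* stands in for BUG_ON() */ };
typedef struct {
    uint64_t max_mapped_gfn;                    /* highest mapped frame, starts at 0 */
    uint8_t  root[ROOT_PAGES][1 << ENTRY_SHIFT];
} p2m_t;

/* Select the root table.  Masking the index to the entry width (vulnerable)
 * lets out-of-range top bits silently alias onto an existing table. */
static uint8_t *root_pointer(p2m_t *p, uint64_t gfn, int vulnerable) {
    uint64_t idx = gfn >> ROOT_SHIFT;
    if (vulnerable) idx &= ENTRY_MASK;
    return idx < ROOT_PAGES ? p->root[idx] : NULL;
}

/* Map one frame.  The vulnerable version records the original, un-aliased
 * frame and tracks it as "highest + 1", which is the off-by-one. */
static int set_entry(p2m_t *p, uint64_t gfn, int vulnerable) {
    uint8_t *root = root_pointer(p, gfn, vulnerable);
    if (!root) return -1;                       /* fixed path rejects the frame here */
    root[ENTRY(gfn)] = 1;
    uint64_t high = vulnerable ? gfn + 1 : gfn;
    if (high > p->max_mapped_gfn) p->max_mapped_gfn = high;
    return 0;
}

static enum lookup get_entry(p2m_t *p, uint64_t gfn, int vulnerable) {
    if (gfn > p->max_mapped_gfn) return NOT_MAPPED;          /* sanity check */
    uint8_t *root = root_pointer(p, gfn, vulnerable);
    if (!root) return vulnerable ? HYPERVISOR_CRASH : NOT_MAPPED; /* passed check, no table */
    return root[ENTRY(gfn)] ? MAPPED : NOT_MAPPED;
}

/* Advisory cases.  Alias: root index 512 masks to table 0 yet raises
 * max_mapped_gfn, so a lookup with root index ROOT_PAGES passes the check.
 * Off-by-one: map the last covered frame, then look up "highest + 1". */
static enum lookup scenario(int alias, int vulnerable) {
    p2m_t p = {0};
    uint64_t top = (uint64_t)ROOT_PAGES << ROOT_SHIFT;      /* first uncovered frame */
    set_entry(&p, alias ? (uint64_t)(1 << ENTRY_SHIFT) << ROOT_SHIFT : top - 1, vulnerable);
    return get_entry(&p, top, vulnerable);
}
```

In both cases the hardened path either refuses the out-of-range mapping up front or treats a missing root table as an ordinary lookup miss instead of a fatal assertion.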

IMPACT
======

A malicious guest administrator may cause a hypervisor crash,
resulting in a Denial of Service (DoS).

VULNERABLE SYSTEMS
==================

Xen versions 4.8 and newer are vulnerable.

Only Arm systems are vulnerable.  x86 systems are not affected.

MITIGATION
==========

There are no mitigations.

CREDITS
=======

This issue was discovered by Julien Grall of Arm.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa301-master-*.patch  xen-unstable to Xen 4.12
xsa301-4.11-*.patch    Xen 4.11 to Xen 4.8

$ sha256sum xsa301*
c3f334d3de1fd7385a5b73edca1f979b6027595d8aa2a3fce451ee5a37d57662  xsa301.meta
1f6f76e0da4bd8cbce38a127d446593058a76565bade57672d6a00357fdc64fa  xsa301-4.11-1.patch
b1ea7b323f509a6150983ece24ecd38f3a9ea97a11360d7a36f715ebaf85e8b1  xsa301-4.11-2.patch
67fffdd5f827f783e8752ca779a3234d30f26df5c42844c5b2b4a34618d7a0c2  xsa301-4.11-3.patch
3dba13afd3449b85215058c596f6a60a255e5a11c6865cbcaa05e9768f535b46  xsa301-master-1.patch
dbf952c2333807d5ee0fe4cccb069ddfda87e295c83a43ec46621b486b19f6e8  xsa301-master-2.patch
ad544e5e2da130540d5475954b1512fc00743773cad382c4c0451fd91536287d  xsa301-master-3.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decision-making.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================