-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.3982
                     PoD operations on misaligned GFNs
                             24 November 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Xen
Publisher:         Xen
Operating System:  Virtualisation
Impact/Access:     Increased Privileges     -- Existing Account
                   Denial of Service        -- Existing Account
                   Access Confidential Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-28708 CVE-2021-28707 CVE-2021-28704

Original Bulletin: 
   http://xenbits.xen.org/xsa/advisory-388.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

 Xen Security Advisory CVE-2021-28704,CVE-2021-28707,CVE-2021-28708 / XSA-388
                                   version 3

                   PoD operations on misaligned GFNs

UPDATES IN VERSION 3
====================

Correct affected versions range.

Add CVE numbers to patches.

Public release.

ISSUE DESCRIPTION
=================

x86 HVM and PVH guests may be started in populate-on-demand (PoD) mode,
to provide a way for them to later easily have more memory assigned.

Guests are permitted to control certain P2M aspects of individual
pages via hypercalls.  These hypercalls may act on ranges of pages
specified via page orders (resulting in a power-of-2 number of pages).
The implementation of some of these hypercalls for PoD does not
enforce the base page frame number to be suitably aligned for the
specified order, yet some code involved in PoD handling actually makes
such an assumption.

These operations are XENMEM_decrease_reservation (CVE-2021-28704) and
XENMEM_populate_physmap (CVE-2021-28707), the latter usable only by
domains controlling the guest, i.e. a de-privileged qemu or a stub
domain.  (Patch 1, combining the fix to both these two issues.)

In addition handling of XENMEM_decrease_reservation can also trigger a
host crash when the specified page order is neither 4k nor 2M nor 1G
(CVE-2021-28708, patch 2).

IMPACT
======

Malicious or buggy guest kernels may be able to mount a Denial of
Service (DoS) attack affecting the entire system.  Privilege escalation
and information leaks cannot be ruled out.

VULNERABLE SYSTEMS
==================

All Xen versions from 4.7 onwards are affected.  Xen versions 4.6 and
older are not affected.

Only x86 HVM and PVH guests started in populate-on-demand mode can
leverage the vulnerability.  Populate-on-demand mode is activated
when the guest's xl configuration file specifies a "maxmem" value which
is larger than the "memory" value.

MITIGATION
==========

Not starting x86 HVM or PVH guests in populate-on-demand mode will avoid
the vulnerability.

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

Applying the appropriate pair if attached patches resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa388-.patch           xen-unstable
xsa388-4.15-.patch      Xen 4.15.x
xsa388-4.14-.patch      Xen 4.14.x - 4.12.x

$ sha256sum xsa388*
43f6647e9f7d28d22eeb98680e116b301b0e29ef63ea65c9839a5aaebd449bc4  xsa388-1.patch
64b27a8c7c02036528e00a3070e27e873762d68f4ea1504e906aaf2ddc1c06be  xsa388-2.patch
6917267482101a3f8f1d13905e14994344a0af81370c7a2b92275fb176b321a0  xsa388-4.14-1.patch
d5886e046c69f34f98f7e1fc6ffcc36d92f8fc79242b9dc88412c39aa79b4ac3  xsa388-4.14-2.patch
fbe6af409447edc2318940d7c4bc0861a236d40db037166608fc09fa57ef54b1  xsa388-4.15-1.patch
c828d735aaa3f430ccef314bf27519cd6a5f4daaa79e1c493dc47e42ab09ec9f  xsa388-4.15-2.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches described above (or others which are
substantially similar) is permitted during the embargo, even on public-
facing systems with untrusted guest users and administrators.

HOWEVER, deployment of the mitigation described above is NOT permitted
during the embargo on public-facing systems with untrusted guest users
and administrators.  This is because such a configuration change is
recognizable by the affected guests.

AND: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
- -----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmGc2jkMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZROMIALJsptV0nV8H5/nCLUWld3mKjAeb/+N20ul9NEwn
rUwIGGGzyrKZQdAljno+9y9o5pM8+BC+aTBwYhmxEWsHm1kodTD+YnJYf8uNW/CW
uhTJp/ZB5EsWhTFHF7YoKbPG0on4KIsy0TgoUug7bv+l2zEny9gfknsj8jdp3qCy
aFv1Bb2PzRh462qVHI3f27Ee8bn7GfErouuLppmDpCva19D3bhUXQ5PhxFB+oqsI
bww4VKUo0nxZftYhpbInWm34dajEIXK7jy5Z/CUPgCj2sTOHHBv7+5JJdw0umn/A
lJ2Ta1u03sdC9JWbat4qjvdVgK9L9vT+jWsfcwk02qq+XSU=
=uSRt
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYZ2ZnONLKJtyKPYoAQhPlA//bqJfkEe5rnPXZLaw8nxql4QkbrP7sZuX
mTIVHwgukuIuWHkwjs8nhEQxFSq773yOzsLHYs7ESZNjbnTfQf2MboI0lOoFZ3Ti
jZ59J4JgsjU0aWzg8mwnGa/uv2ObdLqeKdVhRJSRqDg5GiEPSKnu60HP/4qSLmDM
ZpZ09pqZhsmb26NSzvwP/TPVZntuhWTXx86TXxXK990HzmwAgTL0E6/BH/GKIglF
50THLmp+EyPoZIPgWVJuOKVe7Gqgyeoc8YzSivLQNjRtwrpmuom6x1kcQKGMSlSN
RibmDC7GZx5IknimX6z3FZL2ZcuiKIrajQ6fNenOVyx7/1lMoDiyvMsfEWIw4Oxt
owOFksnQo8mCcbKFGG6HgNaiLe9OQ7RvUaWRWjK6SYYraclyrKpBHi8G7J/35vbP
t7kbJDl70wiJ5II2I5uEtJ5pGTIiFLafklBHVDFO+7RVv9xKmix5Mrfc/n2zdckA
7TQAgOdEP5Ot0Q6zzOHZSTiHqQuB+5xgKQcQW25MBPC+pc2wTW9jPWSK7iS9DtJp
uoFRoTWdlOYi0Hcfs+Rf0g0TO+4m8wjzJLLYNBG7zvvaS283IHmGAJsZ7RWXS1ck
AM/y6FSW7s0/sXkT0oJeCn24kK5f5xnH2h2BWa1CVmrsAlzAu2I1WWSGLwEq71XT
YkkUFIsg0p0=
=mAHp
-----END PGP SIGNATURE-----