
Xen Security Advisory 345 v4 (CVE-2020-27672) - x86: Race condition in Xen mapping code

Xen Security Advisory CVE-2020-27672 / XSA-345
version 4

x86: Race condition in Xen mapping code

UPDATES IN VERSION 4
====================

CVE assigned.

ISSUE DESCRIPTION
=================

The Xen code handling the updating of the hypervisor's own pagetables
tries to use 2MiB and 1GiB superpages as much as possible to maximize
TLB efficiency. Some of the operations for checking and coalescing
superpages take a non-negligible amount of time; to avoid potential lock
contention, this code also tries to avoid holding locks for the entire
operation.

Unfortunately, several potential race conditions were not considered;
precisely-timed guest actions could potentially lead to the code
writing to a page which has been freed (and thus potentially already
reused).
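As an added illustration, not Xen's code and not the XSA-345 patches, the following constructed C model shows the race class described above: a mapping update snapshots a pagetable entry under the lock, drops the lock for the slow superpage check, and then writes into the L1 table it saw, even though a concurrent update may have replaced that entry and freed the table in the meantime; the hardened variant re-reads the entry under the lock and abandons the stale pointer. Every name in it (tbl_a, tbl_b, l2_slot, slow_check, demo) is an assumption of the model, and "freeing" only sets a flag so that the program runs safely.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#define L1_ENTRIES 4
#define PRESENT    1u
/* Static "pages": freeing a table only sets a flag, so the model runs safely. */
struct l1_table { uint64_t pte[L1_ENTRIES]; bool freed; };
static struct l1_table tbl_a, tbl_b;
static struct l1_table *l2_slot;        /* one L2 entry pointing at an L1 table */
static void lock(void)   {}              /* stand-in for the pagetable lock; the */
static void unlock(void) {}              /* model is single-threaded, so no real lock */

/* The slow coalescing check (all L1 entries present?), done with the lock dropped. */
static bool slow_check(const struct l1_table *t)
{
    for (size_t i = 0; i < L1_ENTRIES; i++)
        if (!(t->pte[i] & PRESENT)) return false;
    return true;
}
/* Another CPU's update: swaps in a new L1 table and frees the old one. */
static void other_cpu_replaces_table(void)
{
    lock();
    l2_slot->freed = true;               /* old table goes back to the allocator */
    l2_slot = &tbl_b;
    unlock();
}
/* Returns true if the update wrote through a pointer to an already-freed table. */
static bool mapping_update(bool revalidate)
{
    lock();
    struct l1_table *t = l2_slot;        /* snapshot taken under the lock */
    unlock();                            /* lock dropped for the slow check */
    bool coalescable = slow_check(t);
    other_cpu_replaces_table();          /* the window the race needs */
    lock();
    bool stale = revalidate && l2_slot != t;  /* fix: re-read the entry under the lock */
    if (coalescable && !stale)
        t->pte[0] |= 0x80;               /* write into the L1 table we saw earlier */
    unlock();
    return coalescable && !stale && t->freed;
}
/* Fresh scenario; hardened == true applies the re-validation step. */
bool demo(bool hardened)
{
    tbl_a = tbl_b = (struct l1_table){ { PRESENT, PRESENT, PRESENT, PRESENT }, false };
    l2_slot = &tbl_a;
    return mapping_update(hardened);
}
```

demo(false) reports a write into the freed table; demo(true) does not, because the re-check under the lock notices that the L2 entry changed.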

IMPACT
======

A malicious guest can cause a host denial-of-service. Data corruption
or privilege escalation cannot be ruled out.

VULNERABLE SYSTEMS
==================

Versions of Xen from at least 3.2 onward are affected.

Only x86 systems are vulnerable. ARM systems are not vulnerable.

Guests can only exercise the vulnerability if they have passed through
hardware devices. Guests without passthrough configured cannot
exploit the vulnerability.

Furthermore, HVM and PVH guests can only exercise the vulnerability if
they are running in shadow mode, and only when running on VT-x capable
hardware (as opposed to SVM). This is believed to be Intel, Centaur
and Shanghai CPUs.

MITIGATION
==========

Running all guests in HVM or PVH mode, in each case with HAP enabled,
prevents those guests from exploiting the vulnerability.

CREDITS
=======

This issue was discovered by Hongyan Xia of Amazon.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball. Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa345/*.patch           xen-unstable
xsa345-4.14/*.patch      Xen 4.14.x
xsa345-4.13/*.patch      Xen 4.12.x, Xen 4.13.x
xsa345-4.11/*.patch      Xen 4.11.x
xsa345-4.10/*.patch      Xen 4.10.x

$ sha256sum xsa345* xsa345*/*

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decision-making.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
http://www.xenproject.org/security-policy.html