-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Xen Security Advisory CVE-2023-46837 / XSA-447
version 2
arm32: The cache may not be properly cleaned/invalidated (take two)
UPDATES IN VERSION 2
====================
Public release.
ISSUE DESCRIPTION
=================
Arm provides multiple helpers to clean & invalidate the cache
for a given region. This is, for instance, used when allocating
guest memory to ensure any writes (such as the ones during scrubbing)
have reached memory before handing over the page to a guest.
Unfortunately, the arithmetics in the helpers can overflow and would
then result to skip the cache cleaning/invalidation. Therefore there
is no guarantee when all the writes will reach the memory.
This undefined behavior was meant to be addressed by XSA-437, but the
approach was not sufficient.
IMPACT
======
A malicious guest may be able to read sensitive data from memory that
previously belonged to another guest.
VULNERABLE SYSTEMS
==================
Systems running all version of Xen are affected.
Only systems running Xen on Arm 32-bit are vulnerable. Xen on Arm 64-bit
is not affected.
MITIGATION
==========
There is no known mitigation.
CREDITS
=======
This issue was discovered by Michal Orzel from AMD.
RESOLUTION
==========
Applying the appropriate attached patch resolves this issue.
Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball. Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.
xsa447/xsa447.patch xen-unstable - Xen 4.17.x
xsa447/xsa447-4.16.patch Xen 4.16.x - Xen 4.15.x
$ sha256sum xsa447* xsa447*/*
639f3a30124fd0f45b6b68768c02a5b5aa2e78c6c1f28bbf1ea5fb9be1f874af xsa447.meta
0816717ab6e9c2250975ed1100bb2943830dc10e9a52aed7dd5cbe1884a15918 xsa447/xsa447.patch
f325543852b28af3fb2a2ca501a70fc59d3b35432334d52f734b2071c8a9667f xsa447/xsa447-4.16.patch
$
DEPLOYMENT DURING EMBARGO
=========================
Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.
But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).
Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.
(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)
For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmV4SxMMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZvnUIAIG4NNqHQCeBV0VOLtdZLNgaBDt9Vguc4FLUYlI5
aBc4/IWrsGYYRuBzLAPGoKYP9/F+OjiHcE0ClFnxkQJ+bFKl4SQLxmSksHkvPtpo
6yL53IbyraIbA+TulYquTr27v7ZnTI9LQA3VurD6sMgiWIo8+C/kSb6g/1TAsm4R
qzHDRLhTd4H+yU7KV327qIUk1D4S0eGP1yWpudpd0A/05RBgI9m4gp01VFeJn8w+
UbYba/4LpcAKG/iyvxqk5o3fyO60zhZEc5BBHhcz7DJ+UvLrLf7TDLrkaI6lorye
m6etZ+kWU9ESL1Qy+lHEk9HqUOg25xQb5gPDrIP3TOMSsUU=
=mrfT
-----END PGP SIGNATURE-----
Hash: SHA256
Xen Security Advisory CVE-2023-46837 / XSA-447
version 2
arm32: The cache may not be properly cleaned/invalidated (take two)
UPDATES IN VERSION 2
====================
Public release.
ISSUE DESCRIPTION
=================
Arm provides multiple helpers to clean & invalidate the cache
for a given region. This is, for instance, used when allocating
guest memory to ensure any writes (such as the ones during scrubbing)
have reached memory before handing over the page to a guest.
Unfortunately, the arithmetics in the helpers can overflow and would
then result to skip the cache cleaning/invalidation. Therefore there
is no guarantee when all the writes will reach the memory.
This undefined behavior was meant to be addressed by XSA-437, but the
approach was not sufficient.
IMPACT
======
A malicious guest may be able to read sensitive data from memory that
previously belonged to another guest.
VULNERABLE SYSTEMS
==================
Systems running all version of Xen are affected.
Only systems running Xen on Arm 32-bit are vulnerable. Xen on Arm 64-bit
is not affected.
MITIGATION
==========
There is no known mitigation.
CREDITS
=======
This issue was discovered by Michal Orzel from AMD.
RESOLUTION
==========
Applying the appropriate attached patch resolves this issue.
Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball. Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.
xsa447/xsa447.patch xen-unstable - Xen 4.17.x
xsa447/xsa447-4.16.patch Xen 4.16.x - Xen 4.15.x
$ sha256sum xsa447* xsa447*/*
639f3a30124fd0f45b6b68768c02a5b5aa2e78c6c1f28bbf1ea5fb9be1f874af xsa447.meta
0816717ab6e9c2250975ed1100bb2943830dc10e9a52aed7dd5cbe1884a15918 xsa447/xsa447.patch
f325543852b28af3fb2a2ca501a70fc59d3b35432334d52f734b2071c8a9667f xsa447/xsa447-4.16.patch
$
DEPLOYMENT DURING EMBARGO
=========================
Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.
But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).
Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.
(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)
For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmV4SxMMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZvnUIAIG4NNqHQCeBV0VOLtdZLNgaBDt9Vguc4FLUYlI5
aBc4/IWrsGYYRuBzLAPGoKYP9/F+OjiHcE0ClFnxkQJ+bFKl4SQLxmSksHkvPtpo
6yL53IbyraIbA+TulYquTr27v7ZnTI9LQA3VurD6sMgiWIo8+C/kSb6g/1TAsm4R
qzHDRLhTd4H+yU7KV327qIUk1D4S0eGP1yWpudpd0A/05RBgI9m4gp01VFeJn8w+
UbYba/4LpcAKG/iyvxqk5o3fyO60zhZEc5BBHhcz7DJ+UvLrLf7TDLrkaI6lorye
m6etZ+kWU9ESL1Qy+lHEk9HqUOg25xQb5gPDrIP3TOMSsUU=
=mrfT
-----END PGP SIGNATURE-----
Attached Files:
-
xsa447.meta (1.32 KB)
-
xsa447xsa447.patch (4.93 KB)
-
xsa447xsa447-4.16.patch (4.91 KB)