Mailing List Archive

Xen Security Advisory 294 v2 - x86 shadow: Insufficient TLB flushing when using PCID
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Xen Security Advisory XSA-294
version 2

x86 shadow: Insufficient TLB flushing when using PCID

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

Use of Process Context Identifiers (PCID) was introduced into Xen in
order to improve performance after XSA-254 (and in particular its
Meltdown sub-issue). This enablement implied changes to the TLB
flushing logic. One aspect which was overlooked is the safety of
switching between shadow pagetables, which previously relied on the
unconditional flushing of a write to CR3.

With PCID enabled, a switch of shadow pagetable for a 64bit PV guest
fails to invalidate the linear mappings of the previous shadow
pagetable. As a result, subsequent accesses to the shadow pagetables
may be deemed to be safe by the shadow logic (based on the old shadow
pagetable) but fault when made in practice.

IMPACT
======

Malicious 64bit PV guests may be able to cause a host crash (Denial of
Service).

Additionally, vulnerable configurations are unstable even in the absence
of an attack.

VULNERABLE SYSTEMS
==================

Only x86 systems are vulnerable. ARM systems are not vulnerable.

Only systems running 64-bit x86 PV guests are vulnerable. Systems running
only x86 HVM or PVH or 32bit PV guests are not vulnerable.

Only systems with at least one PCID-enabled PV guest are vulnerable.

Systems where PCID or INVPCID are unavailable or entirely disabled are
not vulnerable.

Note that PCID is enabled by default for both 64-bit dom0 and 64-bit
domU when hardware supports it. PCID acceleration has been backported
to the following versions:
- Xen 4.11.x,
- Xen 4.10.2 and onwards,
- Xen 4.9.3 and onwards,
- Xen 4.8.4 and onwards,
- Xen 4.7.6.

MITIGATION
==========

Running only HVM or PVH guests will avoid this vulnerability.

Disabling use of PCID entirely, by passing "pcid=0" or "invpcid=0" as a
command line option to the hypervisor, will also avoid this
vulnerability (albeit re-introducing the XPTI performance regression
use of PCID was intended to reduce).

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa294/unstable.patch xen-unstable
xsa294/4.11.patch Xen 4.11.x
xsa294/4.10.patch Xen 4.10.x
xsa294/4.9.patch Xen 4.9.x
xsa294/4.8.patch Xen 4.8.x
xsa294/4.7.patch Xen 4.7.x

$ sha256sum xsa294*/*
c10b7b79a2067cc6d95e40bc78ee8fddaf31f8614bb183fdd5f00e4272e08a0e xsa294/4.7.patch
3ac1c3caf01feaf341e977fcbae691f2e4425aa9691f2dfa66795acfe823d76e xsa294/4.8.patch
a8dfc8b2d2f0d0865b70fb0051f9d5a80a6c7456d004957a0155d989ec875611 xsa294/4.9.patch
c6fe1e0173b665a88cbab423737dcb060eed1f634f9bca880d9ddfa2ac855d03 xsa294/4.10.patch
61a341510f45c0cf63a7438645f5c2b3ab1cd72bc2476e5fad331e322f834f4a xsa294/4.11.patch
1fb22eab53f9b1e93fc25f5a08d37121a9278854174f1fbd495b3fe6e8babf3a xsa294/unstable.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAlx+a0YMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZkrsIAK1qu+18MSwMzh7jWNgtAHtlYftiAOScJaJDytAv
Q0iIClp6Liu9A7VkvG0T5XZvOT2y2jLadsOZX0t4TgWz9dOgkZ2ElXtRYd7XlosX
QhEEAQKAy2qTANHOPR6KJ7iuFAiR5Us9XZUqYUcWevP4PBvODFUbdJz12QaL7+eu
e9Tcd6BHQMpyZN3Z39g4yVKSaA/pi1SYT7w7T/pGy+QtnBh1t5zbdpJwQ+gz6eg8
tRsYVZAxNsfQDInLuj27FzcxJbiIue1M++fJ0MazULb5rFKj1AfW+Z8KNhzppv7M
OLU+r8lwJtRhVc/+Qqgc/AEYQypn3kx6ftCKCUKWlpn3W1E=
=rkY1
-----END PGP SIGNATURE-----