Xen Security Advisory 299 v4 (CVE-2019-18421) - Issues with restartable PV type change operations
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Xen Security Advisory CVE-2019-18421 / XSA-299
version 4

Issues with restartable PV type change operations

UPDATES IN VERSION 4
====================

Public release.

ISSUE DESCRIPTION
=================

To avoid using shadow pagetables for PV guests, Xen exposes the actual
hardware pagetables to the guest. In order to prevent the guest from
modifying these page tables directly, Xen keeps track of how pages are
used using a type system; pages must be "promoted" before being used
as a pagetable, and "demoted" before being used for any other type.
Xen also allows "recursive" promotions: i.e., an operating system
promoting a page to an L4 pagetable may end up causing pages to be
promoted to L3s, which may in turn cause pages to be promoted to L2s,
and so on. These operations may take an arbitrarily large amount of
time, and so must be restartable.

Unfortunately, making recursive pagetable promotion and demotion
operations restartable is incredibly complicated, and the code
contains several races which, if triggered, can cause Xen to drop or
retain extra type counts, potentially allowing guests to get write
access to in-use pagetables.
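The following toy model, added here as an illustration and not taken from Xen's source, shows the reference-counting discipline the description above relies on: a page carries a type and a count, the type may only change when the count is zero, promoting a table recursively takes references on the pages its entries point at, a promotion can be preempted (modelled by a budget) and resumed from a recorded restart point, and demotion must release exactly the references promotion took. The names `get_page_type`, `put_page_type`, `T_L1`/`T_L2`, the two-level layout and the `partial`/`validated` fields are simplifications chosen for this example; Xen's real implementation packs type and count into a single word with `PGT_*` flags and has four levels. The two scenarios check the invariant that a fix for this class of bug has to preserve: an in-use pagetable cannot be taken writable, a refused promotion is fully undone, and after every reference is dropped no page is left typed, counted or partially validated.

```c
#include <string.h>

/* Toy model of PV page typing, constructed for this example; not Xen's code. */
enum ptype { T_NONE = 0, T_WRITABLE, T_L1, T_L2 };
enum { OK = 0, RESTART = 1, ERR_BUSY = -1 };
#define NPAGES  8
#define ENTRIES 4   /* toy pagetables hold four entries */

struct page {
    enum ptype type;
    unsigned count;      /* type refcount; the type may change only when 0 */
    int partial;         /* a promotion is in progress and must be resumed */
    unsigned validated;  /* entries validated so far: the restart point */
    int entry[ENTRIES];  /* toy PTEs: index of the referenced page, or -1 */
};
static struct page pages[NPAGES];

/* What a table of type t references: L2 -> L1 tables, L1 -> writable data. */
static enum ptype child_type(enum ptype t)
{
    return t == T_L2 ? T_L1 : t == T_L1 ? T_WRITABLE : T_NONE;
}

static void put_page_type(int idx);

/* Demote: release the refs promotion took on validated entries, untype the page. */
static void demote(struct page *pg)
{
    if (child_type(pg->type) != T_NONE)
        for (unsigned i = 0; i < pg->validated; i++)
            if (pg->entry[i] >= 0) put_page_type(pg->entry[i]);
    pg->type = T_NONE; pg->count = 0; pg->partial = 0; pg->validated = 0;
}

/* Drop one type reference; the last one demotes the page. */
static void put_page_type(int idx)
{
    struct page *pg = &pages[idx];
    if (pg->count == 0) return;   /* an unbalanced put is the bug class at issue */
    if (--pg->count == 0) demote(pg);
}

/* Take a type ref, promoting and recursively validating if needed. Each entry
 * costs one unit of *budget; when it runs out the table stays partially
 * validated and RESTART is returned, so the caller repeats the same call. On
 * OK the caller holds one ref; on an error nothing is left held. */
static int get_page_type(int idx, enum ptype want, unsigned *budget)
{
    struct page *pg = &pages[idx];
    if (pg->partial) {
        if (pg->type != want) return ERR_BUSY;     /* someone else's promotion */
    } else if (pg->type == want && pg->count > 0) {
        pg->count++; return OK;                    /* already that type */
    } else if (pg->count != 0) {
        return ERR_BUSY;                           /* in use: demote first */
    } else {
        pg->type = want; pg->count = 1; pg->partial = 1; pg->validated = 0;
    }
    if (child_type(want) != T_NONE)
        for (; pg->validated < ENTRIES; pg->validated++) {
            int child = pg->entry[pg->validated];
            if (child < 0) continue;
            if (*budget == 0) return RESTART;      /* preempted mid-validation */
            (*budget)--;
            int r = get_page_type(child, child_type(want), budget);
            if (r == RESTART) return RESTART;      /* the child is now partial */
            if (r < 0) { demote(pg); return r; }   /* undo everything so far */
        }
    pg->partial = 0;
    return OK;
}

/* Constructed layout: page 0 is an L2 over L1s 1 and 2, each over two data pages. */
static void setup(void)
{
    memset(pages, 0, sizeof pages);
    for (int i = 0; i < NPAGES; i++)
        for (int j = 0; j < ENTRIES; j++) pages[i].entry[j] = -1;
    pages[0].entry[0] = 1; pages[0].entry[1] = 2;
    pages[1].entry[0] = 3; pages[1].entry[1] = 4;
    pages[2].entry[0] = 5; pages[2].entry[1] = 6;
}

/* Invariant: once every ref is dropped, no page keeps a type, count or partial state. */
static int all_untyped(void)
{
    for (int i = 0; i < NPAGES; i++)
        if (pages[i].type != T_NONE || pages[i].count || pages[i].partial) return 0;
    return 1;
}

/* Promote page 0 with a budget that forces restarts, confirm an in-use L1
 * cannot be taken writable, demote, and check the counts balance.
 * Returns 1 on success; *steps receives the number of calls promotion needed. */
static int scenario_restart(int *steps)
{
    unsigned budget; int r;
    setup(); *steps = 0;
    do { budget = 2; r = get_page_type(0, T_L2, &budget); (*steps)++; } while (r == RESTART);
    if (r != OK) return 0;
    budget = 1;
    if (get_page_type(1, T_WRITABLE, &budget) != ERR_BUSY) return 0;
    put_page_type(0);
    return all_untyped();
}

/* Promotion of page 0 must fail, and be fully undone, while page 1 is held
 * writable: a page has to be demoted before it can be re-typed. */
static int scenario_refused(void)
{
    unsigned budget = 100; int ok;
    setup();
    get_page_type(1, T_WRITABLE, &budget);
    ok = get_page_type(0, T_L2, &budget) == ERR_BUSY
         && pages[0].type == T_NONE && pages[1].count == 1;
    put_page_type(1);
    return ok && all_untyped();
}
```

With a budget of two entries per call, `scenario_restart` needs four calls before page 0 is fully promoted; in between, the partially validated tables hold exactly the references they have taken so far, which is the state the real code has to keep consistent across preemption and on error paths, and which the fixes in this advisory repair.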

IMPACT
======

A malicious PV guest administrator may be able to escalate their
privilege to that of the host.

VULNERABLE SYSTEMS
==================

All x86 systems with untrusted PV guests are vulnerable.

HVM and PVH guests cannot exercise this vulnerability.
ARM systems are not vulnerable because ARM guests are all PVH.

All security-supported Xen versions are vulnerable.

Note that these attacks require very precise timing, which may
be difficult to exploit in practice.

MITIGATION
==========

Running only HVM or PVH guests will avoid this vulnerability.

Running PV guests in "shim" mode will also avoid this vulnerability.

CREDITS
=======

This issue was discovered by George Dunlap of Citrix.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa299/*.patch xen-unstable
xsa299-4.12/*.patch Xen 4.12.x
xsa299-4.11/*.patch Xen 4.11.x
xsa299-4.10/*.patch Xen 4.10.x
xsa299-4.9/*.patch Xen 4.9.x
xsa299-4.8/*.patch Xen 4.8.x

$ sha256sum xsa299* xsa299*/*
687fb0f3273a424726edb4d249b79cfc45d1ef7000610405b11eaac49baecaa8 xsa299.meta
6c8f46e57f61a5e1e2e5e628a32e4c9ae144218ce475309811bb9900d3fdda48 xsa299-4.8/0001-x86-mm-Clean-up-trailing-whitespace.patch
3409e71ed7bc199bcda33892ea6f70fe257c4f3906d74b4a6f4352415daeedb0 xsa299-4.8/0002-x86-mm-L1TF-checks-don-t-leave-a-partial-entry.patch
1179fe0f1a591c542478bf8614501f8ddb67e342d7d452f6bff3b6a999f2b20f xsa299-4.8/0003-x86-mm-Don-t-re-set-PGT_pinned-on-a-partially-de-val.patch
bc0352a1d82079c4072cc3871d0d397f7abb3c0480dfc3c5c542091d2ec7d7b0 xsa299-4.8/0004-x86-mm-Separate-out-partial_pte-tristate-into-indivi.patch
2b96857ef3e0f8259df7ad01600f1c30ca234668d6f26744c2ae0d3d7dded090 xsa299-4.8/0005-x86-mm-Use-flags-for-_put_page_type-rather-than-a-bo.patch
fe119a8255e23a86845fa1ac5f93afa25acdaff705061c172ea9e0589b0bc1a4 xsa299-4.8/0006-x86-mm-Rework-get_page_and_type_from_mfn-conditional.patch
562415d5fdb4e173443a2aa211094743a722ef1fe5a2d19c59cb3d329e101984 xsa299-4.8/0007-x86-mm-Have-alloc_l-23-_table-clear-partial_flags-wh.patch
454296ac46ea5feea8866101e7c953bf6dbd37a5275f7b006eeb6d22cbae387d xsa299-4.8/0008-x86-mm-Always-retain-a-general-ref-on-partial.patch
f203a70da67f304c2ede516ef989b58ace6774eeee4eca919631c75f09860ba3 xsa299-4.8/0009-x86-mm-Collapse-PTF_partial_set-and-PTF_partial_gene.patch
1f4877c10ead99c51d822d29ebaed9774cdb97cca869fe1a1ccf905540e291c7 xsa299-4.8/0010-x86-mm-Properly-handle-linear-pagetable-promotion-fa.patch
733d260d731cce9902d66dc5b42ae9d10a319acda6dadcc426b6dfeba6e917da xsa299-4.8/0011-x86-mm-Fix-nested-de-validation-on-error.patch
cd105c15e2fd915644cb7d31000df60e51d1054a807b575d5436ccb87c1e9a18 xsa299-4.8/0012-x86-mm-Don-t-drop-a-type-ref-unless-you-held-a-ref-t.patch
d8db456679e652f5a33a0a448d379e3a88b0cf7ce1415ee46007873cfb6f49b7 xsa299-4.9/0001-x86-mm-Clean-up-trailing-whitespace.patch
e54df901b5f13d70643938ff365a09a43725637511251efc3ac55c45b80016f5 xsa299-4.9/0002-x86-mm-L1TF-checks-don-t-leave-a-partial-entry.patch
8da540f32ff77f5871f646a6ef2847bc3adc2aecfa4698dcec4335b72e758616 xsa299-4.9/0003-x86-mm-Don-t-re-set-PGT_pinned-on-a-partially-de-val.patch
e97044ffb5edcc7f1094dd47e365f2f29971cacf784d8aaa9a0e42f770ca899d xsa299-4.9/0004-x86-mm-Separate-out-partial_pte-tristate-into-indivi.patch
53977fd090d488f484e6191c6b68cbc59f771d8cf4aeb230b7b9f8ddc891a58e xsa299-4.9/0005-x86-mm-Use-flags-for-_put_page_type-rather-than-a-bo.patch
d10b9d434d341ac380e8a9c6fc4b3ddec8baf8dec9d565c2e66867f8d05497ba xsa299-4.9/0006-x86-mm-Rework-get_page_and_type_from_mfn-conditional.patch
7e01debdbe59cfa734e63b5c9d5c2799aa25f961f0d065ce8c8bdb64d577b164 xsa299-4.9/0007-x86-mm-Have-alloc_l-23-_table-clear-partial_flags-wh.patch
12f0732907547367645db6300cff959f15118b91503165dc2c66083769ac7e56 xsa299-4.9/0008-x86-mm-Always-retain-a-general-ref-on-partial.patch
06044bf56130dd845e08ed9af75f4aade186d48b1cea88d7862026bbe0bf51af xsa299-4.9/0009-x86-mm-Collapse-PTF_partial_set-and-PTF_partial_gene.patch
2fea704a716d6ff8a589fba7bf5d71443e2b52f41f591f8173d50dcb3ba9a94b xsa299-4.9/0010-x86-mm-Properly-handle-linear-pagetable-promotion-fa.patch
4bcfd94bdd77726e8ea1069081f5f544705b22752a185ee4e1f58c730a902b74 xsa299-4.9/0011-x86-mm-Fix-nested-de-validation-on-error.patch
580fa03182e40f122e3d21a5c71183b6a9500eae2afba490cf43514b75e15062 xsa299-4.9/0012-x86-mm-Don-t-drop-a-type-ref-unless-you-held-a-ref-t.patch
c3bde8f42e75c0f98c22938267f947d4729e7372510dededa3750699ac8cb2f5 xsa299-4.10/0001-x86-mm-L1TF-checks-don-t-leave-a-partial-entry.patch
0794fd0d20d71367977926f2393e354d4a43452a51f421616fa413acd68bf24a xsa299-4.10/0002-x86-mm-Don-t-re-set-PGT_pinned-on-a-partially-de-val.patch
0591cd2fa566fcec43e2aa6e1cfb92629c816e55c7548b2534c5a7a84505cd06 xsa299-4.10/0003-x86-mm-Separate-out-partial_pte-tristate-into-indivi.patch
736966986c43bcdfcbf337fc87af6f430458bad5d105b33f7dfa0a1eb72f2416 xsa299-4.10/0004-x86-mm-Use-flags-for-_put_page_type-rather-than-a-bo.patch
416db71e950838dbf5d024ae9ba8bb6e6685314608543fd8df0516db7786b811 xsa299-4.10/0005-x86-mm-Rework-get_page_and_type_from_mfn-conditional.patch
7d84aaf129401faa863565df084e776413dd07ec440c1a67db961b8a147651a4 xsa299-4.10/0006-x86-mm-Have-alloc_l-23-_table-clear-partial_flags-wh.patch
59d37dc3cfd811bcbbedb72ca9d80eb2d460dce4e373e581c88fdb6b874b4111 xsa299-4.10/0007-x86-mm-Always-retain-a-general-ref-on-partial.patch
746156888f0dc4a75164cd668dd05fdf3d9b11cc96205785384f84ebcd1df4ae xsa299-4.10/0008-x86-mm-Collapse-PTF_partial_set-and-PTF_partial_gene.patch
bcc54d2b0653e584c89c0d219d5cd82e94c2629033ea8f1b22dfd3f373267bf5 xsa299-4.10/0009-x86-mm-Properly-handle-linear-pagetable-promotion-fa.patch
4829ba66647d344f1eaad632fddab4c8c51db513d1ae18385dec195b86e76936 xsa299-4.10/0010-x86-mm-Fix-nested-de-validation-on-error.patch
7ad0b06d2748da4e4b317f4cc8c829c7fb451bf86ad778d97d231acff7cfd940 xsa299-4.10/0011-x86-mm-Don-t-drop-a-type-ref-unless-you-held-a-ref-t.patch
225fec9475b5992338ce19da982a759b3a551c653dbbb280295b00018a107d28 xsa299-4.11/0001-x86-mm-L1TF-checks-don-t-leave-a-partial-entry.patch
fa910f573bde107b90fef4568fa500bf875d7303ac93642ed8a135d639bf7f0e xsa299-4.11/0002-x86-mm-Don-t-re-set-PGT_pinned-on-a-partially-de-val.patch
f5fcf8ab6940d85fe43de61463ff00bcf17a22b94da4f2b28fa45d714b0255d0 xsa299-4.11/0003-x86-mm-Separate-out-partial_pte-tristate-into-indivi.patch
e1e49d767f08889b518423935869332a40f87e824bb93a0c2707f1f99e9f0328 xsa299-4.11/0004-x86-mm-Use-flags-for-_put_page_type-rather-than-a-bo.patch
c0f5ce00516491b1f3d2eccf25fbd67d409d855e3d4b423490f1bc37b4477e87 xsa299-4.11/0005-x86-mm-Rework-get_page_and_type_from_mfn-conditional.patch
4562543c497c17cc3a793f67a75824043ca3dea69ccc456bf9f5546825282f0e xsa299-4.11/0006-x86-mm-Have-alloc_l-23-_table-clear-partial_flags-wh.patch
90bc777691225eb4c55804702c2cd7f2913317b13334c27b9437ee60be672cca xsa299-4.11/0007-x86-mm-Always-retain-a-general-ref-on-partial.patch
7903c9599ee47dc05647e5ec7a6ce3fe5e6331b527551286897429e97cf56f61 xsa299-4.11/0008-x86-mm-Collapse-PTF_partial_set-and-PTF_partial_gene.patch
c1ae9bad93e11a4a9253265318b67b45865e566b17ddd7f167bb88197a9b700c xsa299-4.11/0009-x86-mm-Properly-handle-linear-pagetable-promotion-fa.patch
49a21bd396ab4af6b82aaa38dac733f4fde806587b5b126cd656f725b9c8eee7 xsa299-4.11/0010-x86-mm-Fix-nested-de-validation-on-error.patch
09df369fa52335e3e560af593d4e9843bab1da24aa1b4c905f9ea1ce8441af6e xsa299-4.11/0011-x86-mm-Don-t-drop-a-type-ref-unless-you-held-a-ref-t.patch
d27f07eb0020181487ec9dda15c6331125d6b0505fdce1ae67c0a9b524159e11 xsa299-4.12/0001-x86-mm-L1TF-checks-don-t-leave-a-partial-entry.patch
00c2fb77366c427e226315cfb1cda1c67ce495ec8a0b400ff30924bc399bf283 xsa299-4.12/0002-x86-mm-Don-t-re-set-PGT_pinned-on-a-partially-de-val.patch
bc88c216e438af9e1dddf1e5374fd1c78c9867e8908ba3016c72d999aebaea4b xsa299-4.12/0003-x86-mm-Separate-out-partial_pte-tristate-into-indivi.patch
cc6416c6311be82a2b89d5b14ceb9ecc6cb92ce9286bb03b91083c661186d28d xsa299-4.12/0004-x86-mm-Use-flags-for-_put_page_type-rather-than-a-bo.patch
732fbb80a6fc6364945e1b6534c921d503e2369c3cd25f425096549b71f75fa0 xsa299-4.12/0005-x86-mm-Rework-get_page_and_type_from_mfn-conditional.patch
20e37b3712b66111193bed02b368aff2ee0e7896dd55b5e6c928fbc97ec618b3 xsa299-4.12/0006-x86-mm-Have-alloc_l-23-_table-clear-partial_flags-wh.patch
20bec098f3ad474093ce33e4ae5e8cee5ff9f8504107c8a4ff76f2731abbab13 xsa299-4.12/0007-x86-mm-Always-retain-a-general-ref-on-partial.patch
71addb8014eeb51a6adc4377aaa4b74ac611a28a6f62865f7020a536a1a9cbc5 xsa299-4.12/0008-x86-mm-Collapse-PTF_partial_set-and-PTF_partial_gene.patch
71bd7d75f7878571d4ea4351ea10f487a1c1a86765f67c85a25308d5df24a40e xsa299-4.12/0009-x86-mm-Properly-handle-linear-pagetable-promotion-fa.patch
1e58d49f72c1eb158db08a17a3805e2144c0d468b6388a9a8795b67f80a699a5 xsa299-4.12/0010-x86-mm-Fix-nested-de-validation-on-error.patch
67594f941f8cecbc0ff87dfedbdbd43f4e4234d049c1a5d62143153ae96954c1 xsa299-4.12/0011-x86-mm-Don-t-drop-a-type-ref-unless-you-held-a-ref-t.patch
08179d90ea327bca328f3a45198c31166df2aa6fb459b148dd74c716c1d5bb88 xsa299/0001-x86-mm-L1TF-checks-don-t-leave-a-partial-entry.patch
d37e7b4dd3c9d7da14a287d9fe6807f81d95bba8bdab79b729ed5aa3350fad70 xsa299/0002-x86-mm-Don-t-re-set-PGT_pinned-on-a-partially-de-val.patch
660fc01fb09aee7628d65d7893ec11bf77cfe79543e390656b59f0e60334d058 xsa299/0003-x86-mm-Separate-out-partial_pte-tristate-into-indivi.patch
2dc6ad4233ec572ba21632ab80b6149541f3169affb792e31930e3f7c6e72fc6 xsa299/0004-x86-mm-Use-flags-for-_put_page_type-rather-than-a-bo.patch
175fd90422bf00879de2129cd1a86bbdeb1c15ff344d286ab9634bc3f1512c03 xsa299/0005-x86-mm-Rework-get_page_and_type_from_mfn-conditional.patch
afa26c8850085412a787d7f0cb3031f15181ee2c9b3b1a9b4a007bff7404457f xsa299/0006-x86-mm-Have-alloc_l-23-_table-clear-partial_flags-wh.patch
6f0502b2377db2115faf9c7bcbf35898013dcec74170950c3aa7a0586ff1e174 xsa299/0007-x86-mm-Always-retain-a-general-ref-on-partial.patch
787c3eeaadfed46947fb17773fa8f9e9efe891658d7460eaf5291a4ca6155123 xsa299/0008-x86-mm-Collapse-PTF_partial_set-and-PTF_partial_gene.patch
77341c4d0ab62fbb7090d2a6b60902467563ae470ac0807ef40a3ac791d2933a xsa299/0009-x86-mm-Properly-handle-linear-pagetable-promotion-fa.patch
e489f49f8783fb388161365072da585c049e05d80306cf963cec5ecbb3bc67c7 xsa299/0010-x86-mm-Fix-nested-de-validation-on-error.patch
17b9ae71c150747bff4d57eee8a918b1961e880e25ae2b9c0dbe933e005cb1a0 xsa299/0011-x86-mm-Don-t-drop-a-type-ref-unless-you-held-a-ref-t.patch
$

NOTE ON RESOLUTION
==================

Even with these fixes, the code is still very complicated. After the
embargo is up, we plan to try getting rid of automatic recursive
pagetable promotion entirely, instead requiring guest operating
systems to promote pages one-by-one themselves. This would obviate
the need to have restartable operations, greatly simplifying the
reference counting code.

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decision-making.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAl2601kMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZiYAIAMx46nYNIJ5KwV4rCKkBW1O/EDOc5dqt9PjlIKWR
PbJ4rrs9ZObvRh1Xw7nNM/leexHNYClWGAGPp/pLOyfF4nw/9B13jMF0C39vP4Fd
FMzM0jKyZreWTU38NqkrAVHbawyZNkS//1PITZy6LvA+DvwsHBz34qFsUX8Fw3vd
pu7izoozEFCzTie0zrUqwKV7yIyJ+3u3b/SjGuou0nxrbyIGuz/HIxazcFxJWwZh
4Zww3yKWMvXVedg8a2ZP5Fi+8+ePurOKz6g48gOWYefCPYXASrEaAf6s2WUp9Yi1
akddy2WIHzqd3HfOqEVKE5y8bjVvEft7mOIqOVeJBpEzh1s=
=633F
-----END PGP SIGNATURE-----