[Xen-announce] Xen Security Advisory 291 v2 - x86/PV: page type reference counting issue with failed IOMMU update

            Xen Security Advisory XSA-291
                      version 2

 x86/PV: page type reference counting issue with failed IOMMU update

UPDATES IN VERSION 2
====================

Metadata updated to remove dependency on XSA-283.

Public release.

ISSUE DESCRIPTION
=================

When an x86 PV domain has a passed-through PCI device assigned, IOMMU
mappings may need to be updated when the type of a particular page
changes.  Such an IOMMU operation may fail.  In the event of failure,
while at present the affected guest would be forcibly crashed, the
already recorded additional type reference was not dropped again.  This
causes a bug check to trigger while cleaning up after the crashed
guest.

IMPACT
======

Malicious or buggy x86 PV guest kernels can mount a Denial of Service
(DoS) attack affecting the whole system.

VULNERABLE SYSTEMS
==================

Xen versions from 4.8 onwards are vulnerable.

Only x86 systems are vulnerable.  ARM systems are not vulnerable.

Only x86 PV guests can exploit the vulnerability.  x86 HVM and PVH
guests cannot exploit the vulnerability.

Only guests which are assigned a physical device can exploit this
vulnerability.  Guests which are not assigned physical devices cannot
exploit this vulnerability.

MITIGATION
==========

Running only HVM or PVH guests avoids the vulnerability.

Not passing through PCI devices to PV guests also avoids the
vulnerability.

CREDITS
=======

This issue was discovered by Igor Druzhinin and Andrew Cooper of
Citrix.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa291.patch           xen-unstable
xsa291-4.11.patch      Xen 4.11.x, Xen 4.10.x
xsa291-4.9.patch       Xen 4.9.x, Xen 4.8.x

$ sha256sum xsa291*
01883c11ae45a5771644270445e463538a61d98c66adbba852de74ccd272eae9  xsa291.meta
fb5f2a75ba113f21e9cb2dfbc22520495c69a4fef631c030a4834c680045e587  xsa291.patch
299bb4913e7ddb46ce90f415f91ee5e5480050631281c87e1a764b66fb116d89  xsa291-4.9.patch
16087ba5c59b9644f4f61c0c7fa124d9e04e88089b235aaae91daa04cdf1b8a1  xsa291-4.11.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html

Attachment: xsa291.meta
Attachment: xsa291.patch
Attachment: xsa291-4.9.patch
Attachment: xsa291-4.11.patch
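
The reference-counting error described under ISSUE DESCRIPTION, shown as an added illustration that is neither Xen source code nor part of the advisory. It is a simplified C model in which every name (struct page, iommu_update, get_type_ref_leaky, get_type_ref_fixed, refs_left_after_teardown) is hypothetical: a failure path that leaves a recorded reference behind, next to the form that drops it.

```c
/* Simplified model, not Xen source; every name here is hypothetical. */
#include <stdbool.h>
#include <stdio.h>

struct page { unsigned int type_count; };   /* outstanding type references */
/* Stand-in for an IOMMU mapping update that may fail. */
static int iommu_update(bool fail) { return fail ? -1 : 0; }

/* Failure path returns with the recorded reference still in place. */
int get_type_ref_leaky(struct page *pg, bool iommu_fails)
{
    pg->type_count++;
    if (iommu_update(iommu_fails) != 0)
        return -1;                           /* reference leaked */
    return 0;
}

/* Failure path drops the recorded reference before reporting the error. */
int get_type_ref_fixed(struct page *pg, bool iommu_fails)
{
    pg->type_count++;
    if (iommu_update(iommu_fails) != 0) {
        pg->type_count--;
        return -1;
    }
    return 0;
}

typedef int (*get_fn)(struct page *, bool);
/* Take n references, with attempt fail_at hitting an IOMMU failure, then drop
 * one per successful get. Non-zero left over would trip a cleanup check. */
unsigned int refs_left_after_teardown(get_fn get, int n, int fail_at)
{
    struct page pg = { 0 };
    int held = 0;
    for (int i = 0; i < n; i++)
        if (get(&pg, i == fail_at) == 0)
            held++;
    while (held-- > 0)
        pg.type_count--;
    return pg.type_count;
}

int main(void)
{
    printf("leaky: %u left, fixed: %u left\n",
           refs_left_after_teardown(get_type_ref_leaky, 3, 1),
           refs_left_after_teardown(get_type_ref_fixed, 3, 1));
    return 0;
}
```

In the model the caller only releases references for calls that succeeded, so the one recorded during the failed call is never accounted for unless the failure path itself undoes it.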