
Xen Security Advisory 343 v4 (CVE-2020-25599) - races with evtchn_reset()



            Xen Security Advisory CVE-2020-25599 / XSA-343
                               version 4

                       races with evtchn_reset()

UPDATES IN VERSION 4
====================

Fix build of backports of patch 3.  Adjust affected versions.

Public release.

ISSUE DESCRIPTION
=================

Uses of EVTCHNOP_reset (potentially by a guest on itself) or
XEN_DOMCTL_soft_reset (by itself covered by XSA-77) can lead to the
violation of various internal assumptions.  This may lead to out of
bounds memory accesses or triggering of bug checks.

IMPACT
======

In particular x86 PV guests may be able to elevate their privilege to
that of the host.  Host and guest crashes are also possible, leading to
a Denial of Service (DoS).  Information leaks cannot be ruled out.

VULNERABLE SYSTEMS
==================

All Xen versions from 4.5 onwards are vulnerable.  Xen versions 4.4 and
earlier are not vulnerable.

MITIGATION
==========

There is no known mitigation.

CREDITS
=======

Different aspects of this issue were discovered by Julien Grall of
Amazon and by Jan Beulich of SUSE.

RESOLUTION
==========

Applying the appropriate set of attached patches resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa343/xsa343-?.patch           Xen 4.13 - xen-unstable
xsa343/xsa343-4.12-?.patch      Xen 4.12
xsa343/xsa343-4.11-?.patch      Xen 4.11
xsa343/xsa343-4.10-?.patch      Xen 4.10


DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decision-making.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html