[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Xen Security Advisory 458 v2 (CVE-2024-31143) - double unlock in x86 guest IRQ handling



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2024-31143 / XSA-458
                               version 2

                double unlock in x86 guest IRQ handling

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

An optional feature of PCI MSI called "Multiple Message" allows a
device to use multiple consecutive interrupt vectors.  Unlike for MSI-X,
the setting up of these consecutive vectors needs to happen all in one
go.  In this handling an error path could be taken in different
situations, with or without a particular lock held.  This error path
wrongly releases the lock even when it is not currently held.

IMPACT
======

Denial of Service (DoS) affecting the entire host, crashes, information
leaks, or elevation of privilege all cannot be ruled out.

VULNERABLE SYSTEMS
==================

Xen versions 4.4 and newer are vulnerable.  Xen versions 4.3 and older
are not vulnerable.

Only x86 guest which have a multi-vector MSI capable device passed
through to them can leverage the vulnerability.

MITIGATION
==========

Not passing through multi-vector MSI capable devices to x86 guests will
avoid the vulnerability.

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

Applying the attached patch resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa458.patch           xen-unstable - Xen 4.16.x

$ sha256sum xsa458*
22dd1071755b1fd6b4ea3ce18a200f626ee796e77b7e7d93a3a5b33d2a896706  xsa458.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patch described above (or others which are
substantially similar) is permitted during the embargo, even on
public-facing systems with untrusted guest users and administrators.

HOWEVER, deployment of the mitigation is NOT permitted (except where
all the affected systems and VMs are administered and used only by
organisations which are members of the Xen Project Security Issues
Predisclosure List).  Specifically, deployment on public cloud systems
is NOT permitted.

This is because removing/replacing of pass-through devices or their
replacement by emulated devices is a guest visible configuration
change, which may lead to re-discovery of the issue.

Deployment of this mitigation is permitted only AFTER the embargo ends.

AND: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmaWYKoMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZKLgH/1uXqtha34XUX2xCayPYMss6yIwXDuugw4Z/F8Ap
tb+p65idTw5s2X0BXLpCcvhBZNY151DQXi0BZhTMewO8+JxrdjKPLthNSkGtF+/W
issUCQ9cuSj84n7n5AeMq1WDqVBYMnqNlgrsv9oiKAQ5g+9Rf8Mpu7RG1NrNcTCs
CfeDgMTOQcBuYG2xW2+46SXHVXKLA28uq6w4nIns4JpPF63DUJQKDDdypky1CSf1
9Z81Axi3cpk3NPvTw7TW2csO1C04XBVJvVVHJtUF1FVUhe0NboQy/zbh2te3QdJ8
KPXsQ55p0AZm3x8K2qM+Lsm1DqYhG5/ORMGC/+bXWc2H/nU=
=ZqmX
-----END PGP SIGNATURE-----

Attachment: xsa458.patch
Description: Binary data


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.