|
Message-Id: <E1gP62p-0000ba-Bx@xenbits.xenproject.org> Date: Tue, 20 Nov 2018 13:26:23 +0000 From: Xen.org security team <security@....org> To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org, xen-users@...ts.xen.org, oss-security@...ts.openwall.com CC: Xen.org security team <security-team-members@....org> Subject: Xen Security Advisory 275 v2 - insufficient TLB flushing / improper large page mappings with AMD IOMMUs -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory XSA-275 version 2 insufficient TLB flushing / improper large page mappings with AMD IOMMUs UPDATES IN VERSION 2 ==================== Public release. ISSUE DESCRIPTION ================= In order to be certain that no undue access to memory is possible anymore after IOMMU mappings of this memory have been removed, Translation Lookaside Buffers (TLBs) need to be flushed after most changes to such mappings. Xen bypassed certain IOMMU flushes on AMD x86 hardware. Furthermore logic exists Xen to re-combine small page mappings into larger ones. Such re-combination could have occured in cases when it was not really safe/correct to do so. IMPACT ====== A malicious or buggy guest may be able to escalate its privileges, may cause a Denial of Service (DoS) affecting the entire host, or may be able to access data it is not supposed to access (information leak). VULNERABLE SYSTEMS ================== Xen versions from at least 3.2 onwards are affected. Note that the situation is worse in 4.1 and earlier, in that there's no flushing of the TLB at all. Only systems with AMD x86 hardware with enabled IOMMU are affected. ARM and Intel x86 systems, and AMD x86 systems without enabled IOMMU, are not affected. Only systems where physical PCI devices are assigned to untrusted guests are vulnerable. MITIGATION ========== There is no known mitigation for affected system/guest combinations. CREDITS ======= This issue was discovered by Paul Durrant of Citrix. RESOLUTION ========== Applying the appropriate set of attached patches resolves this issue. xsa275-?.patch xen-unstable xsa275-4.11-?.patch Xen 4.11.x ... Xen 4.8.x xsa275-4.7-?.patch Xen 4.7.x $ sha256sum xsa275* b5a02598cd2cffcc2cb59c724eeabb50220fa55f2cbe571726a5228909bf7bfe xsa275.meta 7a3360e61fbb088f7d9f2b92921c9dceb08a1e01563c42ba4cf4a9999fe42fc4 xsa275-1.patch 4783a3abd2d87386ce9a7b790666ad398c5e027a6a146fce6424f0bcbfd8a7c6 xsa275-2.patch 49844d06f24ea129f1a501b4b0d5cb6ec3b288f3a2b41377ce793cc6fc81a788 xsa275-4.7-1.patch 7ea8bf2ff2c8c92cb064a70959a1148229c4577109015bd5aab72603ccb8f7e3 xsa275-4.7-2.patch 15d1aa7528368ed92caf8ea9baf77a406e1de26d0697dafd8a85da0d66eb95dc xsa275-4.11-1.patch 0806e8c904ac9e8eb89404dffd227fcd56da84b7eb0150ee1e9b4bee54a05b4e xsa275-4.11-2.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAlv0C2kMHHBncEB4ZW4u b3JnAAoJEIP+FMlX6CvZEmUIAJh8KKnerBI188shqJlCI2yr3qXG75xsnwQSR4Xd 5lIRLQepG92cPkJa6RPWelJY0rHmPTlFj+apO7k4ZOG4WsZkp8vK16pkOiCGP8wI J7UXfdxj9twOEbvLUE+Xe4bJI7/GQ9UbHefZ5LMdive6jYkq20ZUD7nZOBsXDX7r znb6plF62VzhoGvvL2yLyZRnRJfs91bNfnqPZG54tHDPXFTntVZghrIYKW8kboNF LZNi8fMrk0URy6uUkF2YpzLZ+JoMlPMVPEX3c+bx5xFm7xZc37rGmbHaj+L/5ViY 8e+2EEhzIGYI7liTSgKOzlkxolJ08bd/xolVAAo8vNeHjHo= =noV1 -----END PGP SIGNATURE----- Download attachment "xsa275.meta" of type "application/octet-stream" (1572 bytes) Download attachment "xsa275-1.patch" of type "application/octet-stream" (4463 bytes) Download attachment "xsa275-2.patch" of type "application/octet-stream" (2441 bytes) Download attachment "xsa275-4.7-1.patch" of type "application/octet-stream" (4214 bytes) Download attachment "xsa275-4.7-2.patch" of type "application/octet-stream" (3680 bytes) Download attachment "xsa275-4.11-1.patch" of type "application/octet-stream" (4217 bytes) Download attachment "xsa275-4.11-2.patch" of type "application/octet-stream" (2420 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.