Message-Id: <E1kUqJZ-0001xT-Qb@xenbits.xenproject.org>
Date: Tue, 20 Oct 2020 12:00:29 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org, xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security-team-members@....org>
Subject: Xen Security Advisory 286 v4 - x86 PV guest INVLPG-like flushes may leave stale TLB entries

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory XSA-286
                              version 4

  x86 PV guest INVLPG-like flushes may leave stale TLB entries

UPDATES IN VERSION 4
====================

Warn about performance impact.

Public release.

ISSUE DESCRIPTION
=================

x86 PV guest kernels may use hypercalls with INVLPG-like behavior to
invalidate TLB entries even after changes to non-leaf page tables.
Such changes to non-leaf page tables will, however, also render stale
possible TLB entries created by Xen's internal use of linear page
tables to process guest requests like update-va-mapping.  Invalidation
of these TLB entries has been missing, allowing subsequent guest
requests to change address mappings for one process to potentially
modify memory meanwhile in use elsewhere.

IMPACT
======

A malicious x86 PV guest user-mode process may be able to escalate its
privilege to that of the guest kernel.

VULNERABLE SYSTEMS
==================

All versions of Xen expose the vulnerability.

The vulnerability is exposed to x86 PV guests only.  x86 HVM/PVH
guests as well as ARM ones are not vulnerable.

MITIGATION
==========

There is no known mitigation.

CREDITS
=======

This issue was discovered by Jann Horn of Google Project Zero.

RESOLUTION
==========

Applying the appropriate set of attached patches resolves this issue.

Note that these patches are known to produce serious performance
problems for at least some workloads.  Work is ongoing to improve the
performance, and this XSA will be updated when new patches are
available.
xsa286/*.patch           xen-unstable
xsa286-4.14/*.patch      Xen 4.14.x
xsa286-4.13/*.patch      Xen 4.13.x
xsa286-4.12/*.patch      Xen 4.12.x
xsa286-4.11/*.patch      Xen 4.11.x
xsa286-4.10/*.patch      Xen 4.10.x

$ sha256sum xsa286* xsa286*/*
e67a0828be2157c54282a4cc6956234581d32b793021e12ee61676bad4d3b740  xsa286.meta
95c1650a7e0496577929fd5d3240b14ab69e4086b613a52117fcfd879c9aea0d  xsa286-4.10/0001-x86-shadow-drop-further-32-bit-relics.patch
18218556f8f9218a57dc9afeffddeaa2133fbe2788871082d8b040ab67abb68c  xsa286-4.10/0002-x86-shadow-don-t-pass-wrong-L4-MFN-to-guest_walk_tab.patch
e8c89338a74b5fce9ee2c82e360889123afd7efe72536c236cf521c28e48ecc9  xsa286-4.10/0003-x86-shadow-don-t-use-map_domain_page_global-on-paths.patch
a677ddb308359450087c21085536d64a15d9339cd02a88eecd8d694c9d26837c  xsa286-4.10/0004-x86-don-t-allow-clearing-of-TF_kernel_mode-for-other.patch
927b68d2ffb4afb677b2f3d820f2e12ae61a37a2b4797fdc8316fe65adc0e46f  xsa286-4.10/0005-x86-mm-split-L4-and-L3-parts-of-the-walk-out-of-do_p.patch
9c6dfc0a2bf7408c1852de2410fecbaab48a4b885f8cf4836781d31727f0c69d  xsa286-4.10/0006-x86-mm-check-page-types-in-do_page_walk.patch
e4c0fcbfd558a95d52b5312902b10aced0dd8d23d1d1af5b3f7d39c3641010c4  xsa286-4.10/0007-x86-mm-avoid-using-linear-page-tables-in-map_guest_l.patch
c0e481010cc801c1455008f52e5f2799240223dbfda2f252c872381d30f5af74  xsa286-4.10/0008-x86-mm-avoid-using-linear-page-tables-in-guest_get_e.patch
89cf1192938027eaa7bb38dcbe268f54771bac0e107fa33f4f625c1fef3397c1  xsa286-4.10/0009-x86-mm-avoid-using-top-level-linear-page-tables-in-u.patch
6c01ba250ae9ffcd894f603d519bf3a170c92c9e0bc3bb7a79c3e67412ffcf35  xsa286-4.10/0010-x86-mm-restrict-use-of-linear-page-tables-to-shadow-.patch
21d8f1f05a537bae19088ed28cfb8990c2c19f3f93fbe894f40b354ea7702d3a  xsa286-4.11/0001-x86-don-t-allow-clearing-of-TF_kernel_mode-for-other.patch
6e4023e7d366e53ccda8f80a4b36bd77f194b84ef0a30d1af6f18d56c11c5256  xsa286-4.11/0002-x86-mm-split-L4-and-L3-parts-of-the-walk-out-of-do_p.patch
aabccc3a6c267e41c3ac47916592ce645f6e6788cad900845dbf254801f9dd23  xsa286-4.11/0003-x86-mm-check-page-types-in-do_page_walk.patch
9bbc53a6533209f85edb005e8a517d5a80fda9db8af39b9378eba74857b9fa6b  xsa286-4.11/0004-x86-mm-avoid-using-linear-page-tables-in-map_guest_l.patch
19f09374a4d3383eb1e5b9f0b465ff33e17f71fe7131e6cd61599ac9f79e8b00  xsa286-4.11/0005-x86-mm-avoid-using-linear-page-tables-in-guest_get_e.patch
7b17dd013bdd9520a7c0cec2a6b56da677d980b982b6869865c99f374b3c1560  xsa286-4.11/0006-x86-mm-avoid-using-top-level-linear-page-tables-in-u.patch
c4c52a34efd14745a0a80f15a73daf7d7e72cfdf2925045a5ec1d22c798baaf2  xsa286-4.11/0007-x86-mm-restrict-use-of-linear-page-tables-to-shadow-.patch
e831e18b528d845e3aef329df98244ebed1ade0388f1bfb083d8de626e148388  xsa286-4.12/0001-x86-don-t-allow-clearing-of-TF_kernel_mode-for-other.patch
9db102623f51bb5757fff3a2364a675893ca52e09f47868dad15ce1cb44c40a8  xsa286-4.12/0002-x86-mm-split-L4-and-L3-parts-of-the-walk-out-of-do_p.patch
3b0768c05123681db5256a96af3a8abe18e0a488b767183be728cb0a06969333  xsa286-4.12/0003-x86-mm-check-page-types-in-do_page_walk.patch
30342a0c11e0a48b50cd461b6388dce8640f6380cde1d738a3ddd8b95a8c7b1b  xsa286-4.12/0004-x86-mm-avoid-using-linear-page-tables-in-map_guest_l.patch
3c1a687243e2df7b64a49279cd99ceabdcc00d9f48476faacd8915a9cc61e775  xsa286-4.12/0005-x86-mm-avoid-using-linear-page-tables-in-guest_get_e.patch
c5aacc47b696b74e80e368c25f0deba20aa69e1de6823f334fddd6a40c6f6a22  xsa286-4.12/0006-x86-mm-avoid-using-top-level-linear-page-tables-in-u.patch
07e3f5bcbfbdec070e28fc1bd727b0eb7adc2a75c26636e081800e9939c9bcc2  xsa286-4.12/0007-x86-mm-restrict-use-of-linear-page-tables-to-shadow-.patch
089d284b29b7179b5c9c04beaf90f24b4b79d81eb3bf55b607405755f3f8b6d8  xsa286-4.13/0001-x86-mm-split-L4-and-L3-parts-of-the-walk-out-of-do_p.patch
96a6391f2a027a034f0e3308119b2cc9b3543db985f9975067db42eb553d2ff9  xsa286-4.13/0002-x86-mm-check-page-types-in-do_page_walk.patch
4060ed8ef41314ddf413e307d39254a899a8e65bd28d5dcb6da73a0d922b5cfb  xsa286-4.13/0003-x86-mm-avoid-using-linear-page-tables-in-map_guest_l.patch
38ed58aceaeb3ab4d9991f12ec11b1eaa0a6d4853023e0e59c0d92589ed112b6  xsa286-4.13/0004-x86-mm-avoid-using-linear-page-tables-in-guest_get_e.patch
99a0afbc30acf6df26e152752bb65a1de33d9a0a45a5e7ad7693c01c1d1f53d6  xsa286-4.13/0005-x86-mm-avoid-using-top-level-linear-page-tables-in-u.patch
4ce310f802a3fcc55d704af755ef4f6d04e029cddc7df03827f7518d3a8faaf9  xsa286-4.13/0006-x86-mm-restrict-use-of-linear-page-tables-to-shadow-.patch
36f1631c0880a615de48006fc5318c1b305be2ba5ed9c3cd0dd4ed82bd481bed  xsa286-4.14/0001-x86-mm-split-L4-and-L3-parts-of-the-walk-out-of-do_p.patch
4c10f102b71f26e86b2f5ef9d7bbb31000e389b64185cc23491a113311d70983  xsa286-4.14/0002-x86-mm-check-page-types-in-do_page_walk.patch
ee227e37cb6de2bed50395a72c6ce9493bdfc0018ed2dc70c81334c98751564d  xsa286-4.14/0003-x86-mm-avoid-using-linear-page-tables-in-map_guest_l.patch
4892411356967838e49a5063e80f6169446e460bc3bee8765fe8f4852b801851  xsa286-4.14/0004-x86-mm-avoid-using-linear-page-tables-in-guest_get_e.patch
e840cb758e21be76cfcbd85be82a23bb91e2766d435d314047a62e3b333b7dcb  xsa286-4.14/0005-x86-mm-avoid-using-top-level-linear-page-tables-in-u.patch
16763d9a407ae30d79e1f849d1ae1e03e9a1d5dca15181f5d53f49e4eb4708a2  xsa286-4.14/0006-x86-mm-restrict-use-of-linear-page-tables-to-shadow-.patch
34c00849d8cf56897d5c17c65d83b9ef2f0ce849766c9d7ca07b56de4a4c1307  xsa286/0001-x86-mm-split-L4-and-L3-parts-of-the-walk-out-of-do_p.patch
b82ff481239b72f7b364cc4a66363a812a9205b3e605b215b2267cd6f13f9a06  xsa286/0002-x86-mm-check-page-types-in-do_page_walk.patch
527f7a74c0bee0f137b86b3b6475ff4648266f9dcaa5368df2f06b91efd9dbb8  xsa286/0003-x86-mm-avoid-using-linear-page-tables-in-map_guest_l.patch
fd11aaacef7fd090fbc6409069b57d76a06a7e835b9a9eb5de8e15ace3ffb3e5  xsa286/0004-x86-mm-avoid-using-linear-page-tables-in-guest_get_e.patch
dbfce6e2975d191b6568392593a835b5fc87d3869a5fad1917aecc11d1f2a62a  xsa286/0005-x86-mm-avoid-using-top-level-linear-page-tables-in-u.patch
5ad8a48a603b3fd195168d62d481516999422f86e5bbc65b01cde1ff1d262fb2  xsa286/0006-x86-mm-restrict-use-of-linear-page-tables-to-shadow-.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to
have oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:

  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAl+OzqAMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZf44IAITjC6CiRoB4BdmqcMwpQ2bJbC/XqNN/xV/DXTsg
p0sv0w3lXQQIOIzR7UG70IlA2vjW9LNX6k6qjqDGpOJQn5d2Pbj4jFkd11kq24IK
PWuoxpswQRaVu0CU5aPvvtAIkOu9v0wZ6//M3cpe81h1Pl+Mg413SSArP6qRFjhY
tVdzlBzOwqXYMH5prlvWG+td43D6e5UeMPZM4o4Rkovdjk3QPkpsBrElnlZInmqH
ntbFSTCCUcIpaLRY88yPOksTHXxPtdrDh2l9okNYhLhf7Ywk0z1SWkiueazT15t4
ytDw6OdmYjajqFhI9+FvyYLRiQK+twl6iPUXKarqEQyBbEU=
=ori5
-----END PGP SIGNATURE-----
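The mechanism in ISSUE DESCRIPTION is easier to see in a toy model than in prose: a "linear" (recursive) page table is a top-level slot that points back at the top-level table, which makes every page table readable and writable as ordinary memory at a second, hypervisor-internal virtual address. A guest that replaces a non-leaf entry and then issues an INVLPG-like flush for the address it changed leaves the translation for that second address untouched, so a later update-va-mapping-style request lands in the old table. The program below is an added illustration written for this page; it is not Xen code and not part of the attached patches. Its page-table geometry (two levels, four entries each, recursive slot 3, sixteen pages), the MFN numbers and the function names (`walk`, `translate`, `invlpg`, `update_va_mapping`, `run_scenario`) are all hypothetical.

```c
/* Toy model (added illustration, not Xen code): stale TLB entry for a
 * linear page-table alias after a non-leaf page-table change.
 * VA = [L2 index: 2 bits][L1 index: 2 bits][12-bit offset]; hypothetical layout. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ENTRIES    4
#define PAGE_SHIFT 12
#define L1_SHIFT   PAGE_SHIFT
#define L2_SHIFT   (PAGE_SHIFT + 2)
#define NPAGES     16
#define LIN_SLOT   3            /* L2[3] points back at the L2 page: linear page tables */
#define TLB_SIZE   8
#define INVALID    0xffu

#define MFN_L2     0            /* hypothetical machine frame numbers */
#define MFN_L1A    1
#define MFN_L1B    2
#define MFN_DATA_A 5

/* Each "page" holds 4 entries; page-table pages store the MFN of the next level. */
static uint8_t mem[NPAGES][ENTRIES];

struct tlb_entry { bool valid; uint64_t va_page; uint8_t mfn; };
static struct tlb_entry tlb[TLB_SIZE];

static uint64_t va_page(uint64_t va) { return va >> PAGE_SHIFT; }
static uint64_t make_va(unsigned l2, unsigned l1)
{
    return ((uint64_t)l2 << L2_SHIFT) | ((uint64_t)l1 << L1_SHIFT);
}
/* Address at which the L1 table reached through L2[i] appears as plain memory. */
#define LIN_VA(i) make_va(LIN_SLOT, (i))

/* Hardware-style walk of the in-memory tables; no TLB involved. */
static uint8_t walk(uint64_t va)
{
    unsigned l2 = (va >> L2_SHIFT) & (ENTRIES - 1);
    unsigned l1 = (va >> L1_SHIFT) & (ENTRIES - 1);
    uint8_t l1_mfn = mem[MFN_L2][l2];
    if (l1_mfn >= NPAGES)
        return INVALID;
    return mem[l1_mfn][l1];
}

/* Translate through the TLB; walk and fill on a miss. */
static uint8_t translate(uint64_t va)
{
    for (int i = 0; i < TLB_SIZE; i++)
        if (tlb[i].valid && tlb[i].va_page == va_page(va))
            return tlb[i].mfn;
    uint8_t mfn = walk(va);
    for (int i = 0; i < TLB_SIZE; i++)
        if (!tlb[i].valid) { tlb[i] = (struct tlb_entry){ true, va_page(va), mfn }; break; }
    return mfn;
}

/* INVLPG-like: drop only the translation for this one virtual page. */
static void invlpg(uint64_t va)
{
    for (int i = 0; i < TLB_SIZE; i++)
        if (tlb[i].valid && tlb[i].va_page == va_page(va))
            tlb[i].valid = false;
}

/* Hypervisor-style handling of "update the PTE for guest VA": reach the L1
 * entry through the linear mapping (so the TLB may answer) and write it.
 * Returns the MFN of the page that actually received the write. */
static uint8_t update_va_mapping(uint64_t guest_va, uint8_t new_pte)
{
    unsigned l2 = (guest_va >> L2_SHIFT) & (ENTRIES - 1);
    unsigned l1 = (guest_va >> L1_SHIFT) & (ENTRIES - 1);
    uint8_t table_mfn = translate(LIN_VA(l2));
    if (table_mfn >= NPAGES)
        return INVALID;
    mem[table_mfn][l1] = new_pte;
    return table_mfn;
}

/* Returns the MFN that the second update lands in: MFN_L1B is correct,
 * MFN_L1A means the write went to a table that is no longer in use here. */
uint8_t run_scenario(bool flush_linear_alias_too)
{
    memset(mem, INVALID, sizeof mem);
    memset(tlb, 0, sizeof tlb);
    mem[MFN_L2][0]        = MFN_L1A;     /* guest VA range 0 backed by L1 table A */
    mem[MFN_L2][LIN_SLOT] = MFN_L2;      /* recursive slot */
    mem[MFN_L1A][0]       = MFN_DATA_A;

    uint64_t va0 = make_va(0, 0);
    update_va_mapping(va0, MFN_DATA_A);  /* 1. caches LIN_VA(0) -> MFN_L1A in the TLB */
    mem[MFN_L2][0] = MFN_L1B;            /* 2. non-leaf change: range 0 now uses table B */
    invlpg(va0);                         /*    guest flushes the address it changed ... */
    if (flush_linear_alias_too)
        invlpg(LIN_VA(0));               /*    ... but the alias needs flushing as well */
    return update_va_mapping(va0, 7);    /* 3. which table receives this write? */
}

int main(void)
{
    printf("guest flush only:  wrote table MFN %u (correct would be %u)\n",
           run_scenario(false), MFN_L1B);
    printf("alias flushed too: wrote table MFN %u\n", run_scenario(true));
    return 0;
}
```

In the first run the write goes to MFN_L1A, a table the current address space no longer references and which could meanwhile hold another process's data; that is the "modify memory meanwhile in use elsewhere" outcome the advisory describes. The model adds the alias flush to show what a complete invalidation would need; the titles of the attached patches ("avoid using linear page tables in ...", "restrict use of linear page tables to shadow ...") indicate that the actual fix instead stops relying on linear page tables on the affected paths, which is consistent with the performance cost the advisory warns about.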