Message-Id: <E1kUqJZ-0001xT-Qb@xenbits.xenproject.org>
Date: Tue, 20 Oct 2020 12:00:29 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org,
 xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security-team-members@....org>
Subject: Xen Security Advisory 286 v4 - x86 PV guest INVLPG-like flushes
 may leave stale TLB entries

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

                    Xen Security Advisory XSA-286
                              version 4

     x86 PV guest INVLPG-like flushes may leave stale TLB entries

UPDATES IN VERSION 4
====================

Warn about performance impact.

Public release.

ISSUE DESCRIPTION
=================

x86 PV guest kernels may use hypercalls with INVLPG-like behavior to
invalidate TLB entries even after changes to non-leaf page tables.  Such
changes to non-leaf page tables will, however, also render stale
possible TLB entries created by Xen's internal use of linear page tables
to process guest requests like update-va-mapping.  Invalidation of these
TLB entries has been missing, allowing subsequent guest requests to
change address mappings for one process to potentially modify memory
meanwhile in use elsewhere.
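To make the description above concrete, here is an added, constructed Python model; it is not part of the advisory and not Xen's code. It models a two-level page table whose top-level table maps itself in one slot (a linear page table), a TLB that caches completed translations, a guest kernel whose INVLPG-like flush after a non-leaf change covers only its own addresses, and a hypervisor update-va-mapping path that finds the leaf table either through the linear alias (the pattern the advisory describes) or by walking the frames directly (the approach the "avoid using linear page tables" patch titles point to). The index width, frame numbers, the `Machine` class and every function name are assumptions chosen for the model, not Xen's real data structures.

```python
"""Toy model of the stale-TLB problem in XSA-286 (constructed example).

Frames are dicts (index -> value) so that a page table and a recycled data
page can be told apart only by who is using them, which is the point.
"""

ENTRIES = 512          # entries per table (9-bit index), as on x86-64; assumption
LINEAR_SLOT = 511      # top-level slot that points back at the top-level table


class Machine:
    def __init__(self):
        self.frames = {}            # frame number -> dict of index -> value
        self.tlb = {}               # virtual page number -> frame number
        self.top = self.alloc()     # the non-leaf top-level table
        # Linear mapping: top[LINEAR_SLOT] refers to top itself, so the L1
        # table behind top[i] is reachable at vpn (LINEAR_SLOT << 9) | i.
        self.frames[self.top][LINEAR_SLOT] = self.top

    def alloc(self):
        frame = len(self.frames) + 1
        self.frames[frame] = {}
        return frame

    @staticmethod
    def linear_vpn(top_index):
        """Virtual page through which the L1 table at top[top_index] is visible."""
        return (LINEAR_SLOT << 9) | top_index

    def translate(self, vpn):
        """Hardware-style lookup: a TLB hit wins, otherwise walk and fill."""
        if vpn in self.tlb:
            return self.tlb[vpn]
        l1 = self.frames[self.top][vpn >> 9]
        frame = self.frames[l1][vpn & (ENTRIES - 1)]
        self.tlb[vpn] = frame
        return frame

    # ---- guest kernel side --------------------------------------------
    def guest_set_top_entry(self, top_index, l1_frame):
        """Non-leaf change followed by the guest's INVLPG-like flush."""
        self.frames[self.top][top_index] = l1_frame
        for vpn in list(self.tlb):
            if vpn >> 9 == top_index:        # only the guest's own range
                del self.tlb[vpn]
        # linear_vpn(top_index) belongs to Xen, not to the guest, so the
        # guest never asks for it: that is the missing invalidation.

    # ---- hypervisor side ----------------------------------------------
    def update_va_mapping(self, vpn, new_frame, use_linear):
        """Write a leaf entry on the guest's behalf (update-va-mapping)."""
        if use_linear:
            # Pattern from the advisory: reach the L1 table through the
            # linear alias, i.e. through the possibly stale TLB.
            l1 = self.translate(self.linear_vpn(vpn >> 9))
        else:
            # Patched pattern: walk the frames directly, never via a VA.
            l1 = self.frames[self.top][vpn >> 9]
        self.frames[l1][vpn & (ENTRIES - 1)] = new_frame


def run_scenario(use_linear):
    """Return where a later update-va-mapping lands after a table switch."""
    m = Machine()
    idx = 5
    old_l1 = m.alloc()                       # process A's L1 table
    m.guest_set_top_entry(idx, old_l1)
    # Xen services a request under idx; the linear alias is now cached.
    m.update_va_mapping((idx << 9) | 0, m.alloc(), use_linear)
    # The guest points idx at process B's table, flushes its own range,
    # and recycles the old table frame as an ordinary data page.
    new_l1 = m.alloc()
    m.guest_set_top_entry(idx, new_l1)
    marker = "data now owned by someone else"
    m.frames[old_l1] = {0: marker}
    # A later update-va-mapping for process B's range.
    target = m.alloc()
    m.update_va_mapping((idx << 9) | 0, target, use_linear)
    return {
        "b_table_updated": m.frames[new_l1].get(0) == target,
        "recycled_frame_corrupted": m.frames[old_l1].get(0) != marker,
    }


if __name__ == "__main__":
    print("linear alias :", run_scenario(True))
    print("direct walk  :", run_scenario(False))
```

With `use_linear=True` the second update-va-mapping is written into the recycled frame instead of process B's table, which is the "modify memory meanwhile in use elsewhere" outcome the advisory describes; with `use_linear=False` the write lands in the new table and the recycled frame is untouched.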

IMPACT
======

Malicious x86 PV guest user-mode code may be able to escalate its
privilege to that of the guest kernel.

VULNERABLE SYSTEMS
==================

All versions of Xen expose the vulnerability.

The vulnerability is exposed to x86 PV guests only.  x86 HVM/PVH guests
as well as ARM ones are not vulnerable.

MITIGATION
==========

There is no known mitigation.

CREDITS
=======

This issue was discovered by Jann Horn of Google Project Zero.

RESOLUTION
==========

Applying the appropriate set of attached patches resolves this issue.

Note that these patches are known to produce serious performance
problems for at least some workloads.  Work is ongoing to improve the
performance, and this XSA will be updated when new patches are
available.

xsa286/*.patch           xen-unstable
xsa286-4.14/*.patch      Xen 4.14.x
xsa286-4.13/*.patch      Xen 4.13.x
xsa286-4.12/*.patch      Xen 4.12.x
xsa286-4.11/*.patch      Xen 4.11.x
xsa286-4.10/*.patch      Xen 4.10.x

$ sha256sum xsa286* xsa286*/*
e67a0828be2157c54282a4cc6956234581d32b793021e12ee61676bad4d3b740  xsa286.meta
95c1650a7e0496577929fd5d3240b14ab69e4086b613a52117fcfd879c9aea0d  xsa286-4.10/0001-x86-shadow-drop-further-32-bit-relics.patch
18218556f8f9218a57dc9afeffddeaa2133fbe2788871082d8b040ab67abb68c  xsa286-4.10/0002-x86-shadow-don-t-pass-wrong-L4-MFN-to-guest_walk_tab.patch
e8c89338a74b5fce9ee2c82e360889123afd7efe72536c236cf521c28e48ecc9  xsa286-4.10/0003-x86-shadow-don-t-use-map_domain_page_global-on-paths.patch
a677ddb308359450087c21085536d64a15d9339cd02a88eecd8d694c9d26837c  xsa286-4.10/0004-x86-don-t-allow-clearing-of-TF_kernel_mode-for-other.patch
927b68d2ffb4afb677b2f3d820f2e12ae61a37a2b4797fdc8316fe65adc0e46f  xsa286-4.10/0005-x86-mm-split-L4-and-L3-parts-of-the-walk-out-of-do_p.patch
9c6dfc0a2bf7408c1852de2410fecbaab48a4b885f8cf4836781d31727f0c69d  xsa286-4.10/0006-x86-mm-check-page-types-in-do_page_walk.patch
e4c0fcbfd558a95d52b5312902b10aced0dd8d23d1d1af5b3f7d39c3641010c4  xsa286-4.10/0007-x86-mm-avoid-using-linear-page-tables-in-map_guest_l.patch
c0e481010cc801c1455008f52e5f2799240223dbfda2f252c872381d30f5af74  xsa286-4.10/0008-x86-mm-avoid-using-linear-page-tables-in-guest_get_e.patch
89cf1192938027eaa7bb38dcbe268f54771bac0e107fa33f4f625c1fef3397c1  xsa286-4.10/0009-x86-mm-avoid-using-top-level-linear-page-tables-in-u.patch
6c01ba250ae9ffcd894f603d519bf3a170c92c9e0bc3bb7a79c3e67412ffcf35  xsa286-4.10/0010-x86-mm-restrict-use-of-linear-page-tables-to-shadow-.patch
21d8f1f05a537bae19088ed28cfb8990c2c19f3f93fbe894f40b354ea7702d3a  xsa286-4.11/0001-x86-don-t-allow-clearing-of-TF_kernel_mode-for-other.patch
6e4023e7d366e53ccda8f80a4b36bd77f194b84ef0a30d1af6f18d56c11c5256  xsa286-4.11/0002-x86-mm-split-L4-and-L3-parts-of-the-walk-out-of-do_p.patch
aabccc3a6c267e41c3ac47916592ce645f6e6788cad900845dbf254801f9dd23  xsa286-4.11/0003-x86-mm-check-page-types-in-do_page_walk.patch
9bbc53a6533209f85edb005e8a517d5a80fda9db8af39b9378eba74857b9fa6b  xsa286-4.11/0004-x86-mm-avoid-using-linear-page-tables-in-map_guest_l.patch
19f09374a4d3383eb1e5b9f0b465ff33e17f71fe7131e6cd61599ac9f79e8b00  xsa286-4.11/0005-x86-mm-avoid-using-linear-page-tables-in-guest_get_e.patch
7b17dd013bdd9520a7c0cec2a6b56da677d980b982b6869865c99f374b3c1560  xsa286-4.11/0006-x86-mm-avoid-using-top-level-linear-page-tables-in-u.patch
c4c52a34efd14745a0a80f15a73daf7d7e72cfdf2925045a5ec1d22c798baaf2  xsa286-4.11/0007-x86-mm-restrict-use-of-linear-page-tables-to-shadow-.patch
e831e18b528d845e3aef329df98244ebed1ade0388f1bfb083d8de626e148388  xsa286-4.12/0001-x86-don-t-allow-clearing-of-TF_kernel_mode-for-other.patch
9db102623f51bb5757fff3a2364a675893ca52e09f47868dad15ce1cb44c40a8  xsa286-4.12/0002-x86-mm-split-L4-and-L3-parts-of-the-walk-out-of-do_p.patch
3b0768c05123681db5256a96af3a8abe18e0a488b767183be728cb0a06969333  xsa286-4.12/0003-x86-mm-check-page-types-in-do_page_walk.patch
30342a0c11e0a48b50cd461b6388dce8640f6380cde1d738a3ddd8b95a8c7b1b  xsa286-4.12/0004-x86-mm-avoid-using-linear-page-tables-in-map_guest_l.patch
3c1a687243e2df7b64a49279cd99ceabdcc00d9f48476faacd8915a9cc61e775  xsa286-4.12/0005-x86-mm-avoid-using-linear-page-tables-in-guest_get_e.patch
c5aacc47b696b74e80e368c25f0deba20aa69e1de6823f334fddd6a40c6f6a22  xsa286-4.12/0006-x86-mm-avoid-using-top-level-linear-page-tables-in-u.patch
07e3f5bcbfbdec070e28fc1bd727b0eb7adc2a75c26636e081800e9939c9bcc2  xsa286-4.12/0007-x86-mm-restrict-use-of-linear-page-tables-to-shadow-.patch
089d284b29b7179b5c9c04beaf90f24b4b79d81eb3bf55b607405755f3f8b6d8  xsa286-4.13/0001-x86-mm-split-L4-and-L3-parts-of-the-walk-out-of-do_p.patch
96a6391f2a027a034f0e3308119b2cc9b3543db985f9975067db42eb553d2ff9  xsa286-4.13/0002-x86-mm-check-page-types-in-do_page_walk.patch
4060ed8ef41314ddf413e307d39254a899a8e65bd28d5dcb6da73a0d922b5cfb  xsa286-4.13/0003-x86-mm-avoid-using-linear-page-tables-in-map_guest_l.patch
38ed58aceaeb3ab4d9991f12ec11b1eaa0a6d4853023e0e59c0d92589ed112b6  xsa286-4.13/0004-x86-mm-avoid-using-linear-page-tables-in-guest_get_e.patch
99a0afbc30acf6df26e152752bb65a1de33d9a0a45a5e7ad7693c01c1d1f53d6  xsa286-4.13/0005-x86-mm-avoid-using-top-level-linear-page-tables-in-u.patch
4ce310f802a3fcc55d704af755ef4f6d04e029cddc7df03827f7518d3a8faaf9  xsa286-4.13/0006-x86-mm-restrict-use-of-linear-page-tables-to-shadow-.patch
36f1631c0880a615de48006fc5318c1b305be2ba5ed9c3cd0dd4ed82bd481bed  xsa286-4.14/0001-x86-mm-split-L4-and-L3-parts-of-the-walk-out-of-do_p.patch
4c10f102b71f26e86b2f5ef9d7bbb31000e389b64185cc23491a113311d70983  xsa286-4.14/0002-x86-mm-check-page-types-in-do_page_walk.patch
ee227e37cb6de2bed50395a72c6ce9493bdfc0018ed2dc70c81334c98751564d  xsa286-4.14/0003-x86-mm-avoid-using-linear-page-tables-in-map_guest_l.patch
4892411356967838e49a5063e80f6169446e460bc3bee8765fe8f4852b801851  xsa286-4.14/0004-x86-mm-avoid-using-linear-page-tables-in-guest_get_e.patch
e840cb758e21be76cfcbd85be82a23bb91e2766d435d314047a62e3b333b7dcb  xsa286-4.14/0005-x86-mm-avoid-using-top-level-linear-page-tables-in-u.patch
16763d9a407ae30d79e1f849d1ae1e03e9a1d5dca15181f5d53f49e4eb4708a2  xsa286-4.14/0006-x86-mm-restrict-use-of-linear-page-tables-to-shadow-.patch
34c00849d8cf56897d5c17c65d83b9ef2f0ce849766c9d7ca07b56de4a4c1307  xsa286/0001-x86-mm-split-L4-and-L3-parts-of-the-walk-out-of-do_p.patch
b82ff481239b72f7b364cc4a66363a812a9205b3e605b215b2267cd6f13f9a06  xsa286/0002-x86-mm-check-page-types-in-do_page_walk.patch
527f7a74c0bee0f137b86b3b6475ff4648266f9dcaa5368df2f06b91efd9dbb8  xsa286/0003-x86-mm-avoid-using-linear-page-tables-in-map_guest_l.patch
fd11aaacef7fd090fbc6409069b57d76a06a7e835b9a9eb5de8e15ace3ffb3e5  xsa286/0004-x86-mm-avoid-using-linear-page-tables-in-guest_get_e.patch
dbfce6e2975d191b6568392593a835b5fc87d3869a5fad1917aecc11d1f2a62a  xsa286/0005-x86-mm-avoid-using-top-level-linear-page-tables-in-u.patch
5ad8a48a603b3fd195168d62d481516999422f86e5bbc65b01cde1ff1d262fb2  xsa286/0006-x86-mm-restrict-use-of-linear-page-tables-to-shadow-.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAl+OzqAMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZf44IAITjC6CiRoB4BdmqcMwpQ2bJbC/XqNN/xV/DXTsg
p0sv0w3lXQQIOIzR7UG70IlA2vjW9LNX6k6qjqDGpOJQn5d2Pbj4jFkd11kq24IK
PWuoxpswQRaVu0CU5aPvvtAIkOu9v0wZ6//M3cpe81h1Pl+Mg413SSArP6qRFjhY
tVdzlBzOwqXYMH5prlvWG+td43D6e5UeMPZM4o4Rkovdjk3QPkpsBrElnlZInmqH
ntbFSTCCUcIpaLRY88yPOksTHXxPtdrDh2l9okNYhLhf7Ywk0z1SWkiueazT15t4
ytDw6OdmYjajqFhI9+FvyYLRiQK+twl6iPUXKarqEQyBbEU=
=ori5
-----END PGP SIGNATURE-----
