Xen Security Advisory 243 - x86: Incorrect handling of self-linear shadow mappings with translated guests

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

Xen Security Advisory 243 - x86: Incorrect handling of self-linear shadow mappings with translated guests

Xen.org security team
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

                    Xen Security Advisory XSA-243
                              version 3

 x86: Incorrect handling of self-linear shadow mappings with translated guests

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

The shadow pagetable code uses linear mappings to inspect and modify the
shadow pagetables.  A linear mapping which points back to itself is known as
self-linear.  For translated guests, the shadow linear mappings (being in a
separate address space) are not intended to be self-linear.  For
non-translated guests, the shadow linear mappings (being the same
address space) are intended to be self-linear.

When constructing a monitor pagetable for Xen to run on a vcpu with, the shadow
linear slot is filled with a self-linear mapping, and for translated guests,
shortly thereafter replaced with a non-self-linear mapping, when the guest's
%cr3 is shadowed.

However when writeable heuristics are used, the shadow mappings are used as
part of shadowing %cr3, causing the heuristics to be applied to Xen's
pagetables, not the guest shadow pagetables.

While investigating, it was also identified that PV auto-translate mode was
insecure.  This mode was removed in Xen 4.7 due to being unused, unmaintained
and presumed broken.  We are not aware of any guest implementation of PV
auto-translate mode.

IMPACT
======

A malicious or buggy HVM guest may cause a hypervisor crash, resulting in a
Denial of Service (DoS) affecting the entire host, or cause hypervisor memory
corruption.  We cannot rule out a guest being able to escalate its privilege.

VULNERABLE SYSTEMS
==================

All versions of Xen are vulnerable.

HVM guests using shadow mode paging can exploit this vulnerability.
HVM guests using Hardware Assisted Paging (HAP) as well as PV guests
cannot exploit this vulnerability.

ARM systems are not vulnerable.

MITIGATION
==========

Running only PV guests will avoid this vulnerability.

Where the HVM guest is explicitly configured to use shadow paging (eg
via the `hap=0' xl domain configuration file parameter), changing to
HAP (eg by setting `hap=1') will avoid exposing the vulnerability to
those guests.  HAP is the default (in upstream Xen), where the
hardware supports it; so this mitigation is only applicable if HAP has
been disabled by configuration.

CREDITS
=======

This issue was discovered by Andrew Cooper of Citrix.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa243.patch             xen-unstable, Xen 4.9.x
xsa243-4.8.patch         Xen 4.8.x
xsa243-4.7.patch         Xen 4.7.x
xsa243-4.6-[1,2].patch   Xen 4.6.x
xsa243-4.{6-1,5-2}.patch Xen 4.5.x

$ sha256sum xsa243*
61b05e2d6655f5d18cd53b16e03499152c603162584f64d68fad31b088cc5cd2  xsa243.meta
a5b484db80346f7e75c7921ee4780567f04b9f9b4620c0cde4bfa1df3ac0f87f  xsa243.patch
79e1c5e088eee8e78aa67895a29d611352c64251854e4c5129e33c85988a47a5  xsa243-4.5-2.patch
722073aad1e734e24b0b79d03a1957e491f3616fe6e244a89050f7a50f8f356b  xsa243-4.6-1.patch
94cb346c486f88f2f4f701564017e1997e518a5a14218f0e38ff882c60fb382c  xsa243-4.6-2.patch
465ba9e3293591a3c84c122ffd73474fe96483f5e21565440d5fbc207fa4c4a9  xsa243-4.7.patch
f8e471b42502905a442d43934ac339663a6124118c9762b31f2ad930fd532e64  xsa243-4.8.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJZ31wCAAoJEIP+FMlX6CvZfZIH/i6Ict2HQ3HPT8yLY6e+Lab4
XXRUutCRqiBYoxes4vsOs8SqVEBQ/AI/Ds5jpByNQqUrK/dH7CdTOthy3bsOSmHQ
UcUveuMyJ7IDCjJhFYmIA6o7Bc1OiBDoA3yg1pFn4tb1eAn/3mq4OCSNhqnCPiFy
MxnsQ023yCLUdHwPvNagLOwycOelD1CdZQPae8e1fuasABJfuTZ+MdREMcsJWfOo
rcH5++We9yWKttJqV9om7NsyEBdiQYRJHepJb0dJwm+ZMp46A5NaqNd6/PpFmoP9
L7sgweOd/Z2taJOrDiSTAuaoKuxA0sZstUaE+BCb7Xp2aqFmnSp85gsaqdvAkCs=
=ktEr
-----END PGP SIGNATURE-----

_______________________________________________
Xen-announce mailing list
[hidden email]
https://lists.xen.org/xen-announce

xsa243.meta (3K) Download Attachment
xsa243.patch (5K) Download Attachment
xsa243-4.5-2.patch (5K) Download Attachment
xsa243-4.6-1.patch (1K) Download Attachment
xsa243-4.6-2.patch (5K) Download Attachment
xsa243-4.7.patch (5K) Download Attachment
xsa243-4.8.patch (5K) Download Attachment