Xen Security Advisory 252 (CVE-2018-7540) - DoS via non-preemptable L3/L4 pagetable freeing
-----BEGIN PGP SIGNED MESSAGE-----
Xen Security Advisory CVE-2018-7540 / XSA-252
DoS via non-preemptable L3/L4 pagetable freeing
UPDATES IN VERSION 3
ISSUE DESCRIPTION

Guests have the ability to request removal of memory from themselves.
This operation is intended to be requested for normal read/write pages,
but is also permitted to be used on other types of pages. Until now this
in particular included pages pinned to their current (page table) type,
with the necessary unpinning happening implicitly as part of the removal.
The unpinning of higher level page tables (L3/L4) can, however, take a
significant amount of time, and hence is generally expected to be carried
out with intermediate preemption checks. Such checks were missing from
the code path involved here, so the whole unpin ran to completion on the
physical CPU without yielding.
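The defect described above is the absence of a preemption point in a long-running free path. The following C program is an added illustration of that pattern and is not Xen's code: it models a top-level table referencing a number of lower-level tables (a constructed structure, with a constructed per-call budget of 64 entries) and contrasts a free routine that runs to completion with one that stops at a budget, returns an ERESTART-style code, and resumes from saved progress on the next call. The names, the budget, and the restart code are all assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model: a top-level table referencing up to ENTRIES lower-level
 * tables. Freeing the top level means dropping every lower table it holds.
 * This is an illustration only, not Xen's page-table representation. */
#define ENTRIES 512

struct table {
    size_t nr_children;              /* lower-level tables still referenced */
    struct table *children[ENTRIES];
};

/* Assumed per-invocation work budget before the operation must yield. */
#define PREEMPT_BUDGET 64

/* Assumed return code asking the caller to re-issue the operation later,
 * in the spirit of hypercall continuations. */
#define ERESTART (-1)

/* Progress state that survives across restarts of the preemptable free. */
struct free_state {
    struct table *top;
    size_t next;                     /* index of the next child to release */
};

/* Stand-in for releasing one lower-level table; a real hypervisor would
 * drop references on each of that table's own entries here. */
static void put_child(struct table *child)
{
    (void)child;
}

/* Non-preemptable variant: releases every child before returning. With a
 * large table the physical CPU is busy for the entire duration. */
size_t free_top_nonpreemptable(struct table *top)
{
    size_t done = 0;
    for (size_t i = 0; i < top->nr_children; i++) {
        put_child(top->children[i]);
        done++;
    }
    top->nr_children = 0;
    return done;
}

/* Preemptable variant: releases at most PREEMPT_BUDGET children per call,
 * then returns ERESTART so the scheduler can run other work. Returns 0
 * once the table is fully released. */
int free_top_preemptable(struct free_state *st)
{
    size_t budget = PREEMPT_BUDGET;
    while (st->next < st->top->nr_children) {
        if (budget-- == 0)
            return ERESTART;         /* preemption point: yield here */
        put_child(st->top->children[st->next]);
        st->next++;
    }
    st->top->nr_children = 0;
    return 0;
}

/* Drive the preemptable variant to completion and return how many times
 * it had to yield before the table was fully released. */
size_t drive_preemptable(struct table *top)
{
    struct free_state st = { .top = top, .next = 0 };
    size_t restarts = 0;
    while (free_top_preemptable(&st) == ERESTART)
        restarts++;
    return restarts;
}

/* Build a top-level table referencing n constructed lower-level tables. */
static struct table storage[ENTRIES];
struct table *make_top(size_t n)
{
    static struct table top;
    top.nr_children = n;
    for (size_t i = 0; i < n; i++)
        top.children[i] = &storage[i];
    return &top;
}

int main(void)
{
    size_t restarts = drive_preemptable(make_top(ENTRIES));
    printf("released %d children, yielding %zu times\n", ENTRIES, restarts);
    return 0;
}
```

The point of the comparison is the shape of the fix rather than any particular budget: a free path over a hierarchical structure must be written so it can stop, report "not finished", and later continue from recorded progress, because the work a guest can trigger with one request is otherwise bounded only by the size of the structure being torn down.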
IMPACT

A malicious guest administrator can cause a Denial of Service (DoS).
Specifically, prevent use of a physical CPU for a significant period of
VULNERABLE SYSTEMS

All Xen versions are vulnerable.

Only x86 systems are affected. ARM systems are not affected.

Only PV guests can leverage this vulnerability. HVM guests cannot
leverage this vulnerability.
MITIGATION

Running only HVM guests will avoid this issue.
CREDITS

This issue was discovered by Jann Horn of Google Project Zero.
RESOLUTION

Applying the appropriate attached patch resolves this issue.
DEPLOYMENT DURING EMBARGO

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decision-making.)