Xen Security Advisory 275 v3 (CVE-2018-19961, CVE-2018-19962) - insufficient TLB flushing / improper large page mappings with AMD IOMMUs
-----BEGIN PGP SIGNED MESSAGE-----
Xen Security Advisory CVE-2018-19961,CVE-2018-19962 / XSA-275
insufficient TLB flushing / improper large page mappings with AMD IOMMUs
UPDATES IN VERSION 3
To be certain that memory can no longer be accessed once the IOMMU
mappings covering it have been removed, the IOMMU's Translation
Lookaside Buffers (TLBs) need to be flushed after most changes to such
mappings. Xen bypassed certain IOMMU flushes on AMD x86 hardware.
(CVE-2018-19961)
Furthermore, logic exists in Xen to re-combine small page mappings
into larger ones. Such re-combination could have occurred in cases
where it was not actually safe or correct to do so. (CVE-2018-19962)
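The two failure modes described above, as an added example that is not Xen or AMD code: a toy model of a single-level IOMMU page table fronted by a small IOTLB. The first part shows that once a device has cached a translation, clearing the page-table entry without flushing the IOTLB leaves the device able to keep using the old machine frame; the second part shows the checks that must all hold before a run of 4K mappings is safely re-combined into one large mapping. The table size, the 512-page large-page size, the flag bits and every function name are assumptions chosen for the model.

```c
/*
 * Added example (not Xen code): toy IOMMU page table plus IOTLB.
 * Part 1: unmap without a flush leaves a stale, usable translation.
 * Part 2: conditions that must hold before re-combining 4K mappings.
 * All sizes, flag bits and names are assumptions made for this model.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NR_GFNS     1024          /* guest frames covered by the toy table */
#define LARGE_PAGES 512           /* 4K pages per 2M large page (assumed) */
#define PTE_PRESENT 0x1u
#define PTE_WRITE   0x2u
#define IOTLB_WAYS  8

typedef struct { uint64_t mfn; uint32_t flags; } pte_t;
typedef struct { bool valid; uint64_t gfn, mfn; uint32_t flags; } iotlb_t;

struct iommu {
    pte_t    pt[NR_GFNS];         /* leaf table, indexed directly by gfn */
    iotlb_t  tlb[IOTLB_WAYS];     /* translations the device has cached */
    unsigned victim;              /* round-robin replacement pointer */
};

static void iommu_init(struct iommu *io) { memset(io, 0, sizeof *io); }

void iommu_map(struct iommu *io, uint64_t gfn, uint64_t mfn, uint32_t flags)
{
    if (gfn >= NR_GFNS) return;
    io->pt[gfn].mfn = mfn;
    io->pt[gfn].flags = flags | PTE_PRESENT;
}

/* Clears the PTE only. Like the flaw described above, this does NOT
 * invalidate the IOTLB; the caller must follow it with iommu_flush(). */
void iommu_unmap(struct iommu *io, uint64_t gfn)
{
    if (gfn >= NR_GFNS) return;
    io->pt[gfn].mfn = 0;
    io->pt[gfn].flags = 0;
}

void iommu_flush(struct iommu *io, uint64_t gfn)
{
    for (unsigned i = 0; i < IOTLB_WAYS; i++)
        if (io->tlb[i].valid && io->tlb[i].gfn == gfn)
            io->tlb[i].valid = false;
}

/* What the device sees: IOTLB hit first, page walk only on a miss.
 * Returns false on a translation fault. */
bool device_translate(struct iommu *io, uint64_t gfn, bool write, uint64_t *mfn)
{
    for (unsigned i = 0; i < IOTLB_WAYS; i++) {
        iotlb_t *e = &io->tlb[i];
        if (e->valid && e->gfn == gfn) {
            if (write && !(e->flags & PTE_WRITE)) return false;
            *mfn = e->mfn;            /* served from cache; table not consulted */
            return true;
        }
    }
    if (gfn >= NR_GFNS || !(io->pt[gfn].flags & PTE_PRESENT)) return false;
    if (write && !(io->pt[gfn].flags & PTE_WRITE)) return false;
    iotlb_t *e = &io->tlb[io->victim++ % IOTLB_WAYS];
    *e = (iotlb_t){ true, gfn, io->pt[gfn].mfn, io->pt[gfn].flags };
    *mfn = e->mfn;
    return true;
}

/* True only if [base, base+512) may become one large mapping: both gfn and
 * mfn aligned, every 4K entry present, machine frames contiguous, and
 * permissions identical throughout. */
bool can_recombine(const struct iommu *io, uint64_t base)
{
    if (base % LARGE_PAGES || base + LARGE_PAGES > NR_GFNS) return false;
    const pte_t *first = &io->pt[base];
    if (!(first->flags & PTE_PRESENT) || first->mfn % LARGE_PAGES) return false;
    for (uint64_t i = 1; i < LARGE_PAGES; i++) {
        const pte_t *p = &io->pt[base + i];
        if (p->flags != first->flags) return false;   /* also catches not-present */
        if (p->mfn != first->mfn + i) return false;   /* hole or foreign frame */
    }
    return true;
}

/* Part 1: does the device still translate gfn 5 after it was unmapped? */
bool stale_after_unmap(bool flush)
{
    struct iommu io; iommu_init(&io);
    uint64_t mfn;
    iommu_map(&io, 5, 0x1234, PTE_WRITE);
    device_translate(&io, 5, true, &mfn);   /* device DMA fills the IOTLB */
    iommu_unmap(&io, 5);                    /* frame handed back to the host */
    if (flush) iommu_flush(&io, 5);
    return device_translate(&io, 5, true, &mfn);   /* true: DMA to freed memory */
}

/* Part 2: 0 = clean range, 1 = one page unmapped, 2 = one page read-only,
 * 3 = one page backed by a non-contiguous frame. */
bool recombine_ok(int poison)
{
    struct iommu io; iommu_init(&io);
    for (uint64_t i = 0; i < LARGE_PAGES; i++)        /* gfn 512.. -> mfn 0x200000.. */
        iommu_map(&io, 512 + i, 0x200000 + i, PTE_WRITE);
    if (poison == 1) iommu_unmap(&io, 612);
    if (poison == 2) iommu_map(&io, 612, 0x200000 + 100, 0);
    if (poison == 3) iommu_map(&io, 612, 0x300000, PTE_WRITE);
    return can_recombine(&io, 512);
}

int main(void)
{
    printf("unmap, no flush: device still translates = %d\n", stale_after_unmap(false));
    printf("unmap + flush:   device still translates = %d\n", stale_after_unmap(true));
    printf("recombine clean=%d hole=%d ro=%d noncontig=%d\n",
           recombine_ok(0), recombine_ok(1), recombine_ok(2), recombine_ok(3));
    return 0;
}
```

The model deliberately keeps the flush separate from the unmap so that the dangerous ordering is visible; in production code the invalidation belongs in the unmap path itself, and a re-combination routine should be the only code path that may install a large entry, so that every check in can_recombine() is exercised each time.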
A malicious or buggy guest may be able to escalate its privileges, may
cause a Denial of Service (DoS) affecting the entire host, or may be
able to access data it is not supposed to access (information leak).
Xen versions from at least 3.2 onwards are affected. Note that the
situation is worse in 4.1 and earlier, in that there's no flushing of
the TLB at all.
Only systems with AMD x86 hardware with enabled IOMMU are affected.
ARM and Intel x86 systems, and AMD x86 systems without enabled IOMMU,
are not affected.
Only systems where physical PCI devices are assigned to untrusted guests
There is no known mitigation for affected system/guest combinations.
This issue was discovered by Paul Durrant of Citrix.
Applying the appropriate set of attached patches resolves this issue.
DEPLOYMENT DURING EMBARGO
Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).
Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)