-----BEGIN PGP SIGNED MESSAGE-----
Xen Security Advisory CVE-2019-19577 / XSA-311
Bugs in dynamic height handling for AMD IOMMU pagetables
UPDATES IN VERSION 4
Re-base 4.12 patch onto latest stable tree commits.
Updated metadata to add 4.13 and update StableRefs.
When running on AMD systems with an IOMMU, Xen attempted to
dynamically adapt the number of levels of pagetables (the pagetable
height) in the IOMMU according to the guest's address space size. The
code to select and update the height had several bugs.
Notably, the update was done without taking a lock which is necessary
for safe operation.
A malicious guest administrator can cause Xen to access data
structures while they are being modified, causing Xen to crash.
Privilege escalation is thought to be very difficult but cannot be
Additionally, there is a potential memory leak of 4kb per guest boot,
under memory pressure.
Only Xen on AMD CPUs is vulnerable. Xen running on Intel CPUs is not
vulnerable. ARM systems are not vulnerable.
Only systems where guests are given direct access to physical devices
are vulnerable. Systems which do not use PCI pass-through are not
Only HVM guests can exploit the vulnerability. PV and PVH guests
All versions of Xen with IOMMU support are vulnerable.
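The exposure conditions above (AMD CPU, HVM guest, PCI pass-through), expressed as a triage check over xl guest configuration files. This is an added example, not part of the advisory or the Xen Project's code; the sample configs, CPU info strings and function names are constructed for illustration. It assumes xl.cfg syntax, where a guest with neither type= nor builder="hvm" is PV.

```python
import re

# Constructed sample data (not from the advisory).
AMD_CPUINFO = "processor\t: 0\nvendor_id\t: AuthenticAMD\n"
INTEL_CPUINFO = "processor\t: 0\nvendor_id\t: GenuineIntel\n"
SAMPLE_CONFIGS = {
    "web01.cfg": 'name = "web01"\ntype = "hvm"\npci = [ "03:00.0" ]\n',
    "db01.cfg": 'name = "db01"\ntype = "pvh"\npci = [ "04:00.0" ]\n',
    "build.cfg": 'name = "build"\nbuilder = "hvm"\n# pci = [ "05:00.0" ]\n',
    "legacy.cfg": "builder = 'hvm'\npci = ['06:00.0',\n       '06:00.1']\n",
}

def host_is_amd(cpuinfo_text):
    """True if /proc/cpuinfo-style text reports an AMD CPU."""
    pattern = r"^vendor_id\s*:\s*AuthenticAMD\s*$"
    return re.search(pattern, cpuinfo_text, re.M) is not None

def strip_comments(cfg_text):
    """Drop '#' comments (triage only: ignores '#' inside quoted strings)."""
    return "\n".join(l.split("#", 1)[0] for l in cfg_text.splitlines())

def guest_type(cfg):
    """Return 'hvm', 'pvh' or 'pv' from type= or the older builder= key."""
    m = re.search(r'^\s*type\s*=\s*["\'](\w+)["\']', cfg, re.M)
    if m:
        return m.group(1).lower()
    m = re.search(r'^\s*builder\s*=\s*["\'](\w+)["\']', cfg, re.M)
    if m and m.group(1).lower() == "hvm":
        return "hvm"
    return "pv"  # assumed default when neither key selects HVM

def has_passthrough(cfg):
    """True if a non-empty pci = [ ... ] list is configured."""
    m = re.search(r'^\s*pci\s*=\s*\[(.*?)\]', cfg, re.M | re.S)
    return bool(m and re.search(r'["\'][^"\']+["\']', m.group(1)))

def exposed_guests(cpuinfo_text, configs):
    """Names of configs meeting all three conditions in the advisory."""
    if not host_is_amd(cpuinfo_text):
        return []
    hits = []
    for name, text in sorted(configs.items()):
        cfg = strip_comments(text)
        if guest_type(cfg) == "hvm" and has_passthrough(cfg):
            hits.append(name)
    return hits

if __name__ == "__main__":
    print(exposed_guests(AMD_CPUINFO, SAMPLE_CONFIGS))
```

The check only identifies which guests fall within the advisory's stated conditions; it does not tell you whether the hypervisor has been patched.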
In some configurations, use of passthrough can be replaced with a
higher-level protocol such as Xen PV block or network devices.
There is no other mitigation.
This issue was discovered by Sander Eikelenboom, along with Andrew Cooper of
Applying the appropriate (set of) attached patch(es) resolves this issue.
xsa311.patch xen-unstable, Xen 4.13.x
xsa311-4.12.patch Xen 4.12.x
xsa311-4.11.patch Xen 4.11.x
xsa311-4.10-*.patch Xen 4.10.x
xsa311-4.9-*.patch Xen 4.9.x
xsa311-4.8-*.patch Xen 4.8.x
$ sha256sum xsa311*
DEPLOYMENT DURING EMBARGO
Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).
Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decision-making.)
For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
Xen-announce mailing list