Headline
CVE-2020-29566: 348 - Xen Security Advisories
An issue was discovered in Xen through 4.14.x. When they require assistance from the device model, x86 HVM guests must be temporarily de-scheduled. The device model will signal Xen when it has completed its operation, via an event channel, so that the relevant vCPU is rescheduled. If the device model were to signal Xen without having actually completed the operation, the de-schedule / re-schedule cycle would repeat. If, in addition, Xen is resignalled very quickly, the re-schedule may occur before the de-schedule was fully complete, triggering a shortcut. This potentially repeating process uses ordinary recursive function calls, and thus could result in a stack overflow. A malicious or buggy stubdomain serving a HVM guest can cause Xen to crash, resulting in a Denial of Service (DoS) to the entire host. Only x86 systems are affected. Arm systems are not affected. Only x86 stubdomains serving HVM guests can exploit the vulnerability.
Information
Advisory
XSA-348
Public release
2020-12-15 12:00
Updated
2020-12-15 12:19
Version
3
CVE(s)
CVE-2020-29566
Title
undue recursion in x86 HVM context switch code
Filesadvisory-348.txt (signed advisory file)
xsa348.meta
xsa348-1.patch
xsa348-2.patch
xsa348-3.patch
xsa348-4.10.patch
xsa348-4.11.patch
xsa348-4.12.patch
xsa348-4.13-1.patch
xsa348-4.13-2.patch
xsa348-4.13-3.patchAdvisory
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
Xen Security Advisory CVE-2020-29566 / XSA-348
version 3
undue recursion in x86 HVM context switch code
UPDATES IN VERSION 3
Public release.
ISSUE DESCRIPTION
When they require assistance from the device model, x86 HVM guests must be temporarily de-scheduled. The device model will signal Xen when it has completed its operation, via an event channel, so that the relevant vCPU is rescheduled.
If the device model were to signal Xen without having actually completed the operation, the de-schedule / re-schedule cycle would repeat. If, in addition, Xen is resignalled very quickly, the re-schedule may occur before the de-schedule was fully complete, triggering a shortcut. This potentially repeating process uses ordinary recursive function calls, so could result a stack overflow.
IMPACT
A malicious or buggy stubdomain serving a HVM guest can cause Xen to crash, resulting in a Denial of Service (DoS) to the entire host.
VULNERABLE SYSTEMS
All Xen versions are vulnerable.
Only x86 systems are affected. Arm systems are not affected.
Only x86 stubdomains serving HVM guests can exploit the vulnerability.
MITIGATION
Running only PV or PVH guests will avoid the vulnerability.
(Switching from a device model stub domain to a dom0 device model does NOT mitigate this vulnerability. Rather, it simply recategorises the vulnerability to hostile management code, regarding it "as designed"; thus it merely reclassifies these issues as "not a bug". The security of a Xen system using stub domains is still better than with a qemu-dm running as a dom0 process. Users and vendors of stub qemu dm systems should not change their configuration to use a dom0 qemu process.)
CREDITS
This issue was discovered by Julien Grall of Amazon.
RESOLUTION
Applying the appropriate (set of) attached patch(es) resolves this issue.
Note that patches for released versions are generally prepared to apply to the stable branches, and may not apply cleanly to the most recent release tarball. Downstreams are encouraged to update to the tip of the stable branch before applying these patches.
xsa348-?.patch xen-unstable - Xen 4.14.x xsa348-4.13-?.patch Xen 4.13.x xsa348-4.12.patch Xen 4.12.x xsa348-4.11.patch Xen 4.11.x xsa348-4.10.patch Xen 4.10.x
$ sha256sum xsa348* f9606145cdbd3caacf6be7e5bcb62fc7d2c0b76572c1be26db608c5eac57ead0 xsa348.meta b619dac8453daa9f85526dec67ed67d999d182ccbc39b91be122b3365a0b5cb9 xsa348-1.patch 01b11ea3be160704c992187ad727ac1f03841cc452bbe2c142b53fddfa2da844 xsa348-2.patch 2c54474da9680625717e5a61b2a3a5ac23acad6f7bc0fcb306fe181fd0a38f1d xsa348-3.patch e2f4cbec1a763f045e827ececf13d06dedcc7cc49b42136160c8d986778529ae xsa348-4.10.patch 15d4f5fb894a45027f4a17a557d4fdb0a390575ab2c2d3aa2b265d3c6239c765 xsa348-4.11.patch 58b1a771dc720b1efb205a9d1baf46aea0205d4c65310e693dd2cfe7834cd8b9 xsa348-4.12.patch 1d181edd11f2437ff9298f9b5e81d75f5e5db8a79a8ce2c5aed0d75882473a0b xsa348-4.13-1.patch b68d3dfa2003a7444c165ab3639886b9b502c06cdfd4f43bea747d8fb14dc7cd xsa348-4.13-2.patch 67ecb0819041bf0b20a1af42970af72a15842571beb13cd0d740b0600e1aa2fd xsa348-4.13-3.patch $
DEPLOYMENT DURING EMBARGO
Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators.
But: Distribution of updated software is prohibited (except to other members of the predisclosure list).
Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team.
(Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team’s decisionmaking.)
For more information about permissible uses of embargoed information, consult the Xen Project community’s agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE-----
iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAl/YqEoMHHBncEB4ZW4u b3JnAAoJEIP+FMlX6CvZHysH/RUkeyzKbsafoC4gOpdTKsbCOkR6U609yR5Gpv0G JjoeMculUV+4q4aEJVm+FoXpK2H526akTA9iZnfhxZH224/nJ/MuK8IYdCCUxAPH GTBa64RMTcl9lwHUZUOOWNFbEwTy7CiLBh+ccAi+o8BJGBDcXYFOtD5CerD08wFI HJ/OKa4a36q6YDbG5ESvPK+9KL7e/VM+4BUCtvrlQFMV/4zSiBh9rKLlJEa975zB NC4dZ6ZsM/uRV8s39WQ1ihz2ylAB0Ol/uemYCMWKZRscXxolKJdoWN5F5kpygj3n ETmwpMQSwDcG+yhIBMbJ3CnCguQzEIVyWs8Z7wPcFMZk9QQ= =UJMI -----END PGP SIGNATURE-----
Xenproject.org Security Team