Headline
CVE-2019-17346: 292 - Xen Security Advisories
An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service or gain privileges because of an incompatibility between Process Context Identifiers (PCID) and TLB flushes.
Information
Advisory
XSA-292
Public release
2019-03-05 12:00
Updated
2019-10-25 11:09
Version
3
CVE(s)
CVE-2019-17346
Title
x86: insufficient TLB flushing when using PCID
Filesadvisory-292.txt (signed advisory file)
xsa292.meta
xsa292.patchAdvisory
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
Xen Security Advisory CVE-2019-17346 / XSA-292
version 3
x86: insufficient TLB flushing when using PCID
UPDATES IN VERSION 3
CVE assigned.
ISSUE DESCRIPTION
Use of Process Context Identifiers (PCID) was introduced into Xen in order to improve performance after XSA-254 (and in particular its Meltdown sub-issue). This enablement implied changes to the TLB flushing logic. The particular case of context switch to a vCPU of a PCID-enabled guest left open a time window between the full TLB flush, and the actual address space switch, during which additional TLB entries (from the address space about to be switched away from) can be accumulated, which will not subsequently be purged.
IMPACT
Malicious PV guests may be able to cause a host crash (Denial of Service) or to gain access to data pertaining to other guests. Privilege escalation opportunities cannot be ruled out.
Additionally, vulnerable configurations are likely to be unstable even in the absence of an attack.
VULNERABLE SYSTEMS
Only x86 systems are vulnerable. ARM systems are not vulnerable.
Only systems running x86 PV guests are vulnerable. Systems running only x86 HVM or PVH guests are not vulnerable.
Only systems with at least one PCID-enabled PV guest are vulnerable.
Systems where PCID or INVPCID are unavailable or entirely disabled are not vulnerable.
Note that PCID is enabled by default for both 64-bit dom0 and 64-bit domU when hardware supports it. PCID acceleration has been backported to the following versions:
- Xen 4.11.x,
- Xen 4.10.2 and onwards,
- Xen 4.9.3 and onwards,
- Xen 4.8.4 and onwards,
- Xen 4.7.6.
To exploit this vulnerability, problematic TLB entries must be created between the full TLB flush and the address space switch. The NMI watchdog handler (enabled via the “watchdog” command line option) is known to create such entries; other vectors cannot be ruled out.
MITIGATION
Running only HVM or PVH guests will avoid this vulnerability.
Running only 32-bit PV guests alongside the other two types mentioned above will also avoid this vulnerability, provided Dom0 is also 32-bit or is not using PCID. Making a 64-bit Dom0 not use PCID can be achieved by e.g. "xpti=no-dom0 pcid=xpti".
Disabling use of PCID entirely, by passing “pcid=0” or “invpcid=0” as a command line option to the hypervisor, will also avoid this vulnerability (albeit re-introducing the XPTI performance regression use of PCID was intended to reduce).
Disabling the watchdog timer will remove the only known way of reliably creating problematic TLB entries, potentially reducing the risk of a successful attack.
CREDITS
This issue was discovered by Sergey Dyasli and Andrew Cooper of Citrix.
RESOLUTION
Applying the attached patch resolves this issue.
xsa292.patch xen-unstable, Xen 4.11.x … Xen 4.7.6
$ sha256sum xsa292* c515e98e5ae8a16bc5c894741eea5523a7e568f81ee8a570626dcc0f58f40b40 xsa292.meta f42cb5e1eae5a5c6f0fd84e38df4db9f09a4e1176905c37f292fef9855c82fea xsa292.patch $
DEPLOYMENT DURING EMBARGO
Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators.
But: Distribution of updated software is prohibited (except to other members of the predisclosure list).
Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team.
(Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team’s decisionmaking.)
For more information about permissible uses of embargoed information, consult the Xen Project community’s agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE-----
iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAl2y1+cMHHBncEB4ZW4u b3JnAAoJEIP+FMlX6CvZV48H/i1Wi6DV90quHvewv0j792crdJojnHgq/8V3+hfT lXWcmfW5IQLi02o4aG7XjUYwRTQ6clRgF4AZDZyrAY15QyVCz9diusvWOUzaq7Pd hrvuIMeaB3+ba2OY7bB3P0sCekhhj6MwqKEhGVlbLEB8A0vGq9XjZBuTmws6QA2J 6Il8fxEVupdtETsf3KlYfxvJOubN/B+tByaIpdWU0C2M66EVa4pcijSLcvoylGxi YS7jJrSMcqg4Sx/e/HnzCJ7jrvzhxSDHeyhPy1/NrwlQz2NQjd+FoFownsH48LuH 6LA6GGTIk5v+a/GtNVpb8Wwfg0UleabF+8S30C6QasUO70E= =Pk5K -----END PGP SIGNATURE-----
Xenproject.org Security Team