Headline
CVE-2020-29567: 356 - Xen Security Advisories
An issue was discovered in Xen 4.14.x. When moving IRQs between CPUs to distribute the load of IRQ handling, IRQ vectors are dynamically allocated and de-allocated on the relevant CPUs. De-allocation has to happen when certain constraints are met. If these conditions are not met when first checked, the checking CPU may send an interrupt to itself, in the expectation that this IRQ will be delivered only after the condition preventing the cleanup has cleared. For two specific IRQ vectors, this expectation was violated, resulting in a continuous stream of self-interrupts, which renders the CPU effectively unusable. A domain with a passed through PCI device can cause lockup of a physical CPU, resulting in a Denial of Service (DoS) to the entire host. Only x86 systems are vulnerable. Arm systems are not vulnerable. Only guests with physical PCI devices passed through to them can exploit the vulnerability.
Information
Advisory
XSA-356
Public release
2020-12-15 12:00
Updated
2020-12-15 12:19
Version
3
CVE(s)
CVE-2020-29567
Title
infinite loop when cleaning up IRQ vectors
Filesadvisory-356.txt (signed advisory file)
xsa356.meta
xsa356.patchAdvisory
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
Xen Security Advisory CVE-2020-29567 / XSA-356
version 3
infinite loop when cleaning up IRQ vectors
UPDATES IN VERSION 3
Public release.
ISSUE DESCRIPTION
When moving IRQs between CPUs to distribute the load of IRQ handling, IRQ vectors are dynamically allocated and de-allocated on the relevant CPUs. De-allocation has to happen when certain constraints are met. If these conditions are not met when first checked, the checking CPU may send an interrupt to itself, in the expectation that this IRQ will be delivered only after the condition preventing the cleanup has cleared. For two specific IRQ vectors this expectation was violated, resulting in a continuous stream of self-interrupts, which renders the CPU effectively unusable.
IMPACT
A domain with a passed through PCI device can cause lockup of a physical CPU, resulting in a Denial of Service (DoS) to the entire host.
VULNERABLE SYSTEMS
Only Xen 4.14 is affected. Xen versions 4.13 and older are not affected.
Only x86 systems are vulnerable. Arm systems are not vulnerable.
Only guests with physical PCI devices passed through to them can exploit the vulnerability.
MITIGATION
There is no known mitigation.
CREDITS
This issue was discovered by Roger Pau Monné of Citrix.
RESOLUTION
Applying the attached patch resolves this issue.
Note that patches for released versions are generally prepared to apply to the stable branches, and may not apply cleanly to the most recent release tarball. Downstreams are encouraged to update to the tip of the stable branch before applying these patches.
xsa356.patch xen-unstable - Xen 4.14.x
$ sha256sum xsa356* 77316e3b86e2482ee9741db7484d323a399028762af1c88734f8c83e78069fb3 xsa356.meta 21c217e41549bf74d5fcc26f1d23b6d902c5c72de5e2c8490842aea9f999b036 xsa356.patch $
DEPLOYMENT DURING EMBARGO
Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators.
But: Distribution of updated software is prohibited (except to other members of the predisclosure list).
Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team.
(Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team’s decisionmaking.)
For more information about permissible uses of embargoed information, consult the Xen Project community’s agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE-----
iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAl/YqeAMHHBncEB4ZW4u b3JnAAoJEIP+FMlX6CvZv4cIAIdqAn7O/TicwVod/L1Lktuk94g73LQlhRxMFnQ2 CoFrIBJtvyFq0m0OqRcVav3hb8wa7EdbmbJXgvoC4emKUcIcUkMA/dyvUi9SKdGP 5iQDL0Vsasq7rQN5vjuUA6KIDp4qyT87mxNLUwMzwrXDORFHT9YZO/SZLY37WU7S UX0qaDh9FpwtdB4nDULqNimAZcy1yonXkD8bb6jDmHIeTx33cfe4BNvYqApwTPD8 fxctAlsYHLuwfnEBdQ+cadfcjF/PqkRcsGtMk6hGRn2hEscEfHWMH9I/R9lZvyj5 CjfFKzb2WpDu3KUuJJJBTavkZ97Bs+flVNGLrQ/AgKoitQs= =vDoA -----END PGP SIGNATURE-----
Xenproject.org Security Team