Information

Advisory

XSA-336

Public release

2020-09-22 12:00

Updated

2020-09-22 13:36

Version

3

CVE(s)

CVE-2020-25604

Title

race when migrating timers between x86 HVM vCPU-s

Filesadvisory-336.txt (signed advisory file)
xsa336.meta
xsa336.patch
xsa336-4.11.patchAdvisory

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256

        Xen Security Advisory CVE-2020-25604 / XSA-336
                           version 3

       race when migrating timers between x86 HVM vCPU-s

UPDATES IN VERSION 3

Public release.

ISSUE DESCRIPTION

When migrating timers of x86 HVM guests between its vCPU-s, the locking model used allows for a second vCPU of the same guest also operating on the timers to release a lock that it didn’t acquire.

IMPACT

The most likely effect of the issue is a hang or crash of the hypervisor, i.e. a Denial of Service (DoS).

VULNERABLE SYSTEMS

All versions of Xen are affected.

Only x86 systems are vulnerable. Arm systems are not vulnerable.

Only x86 HVM guests can leverage the vulnerability. x86 PV and PVH cannot leverage the vulnerability.

Only guests with more than one vCPU can exploit the vulnerability.

MITIGATION

Running only PV and PVH guests will avoid the vulnerability.

CREDITS

This issue was discovered by Igor Druzhinin of Citrix.

RESOLUTION

Applying the appropriate attached patch resolves this issue.

Note that patches for released versions are generally prepared to apply to the stable branches, and may not apply cleanly to the most recent release tarball. Downstreams are encouraged to update to the tip of the stable branch before applying these patches.

xsa336.patch Xen 4.12 - xen-unstable xsa336-4.11.patch Xen 4.10 - 4.11

$ sha256sum xsa336* 6cb13a54c2b0fcb6948a1c4045095da4e43aad262a1dd8993ea2a3bd90d4c72d xsa336.meta ecb59876fb92cfe0916ed5f3227a30efe038224c1f6ec36bc3706c4e2214552c xsa336.patch c0c7983bfd70eb54277af9fddfcc3cc95bbd745d92d9ffb71d5b32281c437510 xsa336-4.11.patch $

DEPLOYMENT DURING EMBARGO

Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators.

But: Distribution of updated software is prohibited (except to other members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team.

(Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team’s decisionmaking.)

For more information about permissible uses of embargoed information, consult the Xen Project community’s agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAl9p/eYMHHBncEB4ZW4u b3JnAAoJEIP+FMlX6CvZe28H/3oTZLe4eVhykU7a+BbN7ENJ2WMYsj0VM5wUiQyK ZrY3CnbO0ne6h0BeAgSNG1XRP9QvwJLOIm6gZkqoNCWyJK2IbCO/mlF4czBlpUBR FtM2wJz4FLzkiYMozk8TOZk6pCW6gaqxNiYr2L/3ijh2PQCMwnte/u+T3mZAAWxB nJbVnwux26nvRY/5XBZ7cZ/Qxi1DKed2cyf2A9oZ/AmGIMBT2r6SZ+arf+d4jHRG yQok+7gdXr1lOL/pPZZWepHtbPJMrrYxQZN/zKGt20c9ksBLiOyyQxTO4tegLx7N PxRgzy+DgY+xqYFA68xpM6jJxfWYmHpjAtbYtQoPvyPsIag= =0Kkw -----END PGP SIGNATURE-----

Xenproject.org Security Team