Headline
CVE-2019-17348: 294 - Xen Security Advisories
An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service because of an incompatibility between Process Context Identifiers (PCID) and shadow-pagetable switching.
Information
Advisory
XSA-294
Public release
2019-03-05 12:00
Updated
2019-10-25 11:09
Version
3
CVE(s)
CVE-2019-17348
Title
x86 shadow: Insufficient TLB flushing when using PCID
Filesadvisory-294.txt (signed advisory file)
xsa294/4.7.patch
xsa294/4.8.patch
xsa294/4.9.patch
xsa294/4.10.patch
xsa294/4.11.patch
xsa294/unstable.patchAdvisory
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
Xen Security Advisory CVE-2019-17348 / XSA-294
version 3
x86 shadow: Insufficient TLB flushing when using PCID
UPDATES IN VERSION 3
CVE assigned.
ISSUE DESCRIPTION
Use of Process Context Identifiers (PCID) was introduced into Xen in order to improve performance after XSA-254 (and in particular its Meltdown sub-issue). This enablement implied changes to the TLB flushing logic. One aspect which was overlooked is the safety of switching between shadow pagetables, which previously relied on the unconditional flushing of a write to CR3.
With PCID enabled, a switch of shadow pagetable for a 64bit PV guest fails to invalidate the linear mappings of the previous shadow pagetable. As a result, subsequent accesses to the shadow pagetables may be deemed to be safe by the shadow logic (based on the old shadow pagetable) but fault when made in practice.
IMPACT
Malicious 64bit PV guests may be able to cause a host crash (Denial of Service).
Additionally, vulnerable configurations are unstable even in the absence of an attack.
VULNERABLE SYSTEMS
Only x86 systems are vulnerable. ARM systems are not vulnerable.
Only systems running 64-bit x86 PV guests are vulnerable. Systems running only x86 HVM or PVH or 32bit PV guests are not vulnerable.
Only systems with at least one PCID-enabled PV guest are vulnerable.
Systems where PCID or INVPCID are unavailable or entirely disabled are not vulnerable.
Note that PCID is enabled by default for both 64-bit dom0 and 64-bit domU when hardware supports it. PCID acceleration has been backported to the following versions:
- Xen 4.11.x,
- Xen 4.10.2 and onwards,
- Xen 4.9.3 and onwards,
- Xen 4.8.4 and onwards,
- Xen 4.7.6.
MITIGATION
Running only HVM or PVH guests will avoid this vulnerability.
Disabling use of PCID entirely, by passing “pcid=0” or “invpcid=0” as a command line option to the hypervisor, will also avoid this vulnerability (albeit re-introducing the XPTI performance regression use of PCID was intended to reduce).
CREDITS
This issue was discovered by Jan Beulich of SUSE.
RESOLUTION
Applying the appropriate attached patch resolves this issue.
xsa294/unstable.patch xen-unstable xsa294/4.11.patch Xen 4.11.x xsa294/4.10.patch Xen 4.10.x xsa294/4.9.patch Xen 4.9.x xsa294/4.8.patch Xen 4.8.x xsa294/4.7.patch Xen 4.7.x
$ sha256sum xsa294*/* c10b7b79a2067cc6d95e40bc78ee8fddaf31f8614bb183fdd5f00e4272e08a0e xsa294/4.7.patch 3ac1c3caf01feaf341e977fcbae691f2e4425aa9691f2dfa66795acfe823d76e xsa294/4.8.patch a8dfc8b2d2f0d0865b70fb0051f9d5a80a6c7456d004957a0155d989ec875611 xsa294/4.9.patch c6fe1e0173b665a88cbab423737dcb060eed1f634f9bca880d9ddfa2ac855d03 xsa294/4.10.patch 61a341510f45c0cf63a7438645f5c2b3ab1cd72bc2476e5fad331e322f834f4a xsa294/4.11.patch 1fb22eab53f9b1e93fc25f5a08d37121a9278854174f1fbd495b3fe6e8babf3a xsa294/unstable.patch $
DEPLOYMENT DURING EMBARGO
Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators.
But: Distribution of updated software is prohibited (except to other members of the predisclosure list).
Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team.
(Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team’s decisionmaking.)
For more information about permissible uses of embargoed information, consult the Xen Project community’s agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE-----
iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAl2y1/cMHHBncEB4ZW4u b3JnAAoJEIP+FMlX6CvZH54H/iShmv1F1GDALKhJJdm+BOEtyVy+ZCFU5Atn97dV 3Bm+3BtX1Nfcd1pnLdzQs0ocasw+FSp0Swq93nrpM8hPK9ze4aAKwo/Srhf/WV2/ V9N5lKwxCUub6p2QbAcqj//zLxv0llkhduVGzV9/NXOzeLn5Rp2Af/rgSchQ4QHp oEdHXNV93Pm1pi4NpCu8uXQAW4Mp7rRiWJPuBkuJDhgVftXItSNMc6jLunJS581X z+3SmLpfF3IDVpa5GqjtFJ3Exk9DJe4oYHZPmb2qwJTsfV20emIc/7mARGErgdwT jpRjss41gJX1l41zRF9mwKPc1qPW6Rc9xgh6q1jrjY1CCvk= =TV/a -----END PGP SIGNATURE-----
Xenproject.org Security Team