CVE-2020-25596: 339 - Xen Security Advisories

An issue was discovered in Xen through 4.14.x. x86 PV guest kernels can experience denial of service via SYSENTER. The SYSENTER instruction leaves various state sanitization activities to software. One of Xen’s sanitization paths injects a #GP fault, and incorrectly delivers it twice to the guest. This causes the guest kernel to observe a kernel-privilege #GP fault (typically fatal) rather than a user-privilege #GP fault (usually converted into SIGSEGV/etc.). Malicious or buggy userspace can crash the guest kernel, resulting in a VM Denial of Service. All versions of Xen from 3.2 onwards are vulnerable. Only x86 systems are vulnerable. ARM platforms are not vulnerable. Only x86 systems that support the SYSENTER instruction in 64bit mode are vulnerable. This is believed to be Intel, Centaur, and Shanghai CPUs. AMD and Hygon CPUs are not believed to be vulnerable. Only x86 PV guests can exploit the vulnerability. x86 PVH / HVM guests cannot exploit the vulnerability.


Information

Advisory: XSA-339
Public release: 2020-09-22 12:00
Updated: 2020-09-22 13:36
Version: 3
CVE(s): CVE-2020-25596
Title: x86 pv guest kernel DoS via SYSENTER
Files: advisory-339.txt (signed advisory file), xsa339.meta, xsa339.patch

Advisory


        Xen Security Advisory CVE-2020-25596 / XSA-339
                           version 3

             x86 pv guest kernel DoS via SYSENTER

UPDATES IN VERSION 3

Public release.

ISSUE DESCRIPTION

The SYSENTER instruction leaves various state sanitization activities to software. One of Xen’s sanitization paths injects a #GP fault, and incorrectly delivers it twice to the guest.

This causes the guest kernel to observe a kernel-privilege #GP fault (typically fatal) rather than a user-privilege #GP fault (usually converted into SIGSEGV/etc).

IMPACT

Malicious or buggy userspace can crash the guest kernel, resulting in a VM Denial of Service.

VULNERABLE SYSTEMS

All versions of Xen from 3.2 onwards are vulnerable.

Only x86 systems are vulnerable. ARM platforms are not vulnerable.

Only x86 systems which support the SYSENTER instruction in 64bit mode are vulnerable. This is believed to be Intel, Centaur and Shanghai CPUs. AMD and Hygon CPUs are not believed to be vulnerable.

Only x86 PV guests can exploit the vulnerability. x86 PVH / HVM guests cannot exploit the vulnerability.

MITIGATION

Running only x86 PVH / HVM guests avoids the vulnerability.
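As an added triage example (not part of the advisory or of Xen's own tooling), the Python below applies the VULNERABLE SYSTEMS and MITIGATION conditions above to a host's /proc/cpuinfo, `xl info` and `xl list -l` output; the vendor_id strings and the `config.c_info.type` layout of the `xl list -l` JSON are assumptions, and the sample inputs are constructed.

```python
"""Added XSA-339 triage helper (not from the advisory): decide whether a Xen
host is exposed.  Input formats and vendor_id strings are assumptions."""
import json
import re
# vendor_id values (whitespace-stripped) for the CPU families the advisory names.
AFFECTED_VENDORS = {"GenuineIntel", "CentaurHauls", "Shanghai"}

def cpu_vendors(cpuinfo_text):
    """Distinct, stripped vendor_id values found in /proc/cpuinfo text."""
    return {v.strip() for v in re.findall(r"^vendor_id\s*:(.*)$", cpuinfo_text, re.M)}

def xen_version(xl_info_text):
    """(major, minor) from the xen_major / xen_minor lines of `xl info`."""
    f = dict(re.findall(r"^(xen_major|xen_minor)\s*:\s*(\d+)", xl_info_text, re.M))
    return int(f["xen_major"]), int(f["xen_minor"])

def pv_guests(xl_list_json):
    """Names of PV domains (config.c_info.type == 'pv') in `xl list -l` JSON.
    dom0 is skipped: the advisory's threat is untrusted userspace in a guest."""
    names = []
    for dom in json.loads(xl_list_json):
        cinfo = dom.get("config", {}).get("c_info", {})
        if dom.get("domid") != 0 and cinfo.get("type") == "pv":
            names.append(cinfo.get("name", "domid-%s" % dom.get("domid")))
    return names

def assess(cpuinfo_text, xl_info_text, xl_list_json):
    """Return (exposed, reasons).  Exposed only when every advisory condition
    holds: affected vendor, Xen >= 3.2 and at least one PV guest; a PVH/HVM-only
    host is the advisory's own mitigation and is reported as not exposed."""
    reasons = []
    if not cpu_vendors(cpuinfo_text) & AFFECTED_VENDORS:
        reasons.append("CPU vendor not Intel/Centaur/Shanghai")
    if xen_version(xl_info_text) < (3, 2):
        reasons.append("Xen older than 3.2")
    pv = pv_guests(xl_list_json)
    if not pv:
        reasons.append("no PV guests (PVH/HVM only)")
    return (not reasons, reasons or ["PV guests %s on affected CPU" % pv])

# Constructed sample inputs (not captured from a real host) for a stand-alone run.
CPUINFO = "processor\t: 0\nvendor_id\t: GenuineIntel\nmodel name\t: constructed\n"
XLINFO = "host : xenhost\nxen_major : 4\nxen_minor : 13\n"
XLLIST = json.dumps([
    {"domid": 0, "config": {"c_info": {"type": "pv", "name": "Domain-0"}}},
    {"domid": 3, "config": {"c_info": {"type": "pv", "name": "legacy-pv"}}},
    {"domid": 4, "config": {"c_info": {"type": "hvm", "name": "win-hvm"}}}])
print(assess(CPUINFO, XLINFO, XLLIST))
```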

CREDITS

This issue was discovered by Andrew Cooper of Citrix.

RESOLUTION

Applying the attached patch resolves this issue.

Note that patches for released versions are generally prepared to apply to the stable branches, and may not apply cleanly to the most recent release tarball. Downstreams are encouraged to update to the tip of the stable branch before applying these patches.

xsa339.patch Xen 4.10 - xen-unstable

$ sha256sum xsa339*
5cece13878cc40b32bc5753c0ef64f989f9b1c7f9549d62ea4fcd06e9620de9e  xsa339.meta
b6ffa7671d905aa12498ad64915be3b7cba74ce1c5bf6bce18b1f106ebf6d715  xsa339.patch
$

DEPLOYMENT DURING EMBARGO

Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators.

But: Distribution of updated software is prohibited (except to other members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team.

(Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team’s decision-making.)

For more information about permissible uses of embargoed information, consult the Xen Project community’s agreed Security Policy: http://www.xenproject.org/security-policy.html

Xenproject.org Security Team
