Headline
CVE-2020-15563: 319 - Xen Security Advisories
An issue was discovered in Xen through 4.13.x, allowing x86 HVM guest OS users to cause a hypervisor crash. An inverted conditional in x86 HVM guests’ dirty video RAM tracking code allows such guests to make Xen de-reference a pointer guaranteed to point at unmapped space. A malicious or buggy HVM guest may cause the hypervisor to crash, resulting in Denial of Service (DoS) affecting the entire host. Xen versions from 4.8 onwards are affected. Xen versions 4.7 and earlier are not affected. Only x86 systems are affected. Arm systems are not affected. Only x86 HVM guests using shadow paging can leverage the vulnerability. In addition, there needs to be an entity actively monitoring a guest’s video frame buffer (typically for display purposes) in order for such a guest to be able to leverage the vulnerability. x86 PV guests, as well as x86 HVM guests using hardware assisted paging (HAP), cannot leverage the vulnerability.
Information
Advisory
XSA-319
Public release
2020-07-07 12:00
Updated
2020-07-07 12:18
Version
3
CVE(s)
CVE-2020-15563
Title
inverted code paths in x86 dirty VRAM tracking
Filesadvisory-319.txt (signed advisory file)
xsa319.meta
xsa319.patchAdvisory
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
Xen Security Advisory CVE-2020-15563 / XSA-319
version 3
inverted code paths in x86 dirty VRAM tracking
UPDATES IN VERSION 3
Public release.
ISSUE DESCRIPTION
An inverted conditional in x86 HVM guests’ dirty video RAM tracking code allows such guests to make Xen de-reference a pointer guaranteed to point at unmapped space.
IMPACT
A malicious or buggy HVM guest may cause the hypervisor to crash, resulting in Denial of Service (DoS) affecting the entire host.
VULNERABLE SYSTEMS
Xen versions from 4.8 onwards are affected. Xen versions 4.7 and earlier are not affected.
Only x86 systems are affected. Arm systems are not affected.
Only x86 HVM guests using shadow paging can leverage the vulnerability. In addition there needs to be an entity actively monitoring a guest’s video frame buffer (typically for display purposes) in order for such a guest to be able to leverage the vulnerability. x86 PV guests as well as x86 HVM guest using hardware assisted paging (HAP) cannot leverage the vulnerability.
MITIGATION
Running only PV guests will avoid the vulnerability.
For HVM guest explicitly configured to use shadow paging (e.g. via the `hap=0’ xl domain configuration file parameter), changing to HAP (e.g. by setting `hap=1’) will avoid exposing the vulnerability to those guests. HAP is the default (in upstream Xen), where the hardware supports it; so this mitigation is only applicable if HAP has been disabled by configuration.
CREDITS
This issue was discovered by Jan Beulich of SUSE.
RESOLUTION
Applying the attached patch resolves this issue.
Note that patches for released versions are generally prepared to apply to the stable branches, and may not apply cleanly to the most recent release tarball. Downstreams are encouraged to update to the tip of the stable branch before applying these patches.
xsa319.patch xen-unstable, 4.13 - 4.9
$ sha256sum xsa319* 1fe0dc2e274776b8e1275f85129280f280f94ca4eabe6a8166113283dad93ed8 xsa319.meta c145f394f8ac7d8838c376a97e1850c4125c12e478fc66ebe025ae397b27e6ea xsa319.patch $
DEPLOYMENT DURING EMBARGO
Deployment of the patch described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators.
HOWEVER deployment of the “use HAP mode” mitigation described above is NOT permitted (except where all the affected systems and VMs are administered and used only by organisations which are members of the Xen Project Security Issues Predisclosure List). Specifically, deployment on public cloud systems is NOT permitted.
This is because in that case the configuration change can be observed by guests, which could lead to the rediscovery of the vulnerability.
But: Distribution of updated software is prohibited (except to other members of the predisclosure list).
Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team.
(Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team’s decisionmaking.)
For more information about permissible uses of embargoed information, consult the Xen Project community’s agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE-----
iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAl8EZ/sMHHBncEB4ZW4u b3JnAAoJEIP+FMlX6CvZ75YH/jX/sAs0icOgBtHkwVZHg318OBExxt9x+ehk/pxb i+1ZlS/IrJ8eJdHJYq8HYvAlxmtmFP1I0t+C9vmwbP4QMcR++RmKgdJI4+/sqCsB AMEnK+cVJSbHxD7y7eW2CPuU3h0cKx0H24JgtzA2ONse7dVz7RN+oa97D5IKryTL cBW8WroMn2InbKMCUy/5zj89NLAlbSuWSVZzQidDwzTITukzhZZ7Xw0+Q2yh1nkK S4kcmz7Bzzd5Mc1gFr1Eh1FxfmVVl5RxwDE//3a5VbmfPVo/f0kMOIWjXVd1R1dj x78SPrPojOAZbb8+f1LYqHmqzCgzvpa4EFbsOnsB7CBmP2Q= =bDFh -----END PGP SIGNATURE-----
Xenproject.org Security Team