Headline
CVE-2020-29040: 355 - Xen Security Advisories
An issue was discovered in Xen through 4.14.x allowing x86 HVM guest OS users to cause a denial of service (stack corruption), cause a data leak, or possibly gain privileges because of an off-by-one error. NOTE: this issue is caused by an incorrect fix for CVE-2020-27671.
Information
Advisory
XSA-355
Public release
2020-11-24 12:00
Updated
2021-01-19 16:24
Version
3
CVE(s)
CVE-2020-29040
Title
stack corruption from XSA-346 change
Filesadvisory-355.txt (signed advisory file)
xsa355.meta
xsa355.patchAdvisory
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
Xen Security Advisory CVE-2020-29040 / XSA-355
version 3
stack corruption from XSA-346 change
UPDATES IN VERSION 3
CVE assigned.
ISSUE DESCRIPTION
One of the two changes for XSA-346 introduced an on-stack array. The check for guarding against overrunning this array was off by one, allowing for corruption of the first stack slot immediately following this array.
IMPACT
A malicious or buggy HVM or PVH guest can cause Xen to crash, resulting in a Denial of Service (DoS) to the entire host. Privilege escalation as well as information leaks cannot be excluded.
VULNERABLE SYSTEMS
All Xen versions which have the patches for XSA-346 applied are vulnerable.
Only x86 HVM and PVH guests can leverage the vulnerability. Arm guests and x86 PV guests cannot leverage the vulnerability.
Only x86 HVM and PVH guests which have physical devices passed through to them can leverage the vulnerability.
MITIGATION
Not passing through physical devices to untrusted guests will avoid the vulnerability.
CREDITS
This issue was discovered by Jan Beulich of SUSE.
RESOLUTION
Applying the attached patch resolves this issue.
Note that patches for released versions are generally prepared to apply to the stable branches, and may not apply cleanly to the most recent release tarball. Downstreams are encouraged to update to the tip of the stable branch before applying these patches.
xsa355.patch xen-unstable - Xen 4.10.x
$ sha256sum xsa355* a93bfc376897e7cffd095d395f1a66476adb9503d7d80a59b7861e64c2675323 xsa355.meta dae633c11cf2eff3e304737265e18ab09213e8e4640458080a944ae7a40819a4 xsa355.patch $
NOTE CONCERNING SHORT EMBARGO
This issue is likely to be re-discovered as the changes for XSA-346 are deployed more widely, since the issue is also triggerable without any malice or bugginess.
DEPLOYMENT DURING EMBARGO
Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators.
But: Distribution of updated software is prohibited (except to other members of the predisclosure list).
Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team.
(Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team’s decisionmaking.)
For more information about permissible uses of embargoed information, consult the Xen Project community’s agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE-----
iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmAHB6UMHHBncEB4ZW4u b3JnAAoJEIP+FMlX6CvZpMAH/AwWuyJ0tQS95kJmfCSe9gxFkIZwnoOlxAIF1fQ8 0W7OXmgrr9giz3lVR6Kjannq3HextHuLoVttg3soJ6pCqPBOH84/k0vyHEb9ChBF ypkvH0iG1wnpVo+DdYOnY7OnaBHrPsB0E83WfKohP05e+Ymcroq09vKw02fR6B+z +D3uNzbNi1kZz1DcTZFsCAmHJsc3zS+D8jyEwOFQwlVckugJ+zDuylKtSDau56CN WGG3nkoDldWm1687ui4stnal8WIBP6sMgErwnv9hpzfL5glc/m0PSELQ8hZgNmAX KMoWvdjPenwPQEhrii92P15DbXGz6uktIZFrKRgCUx2u5ss= =1hd2 -----END PGP SIGNATURE-----
Xenproject.org Security Team