-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory CVE-2023-46842 / XSA-454 version 2 x86 HVM hypercalls may trigger Xen bug check UPDATES IN VERSION 2 ==================== Avoid new Misra violation in 1st staging patch. Public release. ISSUE DESCRIPTION ================= Unlike 32-bit PV guests, HVM guests may switch freely between 64-bit and other modes. This in particular means that they may set registers used to pass 32-bit-mode hypercall arguments to values outside of the range 32-bit code would be able to set them to. When processing of hypercalls takes a considerable amount of time, the hypervisor may choose to invoke a hypercall continuation. Doing so involves putting (perhaps updated) hypercall arguments in respective registers. For guests not running in 64-bit mode this further involves a certain amount of translation of the values. Unfortunately internal sanity checking of these translated values assumes high halves of registers to always be clear when invoking a hypercall. When this is found not to be the case, it triggers a consistency check in the hypervisor and causes a crash. IMPACT ====== A HVM or PVH guest can cause a hypervisor crash, causing a Denial of Service (DoS) of the entire host. VULNERABLE SYSTEMS ================== All Xen versions from at least 3.2 onwards are vulnerable. Earlier versions have not been inspected. Only x86 systems are vulnerable. Arm systems are not vulnerable. Only HVM or PVH guests can leverage the vulnerability. PV guests cannot leverage the vulnerability. MITIGATION ========== Not using HVM / PVH guests will avoid the vulnerability. CREDITS ======= This issue was discovered by Manuel Andreas of Technical University of Munich. RESOLUTION ========== Applying either of the attached patches from the appropriate set resolves this issue. Note that patches for released versions are generally prepared to apply to the stable branches, and may not apply cleanly to the most recent release tarball. Downstreams are encouraged to update to the tip of the stable branch before applying these patches. xsa454-?.patch xen-unstable xsa454-4.18-?.patch Xen 4.18.x xsa454-4.17-?.patch Xen 4.17.x xsa454-4.16-?.patch Xen 4.16.x - Xen 4.15.x $ sha256sum xsa454* 2df9af16605b634d3585a30f673b4cf9e327889cfd8714a697de215c3f809fb5 xsa454-1.patch f2ed0468350f2c2e0285a546ab5c722e928add5425b05bff663c632ada09ee3b xsa454-2.patch 4106f323251e262d30319c61de7c876f2b18edfcce38cc70501fb3c22677ff0a xsa454-4.16-1.patch 962ea7d8f3e378ec775619e44525f66768369423b56113420763651dbbf6bc1e xsa454-4.16-2.patch 95b299237d13ae27f643d804eb40b600b9b8ef056953686d4f770f03c46c42c8 xsa454-4.17-1.patch 7af290595cbea3153e49344827095c874e6a8d208d8c843e62ee0787b0d7d46d xsa454-4.17-2.patch 999006e7917c996741dfc332d28e7b2ca8376f8e9d5b38161cbd5988528d0238 xsa454-4.18-1.patch f2ed0468350f2c2e0285a546ab5c722e928add5425b05bff663c632ada09ee3b xsa454-4.18-2.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmYVK4QMHHBncEB4ZW4u b3JnAAoJEIP+FMlX6CvZGckH/3BlZCckKISpUFMM/633xyAdJ8ZMVwZDhS2/eC+n SJA4VuqAgw6dqqvAA5ga7jzBiCxe78S1BVXAZjOctmfVHRTOoyKg2hcEcKAit8uf Pbxm/XHqgQRb6FTAlZROqX0rxq+7kSftm0teQWvMfauwVia59Shhye67dmdk9tCP G8BTDFVEAspFYopQOiTmFQbxIkLLC6rg0UljQfxStPMw3MyX8pO5Lzl3+POlM1xV XBynHxVmpdXNe1rFYcRKIsQWbbgYiEMXjQmOkax2mTfMHDhMZjkxvpLZa2jMfzkP wTdqwWqO+z2eGZPWVL95uwZ49Q6Pzhnd6MXkn0wfHtDzy24= =oUIS -----END PGP SIGNATURE-----