-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory CVE-2017-10915 / XSA-219 version 3 x86: insufficient reference counts during shadow emulation UPDATES IN VERSION 3 ==================== CVE assigned. ISSUE DESCRIPTION ================= When using shadow paging, writes to guest pagetables must be trapped and emulated, so the shadows can be suitably adjusted as well. When emulating the write, Xen maps the guests pagetable(s) to make the final adjustment and leave the guest's view of its state consistent. However, when mapping the frame, Xen drops the page reference before performing the write. This is a race window where the underlying frame can change ownership. One possible attack scenario is for the frame to change ownership and to be inserted into a PV guest's pagetables. At that point, the emulated write will be an unaudited modification to the PV pagetables whose value is under guest control. IMPACT ====== A malicious pair of guests may be able to elevate their privilege to that of Xen. We have not ruled out the possibility that a single malicious HVM guest may be able to elevate their privilege to that of Xen. VULNERABLE SYSTEMS ================== All versions of Xen are vulnerable. Only x86 systems are affected. ARM systems are not vulnerable. HVM guests using shadow mode paging can exploit this vulnerability. HVM guests using Hardware Assisted Paging (HAP) cannot exploit this vulnerability. To discover whether your HVM guests are using HAP, or shadow page tables: request debug key `q' (from the Xen console, or with `xl debug-keys q'). This will print (to the console, and visible in `xl dmesg'), debug information for every domain, containing something like this: (XEN) General information for domain 2: (XEN) refcnt=1 dying=2 pause_count=2 (XEN) nr_pages=2 xenheap_pages=0 shared_pages=0 paged_pages=0 dirty_cpus={} max_pages=262400 (XEN) handle=ef58ef1a-784d-4e59-8079-42bdee87f219 vm_assist=00000000 (XEN) paging assistance: hap refcounts translate external ^^^ The presence of `hap' here indicates that the host is not vulnerable to this domain. For an HVM domain the presence of `shadow' indicates that the domain can exploit the vulnerability. Xen 4.6 and later have the option to compile-out shadow paging support. (The default is to compile with shadow paging support). If Xen is built without shadow support, it is not vulnerable. Exploiting this race condition requires coordination between an x86 HVM guest using shadow paging, and a PV guest. Running only HVM guests avoids the vulnerability, unless stub device models are in use (since stub device models are PV domains, each controlled by the corresponding guest). Running only PV guests avoids the vulnerability. MITIGATION ========== Where the HVM guest is explicitly configured to use shadow paging (eg via the `hap=0' xl domain configuration file parameter), changing to HAP (eg by setting `hap=1') will avoid exposing the vulnerability to those guests. HAP is the default (in upstream Xen), where the hardware supports it; so this mitigation is only applicable if HAP has been disabled by configuration. (This mitigation is not applicable to PV guests.) CREDITS ======= This issue was discovered by Andrew Cooper of Citrix. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. xsa219.patch xen-unstable xsa219-4.8.patch Xen 4.8, 4.7 xsa219-4.6.patch Xen 4.6 xsa219-4.5.patch Xen 4.5, 4.4 $ sha256sum xsa219* d06759d11dad3b128e65ade9e6afc1c728b65457cc32c34f46690f959c48644f xsa219.patch 0dd27ad66f964ba163dbc72e3a074d171b0e1edf9b322d811feb7f5c1deb4437 xsa219-4.5.patch d5fdd9d75dbad4a2315f48f8aec5dd3a10b92307320b5c141e2c1e69e422510c xsa219-4.6.patch a2023599abbc3b8f46cd430bec154401ef166493fcb5787f2f6fb9802b12f9b4 xsa219-4.8.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBCAAGBQJZX5IoAAoJEIP+FMlX6CvZouAH+gOw7icYZ2FwKnf210qsvt5D 3FR9CzAcHQjvNDu4W4bnsmrYX2cmIReu2dpVFkD3vZkn+fs8F1teZ+pryrPhI7JL 27i08ljph8iQnBtHbsYkn2U1jr08mm6qalX97DpcXzzgbZKYTP2jHaG18eyT8Q9A ZPPmqaer1/i7cTnK45/S5rp+KDVrMQEqevU9nhi/dzoMcAXG9Lbu3MEoxclmuvzi GwAJLlDEsy7n3wy1JSpoEt0x3Aanl+P5nWwQE8Y5W+DH5h3j6n4FTlUzmWQ2bwTm Y7xGRy11zvWBl5t5DerkVpu5Nai5YUMy9hjx3sCRk36/JWedZ9naO9Q+cWlYYd8= =aqWN -----END PGP SIGNATURE-----