Information

Advisory XSA-282
Public release 2018-11-06 18:40
Updated 2023-12-15 15:35
Version 3
CVE(s) CVE-2018-19967
Title guest use of HLE constructs may lock up host

Files

advisory-282.txt (signed advisory file)
xsa282.meta
xsa282-1.patch
xsa282-2.patch
xsa282-4.8-2.patch
xsa282-4.9-1.patch
xsa282-4.11-1.patch

Advisory


            Xen Security Advisory CVE-2018-19967 / XSA-282
                               version 3

             guest use of HLE constructs may lock up host

UPDATES IN VERSION 3
====================

Normalize version tags

ISSUE DESCRIPTION
=================

Various Intel CPU models have an erratum listed under the title
"Processor May Hang When Executing Code In an HLE Transaction".  It
describes a potential hang when using instructions with the XACQUIRE
prefix on the host physical memory range covering the first 4 MiB
starting at the 1GiB boundary.

IMPACT
======

A malicious or buggy guest may cause a CPU to hang, resulting in a DoS
(Denial of Service) affecting the entire host.

VULNERABLE SYSTEMS
==================

All Xen versions are affected.

Only Intel based x86 systems are affected.  Please refer to Intel
documentation as to which specific CPU models are affected.

AMD x86 systems as well as Arm ones are not affected.

MITIGATION
==========

There is no known mitigation.  A BIOS update may be available for some
systems, working around the issue at the firmware level.

RESOLUTION
==========

Applying the appropriate pair of attached patches works around this issue
for the CPU models known to be affected at the time of writing.

xsa282-?.patch                              xen-unstable
xsa282-4.11-1.patch, xsa282-2.patch         Xen 4.11.x, Xen 4.10.x
xsa282-4.9-1.patch, xsa282-2.patch          Xen 4.9.x
xsa282-4.9-1.patch, xsa282-4.8-2.patch      Xen 4.8.x, Xen 4.7.x

$ sha256sum xsa282*
6ef64ca920a58ed9185e81fad3dfa9ca5f6316f1e72ddd4f411f3e79eaf79903  xsa282.meta
ad7093e00b3d6650530c95427ef0e68880883f0cec7229b5f41c9e2dc497ffd5  xsa282-1.patch
7ce7fa105026b189500a31bd3978ec0c6fd9d7c95f688463c25ecce76366be35  xsa282-2.patch
fbff734d678700864563f8214361f391c0cbda9b67ed7256535ed3db388c8feb  xsa282-4.8-2.patch
df833cbe9b8798104a65d44b737c46f97399b86b0ffd03c99fda4c8ecf5a353c  xsa282-4.9-1.patch
68eab296a7124662cbe3c6df8835aff9b4a26160fdbe970e206a7a6ef8d27ec7  xsa282-4.11-1.patch
$

NOTE REGARDING LACK OF EMBARGO
==============================

The issue has been documented publicly in Specification Updates for at
least some of the affected processors for quite some time.


Xenproject.org Security Team
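
The range given under ISSUE DESCRIPTION (the first 4 MiB starting at the 1 GiB boundary) is bytes 0x40000000 through 0x403fffff, or 1024 frames of 4 KiB starting at frame 0x40000. The C code below is an added example, not taken from the attached patches or from Xen: it shows one way to keep that window out of a list of usable RAM regions and to test whether a page block, including a superpage, touches it. The function names, the 4 KiB frame size and the sample memory map are assumptions made for illustration.

```c
#include <inttypes.h>
#include <stdio.h>

/* Range from the advisory: first 4 MiB starting at the 1 GiB boundary. */
#define HLE_START  (UINT64_C(1) << 30)
#define HLE_END    (HLE_START + (UINT64_C(4) << 20))    /* exclusive */
#define PAGE_SHIFT 12                                   /* assumption: 4 KiB frames */

struct region { uint64_t start, end; };                 /* [start, end) in bytes */

/* 1 if the block of 2^order frames starting at frame mfn touches the window. */
int block_hits_hle_window(uint64_t mfn, unsigned int order)
{
    uint64_t s = mfn << PAGE_SHIFT;
    uint64_t e = s + (UINT64_C(1) << (order + PAGE_SHIFT));
    return s < HLE_END && e > HLE_START;
}

/* Copy RAM regions to out[] with the window cut out. Returns the number of
 * regions written; writing stops once cap entries are used. */
size_t carve_hle_window(const struct region *in, size_t n,
                        struct region *out, size_t cap)
{
    size_t k = 0;
    for (size_t i = 0; i < n; i++) {
        uint64_t s = in[i].start, e = in[i].end;
        if (e <= HLE_START || s >= HLE_END) {           /* no overlap: keep whole */
            if (k < cap) out[k++] = in[i];
        } else {                                        /* keep what lies outside */
            if (s < HLE_START && k < cap) out[k++] = (struct region){ s, HLE_START };
            if (e > HLE_END && k < cap)   out[k++] = (struct region){ HLE_END, e };
        }
    }
    return k;
}

/* Constructed sample map: low RAM, then one region spanning the window. */
static const struct region sample_map[] = {
    { 0x0000000000001000, 0x000000000009f000 },
    { 0x0000000000100000, 0x00000000bff00000 },
};

int main(void)
{
    struct region out[4];
    size_t n = carve_hle_window(sample_map, 2, out, 4);
    for (size_t i = 0; i < n; i++)
        printf("usable: %#" PRIx64 "-%#" PRIx64 "\n", out[i].start, out[i].end);
    return 0;
}
```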