-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory CVE-2020-27674 / XSA-286 version 6 x86 PV guest INVLPG-like flushes may leave stale TLB entries UPDATES IN VERSION 6 ==================== CVE assigned. ISSUE DESCRIPTION ================= x86 PV guest kernels may use hypercalls with INVLPG-like behavior to invalidate TLB entries even after changes to non-leaf page tables. Such changes to non-leaf page tables will, however, also render stale possible TLB entries created by Xen's internal use of linear page tables to process guest requests like update-va-mapping. Invalidation of these TLB entries has been missing, allowing subsequent guest requests to change address mappings for one process to potentially modify memory meanwhile in use elsewhere. IMPACT ====== Malicious x86 PV guest user mode may be able to escalate their privilege to that of the guest kernel. VULNERABLE SYSTEMS ================== All versions of Xen expose the vulnerability. The vulnerability is exposed to x86 PV guests only. x86 HVM/PVH guests as well as ARM ones are not vulnerable. MITIGATION ========== There is no known mitigation. CREDITS ======= This issue was discovered by Jann Horn of Google Project Zero. RESOLUTION ========== Applying the appropriate set of attached patches resolves this issue. xsa286-unstable/*.patch xen-unstable xsa286-4.14/*.patch Xen 4.14.x xsa286-4.13/*.patch Xen 4.13.x xsa286-4.12/*.patch Xen 4.12.x xsa286-4.11/*.patch Xen 4.11.x xsa286-4.10/*.patch Xen 4.10.x $ sha256sum xsa286* xsa286*/* a7d4ddb15197dfcb246b84f8a89799f76070cdde99a5c1d0203229d719b0fcc1 xsa286.meta e5f946b07989db85de2a03e4b88e09324316c0ec12d21c5afb83d463114a1f4f xsa286-unstable/0001-x86-pv-Drop-FLUSH_TLB_GLOBAL-in-do_mmu_update-for-XP.patch 2a732c958201eb03cc0737278e75f86160e0dedbbe0a13f415ec0d17a90ec009 xsa286-unstable/0002-x86-pv-Flush-TLB-in-response-to-paging-structure-cha.patch 2da4b60e19b1fbf1daf0d1bc61733763abf5653a6e53ffeadd559d0a01ec8095 xsa286-4.10/0001-x86-pv-Drop-FLUSH_TLB_GLOBAL-in-do_mmu_update-for-XP.patch 5ce7f56a9b2c9a3a63f79d7df2486c24fc130a8658deb182b22416e17c202ae9 xsa286-4.10/0002-x86-pv-Flush-TLB-in-response-to-paging-structure-cha.patch 2e700e091bfd9d3fd6dd65064ec39a8a40d73bcc94b66852fd2d6fbe9ba6c2db xsa286-4.11/0001-x86-pv-Drop-FLUSH_TLB_GLOBAL-in-do_mmu_update-for-XP.patch d622652ce50d59bf45134baabc26b89a24e5d98b1f82230041919089a1cf1620 xsa286-4.11/0002-x86-pv-Flush-TLB-in-response-to-paging-structure-cha.patch 4dc18a007ddf2bd5022ce194b861989be88170f8188ce49dbea7073bb280202f xsa286-4.12/0001-x86-pv-Drop-FLUSH_TLB_GLOBAL-in-do_mmu_update-for-XP.patch 2c48331849d4d401b47dfc3db84bb067786b4e53155587235d919781b4a10e76 xsa286-4.12/0002-x86-pv-Flush-TLB-in-response-to-paging-structure-cha.patch dd0fad5165dcd0c3d8d551e35fa4fe29653a3b8c5ec52f7f86f434305c946338 xsa286-4.13/0001-x86-pv-Drop-FLUSH_TLB_GLOBAL-in-do_mmu_update-for-XP.patch de1326efd4a8559c32ac68c89095f3230f723dec2acc80fc01a534578bb1be82 xsa286-4.13/0002-x86-pv-Flush-TLB-in-response-to-paging-structure-cha.patch a718f5e19ce821d1fe06f2cdc2f7ad0bbe7c7bca954c283bbc36ad50522f66ef xsa286-4.14/0001-x86-pv-Drop-FLUSH_TLB_GLOBAL-in-do_mmu_update-for-XP.patch d659d4a4119b235c7d1054980ceea9424dcc7faf3cfd3fd46627577a424256b5 xsa286-4.14/0002-x86-pv-Flush-TLB-in-response-to-paging-structure-cha.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmAHB6MMHHBncEB4ZW4u b3JnAAoJEIP+FMlX6CvZDi4IAL8YKoMnrvTD8nNVHvUyTgVRpO9w68qq5r8gG3Z6 InBZWYOp+YrMScoqFap+R1RylIcKtzlqbCn3TR0dZdKDviPMpbgIQwEHI7C7I+qM rN4/cmEljAY+dspU2isqzX6IEDSwk4H9NcUtzN7+MbpUrJiis597IxW5T0KMM5Bd FYd2/MmzEayZkcEtuMLcFKdl2n1mi+7x7jNlQW5FeHI+6F8SS76YlYs2d/iaDC98 cX4YMdo4ZzcXpKVXgppbga7AEC1AZaNIfBd5cFrZaCvDBYnmW4Zwz8W7R/wYO987 5ogHMu0GX92i8QwN5EBwLolhnruZIBnaSJ9PiGk0GRbgGw4= =AADk -----END PGP SIGNATURE-----