-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory CVE-2019-17347 / XSA-293 version 4 x86: PV kernel context switch corruption UPDATES IN VERSION 4 ==================== Correct affected versions statement. CVE assigned. ISSUE DESCRIPTION ================= On hardware supporting the fsgsbase feature, 64bit PV guests can set and clear the applicable control bit in its virtualised %cr4, but the feature remains fully active in hardware. Therefore, the associated instructions are actually usable. Linux, which does not currently support this feature, has various optimisations in its context switch path which justifiably assume that userspace can't actually make changes without a system call. Xen's behaviour of having this feature active behind the guest kernel's back undermines the correctness of any context switch logic which depends on the feature being disabled. Userspace can therefore corrupt fsbase or gsbase (commonly used for Thread Local Storage) in the next thread to be scheduled on the current vcpu. IMPACT ====== A malicious unprivileged guest userspace process can escalate its privilege to that of other userspace processes in the same guest, and potentially thereby to that of the guest operating system. Additionally, some guest software which attempts to use this CPU feature may trigger the bug accidentally, leading to crashes or corruption of other processes in the same guest. VULNERABLE SYSTEMS ================== Xen versions 4.4 and later are vulnerable. Xen 4.3 and earlier are not vulnerable. Only x86 hardware with the fsgsbase feature is vulnerable. This is believed to be Intel IvyBridge and later hardware, and AMD Steamroller and later hardware. ARM hardware is not affected. Only 64bit PV guests can exploit the vulnerability. 32bit PV guests, and HVM/PVH guests cannot exploit the vulnerability. Whether the bug is exploitable, and whether it will be triggered by accident, depend in a complicated way on the guest operating system and its configuration. Most guests are vulnerable to malicious userspace processes. MITIGATION ========== Running only 32bit PV or HVM/PVH guests will avoid this vulnerability. CREDITS ======= This issue was discovered by Andy Lutomirski. RESOLUTION ========== Applying the appropriate attached patches resolves this issue. xsa293/unstable-?.patch xen-unstable xsa293/4.11-?.patch Xen 4.11.x xsa293/4.10-?.patch Xen 4.10.x xsa293/4.9-?.patch Xen 4.9.x xsa293/4.8-?.patch Xen 4.8.x xsa293/4.7-?.patch Xen 4.7.x $ sha256sum xsa293* xsa293*/* 27baf055642a3a7e9d2b1a961e15a46b592eca7c6f63e28e3bcb19e4cebfd0bd xsa293.meta 865596b3dca81712a7d3d78f22e40aed1a08732f93b1950af6f092d893323a0f xsa293/4.7-1.patch 032559c4bbdfe0987b9d3b15cf8661d8d8a5d4e2e989c944490ac171305fba3b xsa293/4.7-2.patch d3d91a1a5083b0a1992750b808aefacd0f0d4e7e92d1436e620a542e935cdadd xsa293/4.7-3.patch 14b3db49375e353394b831a342d873d83615285d516f8cb08a0e1564d675cd51 xsa293/4.8-1.patch 1efc2ee18f54c7c41f478e944b3b708eb283bfa9de68a1046033d57784846c30 xsa293/4.8-2.patch 0d28899cad0e6798ae6a96717c15363ddf5a35e334ede02becdc81538ae589cc xsa293/4.8-3.patch b24210a74eb9dca5c7af902d223dba1b1b372df06a99fb1b0df8e92c9f9632f3 xsa293/4.9-1.patch f68101f80d9843c1cdbb70188caec7009a0d52d33d811d22091e7c1f265a15e1 xsa293/4.9-2.patch 194e42599eac16afab14856760901705a0600c1308645495f30d30f8dd68734c xsa293/4.10-1.patch 1fdee59bba66bd6b3ea4949913457dbcb1b8d5cb85fd8fb60aacac9a403ee9a9 xsa293/4.10-2.patch 277ba95e9a2276378fc9b3bcf89b694b9670256cde62278ade2e90d3fd5f7c46 xsa293/4.11-1.patch 724a0f433427a747876cbec09381dc1ca99286cea0ecbdd098c6e68fb135eeda xsa293/4.11-2.patch 837eb67900a7c70cf7a00836cb312506925ca1fd29529144ff312316b0dbb086 xsa293/unstable-1.patch 0a6df8c8778a1c7e1fb71825695a86dee36f2e9345b39a06e3a364ad8b938de0 xsa293/unstable-2.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAl2y1+8MHHBncEB4ZW4u b3JnAAoJEIP+FMlX6CvZ+v0H/21IMJyzcEdBt5Ki3zJ4gWL5XKxzy7p5r8IyvLto KulFRzMU2gopsrSji394Inl+iydSEgSRGNMytpJ6HlYmAH+O5xJe3BVsLyf4tvTO ONTs72xin6mm3h/cUSVtLzTfLAYX6AA37uy/kqUOGH9Bn1VDNhKFDwTjwb7riaDe cHpvCaQJGK9HBYjzD8HyAfh0nKupgLb19FdG5r2CjXqyHK1A+bC3LPdOc9jfNYrY YP4LV0nSU5XOBi6RrOSXySadvQQTXtaFACtpcRGQEhrXKmO+bUCQiyJzn2JtmxZP 7uMN9OqR6idl3mxgBb1QiHfxIFw2NB/MC6BoTBn4+Ea7yJk= =cxjY -----END PGP SIGNATURE-----