-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2019-19580 / XSA-310
                              version 3

       Further issues with restartable PV type change operations

UPDATES IN VERSION 3
====================

Public release.

Updated metadata to add 4.13, update StableRef's

ISSUE DESCRIPTION
=================

XSA-299 addressed several critical issues in restartable PV type change
operations. Despite extensive testing and auditing, some corner cases
were missed.

IMPACT
======

A malicious PV guest administrator may be able to escalate their
privilege to that of the host.

VULNERABLE SYSTEMS
==================

All security-supported versions of Xen are vulnerable.

Only x86 systems are affected. Arm systems are not affected.

Only x86 PV guests can leverage the vulnerability. x86 HVM and PVH
guests cannot leverage the vulnerability.

Note that these attacks require very precise timing, which may be
difficult to exploit in practice.

MITIGATION
==========

Running only HVM or PVH guests will avoid this vulnerability.

Running PV guests in "shim" mode will also avoid this vulnerability.

CREDITS
=======

This issue was discovered by Sarah Newman at prgmr.com.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa310/*.patch           xen-unstable, Xen 4.13 - 4.10
xsa310-4.9/*.patch       Xen 4.9 - 4.8

$ sha256sum xsa310* xsa310*/*
2208e40c71aa521ae487782bd751963ce696be451d10a179fcecdff7a0065369  xsa310.meta
8e75f0fb5fe890a661c8d46ec622131bc650f1a95b170b99569b50dd2224616c  xsa310-4.9/0001-x86-mm-Set-old_guest_table-when-destroying-vcpu-page.patch
3da404a0c088936ed92377ccef1fa6fdeb23900358ca9284e3488e8e1dcb5dd2  xsa310-4.9/0002-x86-mm-alloc-free_lN_table-Retain-partial_flags-on-E.patch
cd1a77c2f767474dcfbd1e6282ad3219ce2abcac2021b040120d40b52fc76bc8  xsa310-4.9/0003-x86-mm-relinquish_memory-Grab-an-extra-type-ref-when.patch
44c670a1b1b8164202766d52fb741e62c104118525eb7a3e56f4b232bcb8be3f  xsa310/0001-x86-mm-Set-old_guest_table-when-destroying-vcpu-page.patch
173dc0ffb4c572c8493bd9d5f3309b113e51888bdc9e462c78933f5c85f69b7a  xsa310/0002-x86-mm-alloc-free_lN_table-Retain-partial_flags-on-E.patch
1833fbfc2cdea9b37f161b09df947dffdd8db5e60a2f3512913de0e0c0d4b3ef  xsa310/0003-x86-mm-relinquish_memory-Grab-an-extra-type-ref-when.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decision-making.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:

  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAl3w3F0MHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZ1noH/i6Sb3F6ZiaSl460OvdCRKd9lZm3ONunOH4IHuc6
+Q/G0G4b48UYfK/8FSAAjldv8tPOA5+j3GAFr2JgVtTWjP7tZyzSs0tDvn37sZrZ
D3l0AeOHxLCuSRxnoRDtpKiuJv71DrnYEfCDdc6R4DTZuciOWYpYq6PQTac5bLZX
8G5nR+33SvzdIpncvONa0Xqm1+Cgy8yOOQQJHeQvN7GJfVvs6AHepU5zuP2Ez42W
ReNA6o13xwiI8LGKvf8cV7s74JklIxR9gzkv4bBtMKInUY2loSIbKpI8E9GsVa3n
VOJ2kwKgGgszewBoVyJdGYY1ZlXeIdPjOj7+575bsRnDlGo=
=f2/B
-----END PGP SIGNATURE-----
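The advisory's RESOLUTION section lists the SHA-256 of every patch file so that administrators can confirm the files they fetched are the ones the signed advisory refers to. The POSIX shell routine below is an added example, not part of the signed advisory text and not Xen Project tooling: it embeds the advisory's own checksum list as a sha256sum manifest and checks a download directory against it with `sha256sum -c --strict`, so any missing, renamed or altered patch makes the check fail before the patch is applied. The directory layout (xsa310/ and xsa310-4.9/ under one download directory) follows the advisory; the manifest path is an assumption of this example.

```shell
#!/bin/sh
# Added example (not part of the XSA-310 advisory or Xen tooling).
# Writes the advisory's published SHA-256 list, in sha256sum -c format
# (two spaces between digest and path), to the file named by $1.
write_xsa310_manifest() {
    cat > "$1" <<'EOF'
2208e40c71aa521ae487782bd751963ce696be451d10a179fcecdff7a0065369  xsa310.meta
8e75f0fb5fe890a661c8d46ec622131bc650f1a95b170b99569b50dd2224616c  xsa310-4.9/0001-x86-mm-Set-old_guest_table-when-destroying-vcpu-page.patch
3da404a0c088936ed92377ccef1fa6fdeb23900358ca9284e3488e8e1dcb5dd2  xsa310-4.9/0002-x86-mm-alloc-free_lN_table-Retain-partial_flags-on-E.patch
cd1a77c2f767474dcfbd1e6282ad3219ce2abcac2021b040120d40b52fc76bc8  xsa310-4.9/0003-x86-mm-relinquish_memory-Grab-an-extra-type-ref-when.patch
44c670a1b1b8164202766d52fb741e62c104118525eb7a3e56f4b232bcb8be3f  xsa310/0001-x86-mm-Set-old_guest_table-when-destroying-vcpu-page.patch
173dc0ffb4c572c8493bd9d5f3309b113e51888bdc9e462c78933f5c85f69b7a  xsa310/0002-x86-mm-alloc-free_lN_table-Retain-partial_flags-on-E.patch
1833fbfc2cdea9b37f161b09df947dffdd8db5e60a2f3512913de0e0c0d4b3ef  xsa310/0003-x86-mm-relinquish_memory-Grab-an-extra-type-ref-when.patch
EOF
}

# verify_manifest DIR MANIFEST
# Checks every entry of MANIFEST against the files under DIR.
# Returns 0 only when every listed file exists and its digest matches;
# any mismatch, missing file or malformed manifest line (--strict)
# yields a non-zero status. The manifest is fed on stdin, so the
# subshell's cd does not change how the manifest path is resolved.
verify_manifest() {
    dir="$1"
    manifest="$2"
    (cd "$dir" && sha256sum --strict -c -) < "$manifest" >/dev/null 2>&1
}

# Typical use: download directory assumed to be ./xsa310-download
# (an assumption of this example), manifest written next to it.
if [ "${1:-}" = "--run" ]; then
    write_xsa310_manifest ./xsa310.sha256
    if verify_manifest ./xsa310-download ./xsa310.sha256; then
        echo "XSA-310 patch files match the advisory checksums"
    else
        echo "XSA-310 checksum verification FAILED; do not apply" >&2
        exit 1
    fi
fi
```

The checksum list is only as trustworthy as the advisory that carries it, so the PGP signature on the advisory (`gpg --verify` against the Xen Project security key) should be checked first; the manifest then extends that signature's guarantee to the individual patch files.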