-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory CVE-2020-15565 / XSA-321 version 3 insufficient cache write-back under VT-d UPDATES IN VERSION 3 ==================== Public release. ISSUE DESCRIPTION ================= When page tables are shared between IOMMU and CPU, changes to them require flushing of both TLBs. Furthermore, IOMMUs may be non-coherent, and hence prior to flushing IOMMU TLBs CPU cached also needs writing back to memory after changes were made. Such writing back of cached data was missing in particular when splitting large page mappings into smaller granularity ones. IMPACT ====== A malicious guest may be able to retain read/write DMA access to frames returned to Xen's free pool, and later reused for another purpose. Host crashes (leading to a Denial of Service) and privilege escalation cannot be ruled out. VULNERABLE SYSTEMS ================== Xen versions from at least 3.2 onwards are affected. Only x86 Intel systems are affected. x86 AMD as well as Arm systems are not affected. Only x86 HVM guests using hardware assisted paging (HAP), having a passed through PCI device assigned, and having page table sharing enabled can leverage the vulnerability. Note that page table sharing will be enabled (by default) only if Xen considers IOMMU and CPU large page size support compatible. MITIGATION ========== Suppressing the use of page table sharing will avoid the vulnerability (command line option "iommu=no-sharept"). Note however that as of Xen version 4.13 there's also a respective per-guest control ("passthrough=" libxl guest config file option). If any guests have been created with an explicit setting here, this setting may conflict with the addition of the "iommu=no-sharept" Xen command line option. Suppressing the use of large HAP pages will avoid the vulnerability (command line options "hap_2mb=no hap_1gb=no"). Not passing through PCI devices to HVM guests will avoid the vulnerability. CREDITS ======= This issue was discovered by Roger Pau Monné of Citrix. RESOLUTION ========== Applying the appropriate set of attached patches resolves this issue. Note that unlike implied by the numbering, the patches here are intended to go on top of XSA-328's. Note also that patches for released versions are generally prepared to apply to the stable branches, and may not apply cleanly to the most recent release tarball. Downstreams are encouraged to update to the tip of the stable branch before applying these patches. xsa321/xsa321-?.patch xen-unstable xsa321/xsa321-4.13-?.patch Xen 4.13.x xsa321/xsa321-4.12-?.patch Xen 4.12.x xsa321/xsa321-4.11-?.patch Xen 4.11.x xsa321/xsa321-4.10-?.patch Xen 4.10.x xsa321/xsa321-4.9-?.patch Xen 4.9.x $ sha256sum xsa321* xsa321*/* f0824c6b6e5de723301223927dbad916e0e5fbeb70f30a7e2467a04094dd840b xsa321.meta 35ed3be5e66da0580de8fb14ee7e6c073ac60e08e022c35ef194a714698641ad xsa321/xsa321-1.patch b2bbb4cf397b7b532dcab120a4d678938c50ca0df6ff2724a416ac8567bd667b xsa321/xsa321-2.patch 87d2e0446ee3fb013c8f307e71c0ddeae8122d6beee3e5d2871aa429d8d19daa xsa321/xsa321-3.patch 38d7e715d4ed751a9ce503b61cacaf2d06c91b2eab4be95cbc3a9ae4d2a05efb xsa321/xsa321-4.9-1.patch e4d5238233c883ea62491f852e543550bce9d74d7239a866f5e117df46838abc xsa321/xsa321-4.9-2.patch d9140aee60c848e2e07a59741bab1fde4669f2627923e5d3f08b8f2971f589c4 xsa321/xsa321-4.9-3.patch be8e320f64185bb29c52c0c1472d9d9aa1319768076ff70e691d4b40f7938a27 xsa321/xsa321-4.9-4.patch 7d83cb2d7de293f8534fa4eae1c56979984d01d8842ac06cfcb645191f27e51f xsa321/xsa321-4.9-5.patch 99c7cf186f0fea47ef516e3d477a5f5068adaad44624b406694b9ff33268e05b xsa321/xsa321-4.9-6.patch 9731286e9af9d83c5bf191aa5a6be0dfa34c79bca15660cd9b9e1c8e930cf974 xsa321/xsa321-4.9-7.patch 360765e859866c466dc1c9c6893dd800407d8f09b0b6f2b07fa403c290c4f0c6 xsa321/xsa321-4.10-1.patch e4d5238233c883ea62491f852e543550bce9d74d7239a866f5e117df46838abc xsa321/xsa321-4.10-2.patch 74b5c19a469cc7252a296cb19288f1ab53a411530d06dd364a0e3292c6aa273f xsa321/xsa321-4.10-3.patch be8e320f64185bb29c52c0c1472d9d9aa1319768076ff70e691d4b40f7938a27 xsa321/xsa321-4.10-4.patch 7d83cb2d7de293f8534fa4eae1c56979984d01d8842ac06cfcb645191f27e51f xsa321/xsa321-4.10-5.patch 99c7cf186f0fea47ef516e3d477a5f5068adaad44624b406694b9ff33268e05b xsa321/xsa321-4.10-6.patch fb3122d23ae7381d798721fe92c622ea2d37baac369fe89b0707030315dfc896 xsa321/xsa321-4.10-7.patch 360765e859866c466dc1c9c6893dd800407d8f09b0b6f2b07fa403c290c4f0c6 xsa321/xsa321-4.11-1.patch 02e2fda4b467f10a7f38cb2a095b9da04289d9e8489db88bf542d6527b823a23 xsa321/xsa321-4.11-2.patch 04c9bc347f8d3cbb8aecede370189bba2ed47be560d1871b91eb01b962a578cc xsa321/xsa321-4.11-3.patch be8e320f64185bb29c52c0c1472d9d9aa1319768076ff70e691d4b40f7938a27 xsa321/xsa321-4.11-4.patch c1b143b43b59244d5dc755f6a99de70ac39e803a7204296bb47300b9ffe26e59 xsa321/xsa321-4.11-5.patch 38456ff553416e48f2f5438c2a5a163b20929e8a58dbe811942d0d47aacfc9ea xsa321/xsa321-4.11-6.patch d3b6df41682e6b88898545590bee8242c00b4593773ba8070ce57a0473094189 xsa321/xsa321-4.11-7.patch c6d00d7a988002687be9a19a2d631c3562d8ec9f02ae24efc23eb0039f9e0ddb xsa321/xsa321-4.12-1.patch 64dd3aa18be3ccb17ab6d813df16e2025adabbe38127f2f00175a6a481651d86 xsa321/xsa321-4.12-2.patch 935346f3d0f2759699b0ccb8002abfb0dc173ec3ed616fb9042ad86751445757 xsa321/xsa321-4.12-3.patch be8e320f64185bb29c52c0c1472d9d9aa1319768076ff70e691d4b40f7938a27 xsa321/xsa321-4.12-4.patch c1b143b43b59244d5dc755f6a99de70ac39e803a7204296bb47300b9ffe26e59 xsa321/xsa321-4.12-5.patch 0da20aeb89e18490d60649dbfdb9c374e5861032da784a7724216c329f2cc5f0 xsa321/xsa321-4.12-6.patch 4d1954600eeca7e2cb9143ea8e32969731071f991a9a88a245c18e860c57c22c xsa321/xsa321-4.12-7.patch 946053a8bba53d87b4164acaf3343e30689d91b505b6355d873c016166d87103 xsa321/xsa321-4.13-1.patch f09e8cbf0cce17647d47f38137792517c8b108c3b54f57793d03578b0d5ccf99 xsa321/xsa321-4.13-2.patch bd50ad52d23c6fc12b69ecaaf41073833cbe9b1d66a9f4e148df078e30dd45d4 xsa321/xsa321-4.13-3.patch b181511962ce397302be8b7d5a130abe0995b3fda68b96f1afa95ae64f62dd09 xsa321/xsa321-4.13-4.patch 3286fc184fb377c1ce94344d1dbae3b78e95b0ae766eabb80b2fc612e59ffb69 xsa321/xsa321-4.13-5.patch 03a193197d176109dc586f4d6a76aebe32a4aa147e88c79d57582cf0a186c4ef xsa321/xsa321-4.13-6.patch ef7f9ac74313d2dabfb258b2519b2144e4feed3c85b5f705c4b1b7ba31ec316a xsa321/xsa321-4.13-7.patch e6d4b77063d4cd7a7242ac54b150ce42ce684ecbf46c7eaff5715976f272f4bc xsa321/xsa321-4.patch 920771be10110a3eef8e4b8644145794d274042092f3aa14e04fa94fc1e78e8a xsa321/xsa321-5.patch b10c5583e01f1c26862806562f30e393960b0bbdd7cf7fca6640f4daa88fe017 xsa321/xsa321-6.patch 18da003fb05b7aebe868ff9f1c77063b8a51be3b07ab0c9fc4821bf46ca86eeb xsa321/xsa321-7.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAl8EaM8MHHBncEB4ZW4u b3JnAAoJEIP+FMlX6CvZ35IH/iNi7HaBQrIqks4MB/0odUAIYyUEVsI4eAavChkX oKO+IQ7sDOyjKG+VHWgMxtnZhcQk9A+qHMnfCjL7igp0HMonT5C1r38x/+Nf203+ V/mQ0h/Vj1Fz7qSk0mtX2j2zkAS7hEFnOQcT5TIkxAt5ZO3wSbPEwmt9UqR7VON9 rXFX6WyAqDhO7Hw2lngPXc2VGoORHqybII4XZGb24TO7q9U4vFhBR0ZVgWKBo1pt 82gl2h2jQn8IA0Rrack+ucfsoD9D+E3AQYtipZVd9PI/SJNsZHvHJdaPxBf2CUqO Jb1e5MMXRG9Htpe0GPu8Y0TSUAUCoHqBsJTE1wkn4hun5SQ= =/CNm -----END PGP SIGNATURE-----