Information

Advisory XSA-348
Public release 2020-12-15 12:00
Updated 2020-12-15 12:19
Version 3
CVE(s) CVE-2020-29566
Title undue recursion in x86 HVM context switch code

Files

advisory-348.txt (signed advisory file)
xsa348.meta
xsa348-1.patch
xsa348-2.patch
xsa348-3.patch
xsa348-4.10.patch
xsa348-4.11.patch
xsa348-4.12.patch
xsa348-4.13-1.patch
xsa348-4.13-2.patch
xsa348-4.13-3.patch

Advisory


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2020-29566 / XSA-348
                               version 3

            undue recursion in x86 HVM context switch code

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

When they require assistance from the device model, x86 HVM guests
must be temporarily de-scheduled.  The device model will signal Xen
when it has completed its operation, via an event channel, so that the
relevant vCPU is rescheduled.

If the device model were to signal Xen without having actually
completed the operation, the de-schedule / re-schedule cycle would
repeat.  If, in addition, Xen is resignalled very quickly, the
re-schedule may occur before the de-schedule was fully complete,
triggering a shortcut.  This potentially repeating process uses
ordinary recursive function calls, so could result a stack overflow.

IMPACT
======

A malicious or buggy stubdomain serving a HVM guest can cause Xen to
crash, resulting in a Denial of Service (DoS) to the entire host.

VULNERABLE SYSTEMS
==================

All Xen versions are vulnerable.

Only x86 systems are affected.  Arm systems are not affected.

Only x86 stubdomains serving HVM guests can exploit the vulnerability.

MITIGATION
==========

Running only PV or PVH guests will avoid the vulnerability.

(Switching from a device model stub domain to a dom0 device model does
NOT mitigate this vulnerability.  Rather, it simply recategorises the
vulnerability to hostile management code, regarding it "as designed";
thus it merely reclassifies these issues as "not a bug".  The security
of a Xen system using stub domains is still better than with a qemu-dm
running as a dom0 process.  Users and vendors of stub qemu dm systems
should not change their configuration to use a dom0 qemu process.)

CREDITS
=======

This issue was discovered by Julien Grall of Amazon.

RESOLUTION
==========

Applying the appropriate (set of) attached patch(es) resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa348-?.patch           xen-unstable - Xen 4.14.x
xsa348-4.13-?.patch      Xen 4.13.x
xsa348-4.12.patch        Xen 4.12.x
xsa348-4.11.patch        Xen 4.11.x
xsa348-4.10.patch        Xen 4.10.x

$ sha256sum xsa348*
f9606145cdbd3caacf6be7e5bcb62fc7d2c0b76572c1be26db608c5eac57ead0  xsa348.meta
b619dac8453daa9f85526dec67ed67d999d182ccbc39b91be122b3365a0b5cb9  xsa348-1.patch
01b11ea3be160704c992187ad727ac1f03841cc452bbe2c142b53fddfa2da844  xsa348-2.patch
2c54474da9680625717e5a61b2a3a5ac23acad6f7bc0fcb306fe181fd0a38f1d  xsa348-3.patch
e2f4cbec1a763f045e827ececf13d06dedcc7cc49b42136160c8d986778529ae  xsa348-4.10.patch
15d4f5fb894a45027f4a17a557d4fdb0a390575ab2c2d3aa2b265d3c6239c765  xsa348-4.11.patch
58b1a771dc720b1efb205a9d1baf46aea0205d4c65310e693dd2cfe7834cd8b9  xsa348-4.12.patch
1d181edd11f2437ff9298f9b5e81d75f5e5db8a79a8ce2c5aed0d75882473a0b  xsa348-4.13-1.patch
b68d3dfa2003a7444c165ab3639886b9b502c06cdfd4f43bea747d8fb14dc7cd  xsa348-4.13-2.patch
67ecb0819041bf0b20a1af42970af72a15842571beb13cd0d740b0600e1aa2fd  xsa348-4.13-3.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAl/YqEoMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZHysH/RUkeyzKbsafoC4gOpdTKsbCOkR6U609yR5Gpv0G
JjoeMculUV+4q4aEJVm+FoXpK2H526akTA9iZnfhxZH224/nJ/MuK8IYdCCUxAPH
GTBa64RMTcl9lwHUZUOOWNFbEwTy7CiLBh+ccAi+o8BJGBDcXYFOtD5CerD08wFI
HJ/OKa4a36q6YDbG5ESvPK+9KL7e/VM+4BUCtvrlQFMV/4zSiBh9rKLlJEa975zB
NC4dZ6ZsM/uRV8s39WQ1ihz2ylAB0Ol/uemYCMWKZRscXxolKJdoWN5F5kpygj3n
ETmwpMQSwDcG+yhIBMbJ3CnCguQzEIVyWs8Z7wPcFMZk9QQ=
=UJMI
-----END PGP SIGNATURE-----

Xenproject.org Security Team