Information

AdvisoryXSA-388
Public release 2021-11-23 12:00
Updated 2021-11-23 12:10
Version 3
CVE(s) CVE-2021-28704 CVE-2021-28707 CVE-2021-28708
Title PoD operations on misaligned GFNs

Files

advisory-388.txt (signed advisory file)
xsa388-1.patch
xsa388-2.patch
xsa388-4.14-1.patch
xsa388-4.14-2.patch
xsa388-4.15-1.patch
xsa388-4.15-2.patch

Advisory


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

 Xen Security Advisory CVE-2021-28704,CVE-2021-28707,CVE-2021-28708 / XSA-388
                                   version 3

                   PoD operations on misaligned GFNs

UPDATES IN VERSION 3
====================

Correct affected versions range.

Add CVE numbers to patches.

Public release.

ISSUE DESCRIPTION
=================

x86 HVM and PVH guests may be started in populate-on-demand (PoD) mode,
to provide a way for them to later easily have more memory assigned.

Guests are permitted to control certain P2M aspects of individual
pages via hypercalls.  These hypercalls may act on ranges of pages
specified via page orders (resulting in a power-of-2 number of pages).
The implementation of some of these hypercalls for PoD does not
enforce the base page frame number to be suitably aligned for the
specified order, yet some code involved in PoD handling actually makes
such an assumption.

These operations are XENMEM_decrease_reservation (CVE-2021-28704) and
XENMEM_populate_physmap (CVE-2021-28707), the latter usable only by
domains controlling the guest, i.e. a de-privileged qemu or a stub
domain.  (Patch 1, combining the fix to both these two issues.)

In addition handling of XENMEM_decrease_reservation can also trigger a
host crash when the specified page order is neither 4k nor 2M nor 1G
(CVE-2021-28708, patch 2).

IMPACT
======

Malicious or buggy guest kernels may be able to mount a Denial of
Service (DoS) attack affecting the entire system.  Privilege escalation
and information leaks cannot be ruled out.

VULNERABLE SYSTEMS
==================

All Xen versions from 4.7 onwards are affected.  Xen versions 4.6 and
older are not affected.

Only x86 HVM and PVH guests started in populate-on-demand mode can
leverage the vulnerability.  Populate-on-demand mode is activated
when the guest's xl configuration file specifies a "maxmem" value which
is larger than the "memory" value.

MITIGATION
==========

Not starting x86 HVM or PVH guests in populate-on-demand mode will avoid
the vulnerability.

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

Applying the appropriate pair if attached patches resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa388-?.patch           xen-unstable
xsa388-4.15-?.patch      Xen 4.15.x
xsa388-4.14-?.patch      Xen 4.14.x - 4.12.x

$ sha256sum xsa388*
43f6647e9f7d28d22eeb98680e116b301b0e29ef63ea65c9839a5aaebd449bc4  xsa388-1.patch
64b27a8c7c02036528e00a3070e27e873762d68f4ea1504e906aaf2ddc1c06be  xsa388-2.patch
6917267482101a3f8f1d13905e14994344a0af81370c7a2b92275fb176b321a0  xsa388-4.14-1.patch
d5886e046c69f34f98f7e1fc6ffcc36d92f8fc79242b9dc88412c39aa79b4ac3  xsa388-4.14-2.patch
fbe6af409447edc2318940d7c4bc0861a236d40db037166608fc09fa57ef54b1  xsa388-4.15-1.patch
c828d735aaa3f430ccef314bf27519cd6a5f4daaa79e1c493dc47e42ab09ec9f  xsa388-4.15-2.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches described above (or others which are
substantially similar) is permitted during the embargo, even on public-
facing systems with untrusted guest users and administrators.

HOWEVER, deployment of the mitigation described above is NOT permitted
during the embargo on public-facing systems with untrusted guest users
and administrators.  This is because such a configuration change is
recognizable by the affected guests.

AND: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmGc2jkMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZROMIALJsptV0nV8H5/nCLUWld3mKjAeb/+N20ul9NEwn
rUwIGGGzyrKZQdAljno+9y9o5pM8+BC+aTBwYhmxEWsHm1kodTD+YnJYf8uNW/CW
uhTJp/ZB5EsWhTFHF7YoKbPG0on4KIsy0TgoUug7bv+l2zEny9gfknsj8jdp3qCy
aFv1Bb2PzRh462qVHI3f27Ee8bn7GfErouuLppmDpCva19D3bhUXQ5PhxFB+oqsI
bww4VKUo0nxZftYhpbInWm34dajEIXK7jy5Z/CUPgCj2sTOHHBv7+5JJdw0umn/A
lJ2Ta1u03sdC9JWbat4qjvdVgK9L9vT+jWsfcwk02qq+XSU=
=uSRt
-----END PGP SIGNATURE-----


Xenproject.org Security Team