Xen Security Advisory CVE-2024-45819 / XSA-464
version 2

libxl leaks data to PVH guests via ACPI tables

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

PVH guests have their ACPI tables constructed by the toolstack. The
construction involves building the tables in local memory, which are then
copied into guest memory. While actually used parts of the local memory
are filled in correctly, excess space that is being allocated is left with
its prior contents.

IMPACT
======

An unprivileged guest may be able to access sensitive information
pertaining to the host, control domain, or other guests.

VULNERABLE SYSTEMS
==================

Xen versions 4.8 and onwards are vulnerable. Xen 4.7 and older are not
vulnerable.

Only x86 systems running PVH guests are vulnerable. Architectures other
than x86 are not vulnerable.

Only PVH guests can leverage the vulnerability. HVM and PV guests cannot
leverage the vulnerability. Note that PV guests when run inside the (PVH)
shim can't leverage the vulnerability.

MITIGATION
==========

Running only PV or HVM guests will avoid this vulnerability.

CREDITS
=======

This issue was discovered by Jason Andryuk of AMD.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball. Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa464.patch           xen-unstable - Xen 4.16.x

$ sha256sum xsa464*
16bca39d6136141e030276f588f1e77f634fce8301b42fb0848ddf2b611d835a  xsa464.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decision-making.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:

http://www.xenproject.org/security-policy.html
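The build-then-copy pattern the issue description refers to, as an added C model that is not libxl's code nor the XSA-464 patch itself (the names `mem_alloc`, `build_and_copy`, `STALE_BYTE` and all sizes are constructed for illustration): a bump allocator hands out aligned slots from a scratch buffer, the builder fills only the payload, and the whole buffer is copied to the guest. The hardened variant zeroes each full allocation so the slack no longer carries prior contents.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed model of the XSA-464 pattern (not libxl's own code): tables are
 * built in a local scratch buffer that is then copied whole into guest memory.
 * Bytes actually written are correct; each allocation's slack keeps old data. */
#define SCRATCH_SIZE 64
#define TABLE_ALIGN  16     /* tables are placed at aligned offsets */
#define STALE_BYTE   0xA5   /* stands in for leftover sensitive host data */
static uint8_t scratch[SCRATCH_SIZE];   /* local build area */
static uint8_t guest[SCRATCH_SIZE];     /* models guest-visible memory */
static size_t  scratch_used;
/* Bump allocator over the scratch buffer. The hardened variant clears the
 * whole rounded-up allocation, not only the bytes the caller will write. */
static void *mem_alloc(size_t size, int hardened)
{
    size_t aligned = (size + TABLE_ALIGN - 1) & ~(size_t)(TABLE_ALIGN - 1);
    if (scratch_used + aligned > SCRATCH_SIZE)
        return NULL;
    void *p = scratch + scratch_used;
    scratch_used += aligned;
    if (hardened)
        memset(p, 0, aligned);
    return p;
}
/* Build one fake table whose payload is shorter than its allocation, copy the
 * build area to the guest, and return how many stale bytes became visible
 * there: 7 of the 16-byte allocation when unhardened, 0 when hardened. */
size_t build_and_copy(int hardened)
{
    static const char payload[] = "FACPfake";    /* 9 bytes including NUL */
    memset(scratch, STALE_BYTE, sizeof scratch); /* prior buffer contents */
    scratch_used = 0;
    uint8_t *tbl = mem_alloc(sizeof payload, hardened);
    if (!tbl)
        return (size_t)-1;
    memcpy(tbl, payload, sizeof payload);        /* only the used part */
    memcpy(guest, scratch, scratch_used);        /* whole allocation copied */
    size_t leaked = 0;
    for (size_t i = 0; i < scratch_used; i++)
        if (guest[i] == STALE_BYTE)
            leaked++;
    return leaked;
}
int main(void)
{
    printf("unhardened: %zu stale bytes reach the guest\n", build_and_copy(0));
    printf("hardened:   %zu stale bytes reach the guest\n", build_and_copy(1));
    return 0;
}
```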