Xen.org security team
2018-11-20 13:30:49 UTC
Fix for XSA-240 conflicts with shadow paging
UPDATES IN VERSION 2
The fix for XSA-240 introduced a new field into the control structure
associated with each page of RAM. This field was added to a union,
another member of which is used when Xen uses shadow paging for the
guest. During migration, or with the L1TF (XSA-273) mitigation for
PV guests in effect, the two uses conflict.
A malicious or buggy x86 PV guest may cause Xen to crash, resulting in
a DoS (Denial of Service) affecting the entire host. Privilege
escalation as well as information leaks cannot be ruled out.
All Xen versions from at least 3.2 onwards are vulnerable. Earlier
versions have not been checked.
Only x86 systems are affected. ARM systems are not affected.
Only Xen versions with the XSA-240 fixes applied are vulnerable.
Only Xen versions which permit linear page table use by PV guests are
Only x86 PV guests can leverage this vulnerability. x86 HVM guests
cannot leverage this vulnerability.
Not permitting linear page table use by PV guests avoids the
vulnerability. This can be done both at build time, by turning off the
PV_LINEAR_PT configure option, or at runtime, by passing specifying
"pv-linear-pt=0" on the hypervisor command line.
On systems where the guest kernel is controlled by the host rather than
guest administrator, running only kernels which have themselves been
hardened against L1TF _and_ avoiding live migrating or snapshotting PV
guests will generally prevent this issue being triggered. However
untrusted guest administrators can still trigger it unless further
steps are taken to prevent them from loading code into the kernel
(e.g. by disabling loadable modules etc) or from using other
mechanisms which allow them to run code at kernel privilege.
Running only HVM guests will avoid this vulnerability.
This issue was discovered by the security team of Prgmr.com.
Applying the appropriate pair of attached patches resolves this issue.
xsa280-1.patch + xsa280-4.11-2.patch Xen 4.11.x
xsa280-1.patch + xsa280-4.10-2.patch Xen 4.10.x
xsa280-4.9-1.patch + xsa280-4.10-2.patch Xen 4.9.x, Xen 4.8.x
xsa280-4.9-1.patch + xsa280-4.7-2.patch Xen 4.7.x
$ sha256sum xsa280*
DEPLOYMENT DURING EMBARGO
Deployment of the patches and/or mitigations described above (or
others which are substantially similar) EXCEPT the linear page table
disabling one is permitted during the embargo, even on public-facing
systems with untrusted guest users and administrators.
However deployment of the linear page table disabling mitigation is NOT
PERMITTED (except where all the affected systems and VMs are
administered and used only by organisations which are members of the
Xen Project Security Issues Predisclosure List). Specifically,
deployment on public cloud systems is NOT permitted.
This is because altering the set of features usable in a guest in
connection with a security issue would be a user-visible change which
could lead to the rediscovery of the vulnerability.
Also: Distribution of updated software is prohibited (except to other
members of the predisclosure list).
Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)
For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy: