* Xen Security Advisory 364 v3 (CVE-2021-26933) - arm: The cache may not be cleaned for newly allocated scrubbed pages
@ 2021-02-16 12:35 Xen.org security team
0 siblings, 0 replies; only message in thread
From: Xen.org security team @ 2021-02-16 12:35 UTC (permalink / raw)
To: xen-announce, xen-devel, xen-users, oss-security; +Cc: Xen.org security team
[-- Attachment #1: Type: text/plain, Size: 3119 bytes --]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Xen Security Advisory CVE-2021-26933 / XSA-364
version 3
arm: The cache may not be cleaned for newly allocated scrubbed pages
UPDATES IN VERSION 3
====================
Public release.
ISSUE DESCRIPTION
=================
On Arm, a guest is allowed to control whether memory access bypass the
cache. This means that Xen needs to ensure that all writes (such as
the ones during scrubbing) have reached memory before handing over the
page to a guest.
Unfortunately the operation to clean the cache happens before checking
if the page was scrubbed. Therefore there is no guarantee when all
the writes will reach the memory.
IMPACT
======
A malicious guest may be able to read sensitive data from memory that
previously belonged to another guest.
VULNERABLE SYSTEMS
==================
Xen version 4.9 onwards are vulnerable. Only Arm systems are vulnerable.
MITIGATION
==========
There is no known mitigation.
CREDITS
=======
This issue was discovered by Julien Grall of Amazon.
RESOLUTION
==========
Applying the appropriate attached patch resolves this issue.
Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball. Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.
xsa364.patch xen-unstable - 4.11
$ sha256sum xsa364*
c9dcb3052bb6ca4001e02b3ad889c70b4eebf1931bef83dfb7de86452851f3c8 xsa364.meta
dc313c70bb07b4096bbc4612cbbc180589923277411dede2fda37f04ecc846d6 xsa364.patch
$
DEPLOYMENT DURING EMBARGO
=========================
Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.
But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).
Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.
(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)
For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmAru/UMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZT0UH/0Lzw4sShqmyO06n0HWcXyzXKx7Qh67tjBglmB0D
XHKrlTKR0Cs1S2NR3GCSZCSPNKXcXU689qEXlvK07EpheO/xCUgpZNkt/Eab/JFK
NngYbuev1z6+bGeCi70b6RItCXoWiwDWEJqLlLKROwBXMZaodwgjY7/o3GR2D8ZV
Qyz2EcAdJUIYmMsLC3hJ7gTLXvdySp+0lZ9oO6qe4YYQ3CIwPJnlflWFTzcASfML
D9lMVG6u6ratiqt4N1egE0gxBe3/QP8KoptSqiV+MDdwPnsK009g/G+0Ea430ZEh
lviVSgCxhdELx2Tv+Q7qSSbnfMSdnibSHAxipcbyhvjiEJU=
=mHyv
-----END PGP SIGNATURE-----
[-- Attachment #2: xsa364.meta --]
[-- Type: application/octet-stream, Size: 1302 bytes --]
{
"XSA": 364,
"SupportedVersions": [
"master",
"4.14",
"4.13",
"4.12",
"4.11"
],
"Trees": [
"xen"
],
"Recipes": {
"4.11": {
"Recipes": {
"xen": {
"StableRef": "310ab79875cb705cc2c7daddff412b5a4899f8c9",
"Prereqs": [],
"Patches": [
"xsa364.patch"
]
}
}
},
"4.12": {
"Recipes": {
"xen": {
"StableRef": "cce7cbd986c122a86582ff3775b6b559d877407c",
"Prereqs": [],
"Patches": [
"xsa364.patch"
]
}
}
},
"4.13": {
"Recipes": {
"xen": {
"StableRef": "e4161938b315f3b9c6a13ade30d16c11504a2d16",
"Prereqs": [],
"Patches": [
"xsa364.patch"
]
}
}
},
"4.14": {
"Recipes": {
"xen": {
"StableRef": "4170218cb96546426664e5c1d00c5a848a26ae9e",
"Prereqs": [],
"Patches": [
"xsa364.patch"
]
}
}
},
"master": {
"Recipes": {
"xen": {
"StableRef": "5e7aa904405fa2f268c3af213516bae271de3265",
"Prereqs": [],
"Patches": [
"xsa364.patch"
]
}
}
}
}
}
[-- Attachment #3: xsa364.patch --]
[-- Type: application/octet-stream, Size: 2493 bytes --]
From dadb5b4b21c904ce59024c686eb1c55be8f46c52 Mon Sep 17 00:00:00 2001
From: Julien Grall <jgrall@amazon.com>
Date: Thu, 21 Jan 2021 10:16:08 +0000
Subject: [PATCH] xen/page_alloc: Only flush the page to RAM once we know they
are scrubbed
At the moment, each page are flushed to RAM just after the allocator
found some free pages. However, this is happening before check if the
page was scrubbed.
As a consequence, on Arm, a guest may be able to access the old content
of the scrubbed pages if it has cache disabled (default at boot) and
the content didn't reach the Point of Coherency.
The flush is now moved after we know the content of the page will not
change. This also has the benefit to reduce the amount of work happening
with the heap_lock held.
This is XSA-364.
Fixes: 307c3be3ccb2 ("mm: Don't scrub pages while holding heap lock in alloc_heap_pages()")
Signed-off-by: Julien Grall <jgrall@amazon.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
---
xen/common/page_alloc.c | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/xen/common/page_alloc.c b/xen/common/page_alloc.c
index 02ac1fa613e7..1744e6faa5c4 100644
--- a/xen/common/page_alloc.c
+++ b/xen/common/page_alloc.c
@@ -924,6 +924,7 @@ static struct page_info *alloc_heap_pages(
bool need_tlbflush = false;
uint32_t tlbflush_timestamp = 0;
unsigned int dirty_cnt = 0;
+ mfn_t mfn;
/* Make sure there are enough bits in memflags for nodeID. */
BUILD_BUG_ON((_MEMF_bits - _MEMF_node) < (8 * sizeof(nodeid_t)));
@@ -1022,11 +1023,6 @@ static struct page_info *alloc_heap_pages(
pg[i].u.inuse.type_info = 0;
page_set_owner(&pg[i], NULL);
- /* Ensure cache and RAM are consistent for platforms where the
- * guest can control its own visibility of/through the cache.
- */
- flush_page_to_ram(mfn_x(page_to_mfn(&pg[i])),
- !(memflags & MEMF_no_icache_flush));
}
spin_unlock(&heap_lock);
@@ -1062,6 +1058,14 @@ static struct page_info *alloc_heap_pages(
if ( need_tlbflush )
filtered_flush_tlb_mask(tlbflush_timestamp);
+ /*
+ * Ensure cache and RAM are consistent for platforms where the guest
+ * can control its own visibility of/through the cache.
+ */
+ mfn = page_to_mfn(pg);
+ for ( i = 0; i < (1U << order); i++ )
+ flush_page_to_ram(mfn_x(mfn) + i, !(memflags & MEMF_no_icache_flush));
+
return pg;
}
--
2.17.1
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2021-02-16 12:36 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-02-16 12:35 Xen Security Advisory 364 v3 (CVE-2021-26933) - arm: The cache may not be cleaned for newly allocated scrubbed pages Xen.org security team
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.