Xen Security Advisory 327 v3 (CVE-2020-15564) - Missing alignment check in VCPUOP_register_vcpu_info
From: Xen.org security team @ 2020-07-07 12:23 UTC (permalink / raw)
  To: xen-announce, xen-devel, xen-users, oss-security; +Cc: Xen.org security team



            Xen Security Advisory CVE-2020-15564 / XSA-327
                               version 3

         Missing alignment check in VCPUOP_register_vcpu_info

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

The hypercall VCPUOP_register_vcpu_info is used by a guest to register
a shared region with the hypervisor. The region is mapped into the Xen
address space so that the hypervisor can access it directly.

On Arm, the region is accessed with instructions which require a specific
alignment. Unfortunately, there is no check that the address provided by
the guest is correctly aligned.

As a result, a malicious guest could cause a hypervisor crash by passing
a misaligned address.
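The missing check, and the one the attached xsa327.patch adds to map_vcpu_info(), modelled as an added stand-alone C example that is not Xen's code; the two struct layouts, PAGE_SIZE and the names check_offset_old/check_offset_fixed are assumptions chosen for illustration:

```c
/* Added example, not Xen code: models the offset validation done by
 * map_vcpu_info() before and after XSA-327 (see xsa327.patch). The two
 * structs are simplified stand-ins for Xen's vcpu_info_t and its 32-bit
 * compat layout; their 8- and 4-byte alignments are assumed for illustration. */
#include <errno.h>
#include <stdalign.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE 4096u

/* 64-bit layout: the uint64_t field (updated atomically in Xen) needs 8-byte
 * natural alignment; alignas(8) pins it so the example is ABI-independent.
 * The compat layout needs only 4 bytes. */
typedef struct { alignas(8) uint8_t pending; uint8_t pad[7]; uint64_t evtchn_pending_sel; } vcpu_info_t;
typedef struct { alignas(4) uint8_t pending; uint8_t pad[3]; uint32_t evtchn_pending_sel; } vcpu_info_compat_t;

/* Pre-XSA-327: only checks that the structure fits in the rest of the page,
 * so a misaligned offset such as 1 is accepted and later faults on Arm. */
int check_offset_old(unsigned offset)
{
    if (offset > (PAGE_SIZE - sizeof(vcpu_info_t)))
        return -EINVAL;
    return 0;
}

/* Post-XSA-327: the fit check plus a natural-alignment check.
 * alignof() is a power of two, so (align - 1) is a valid bit mask. */
int check_offset_fixed(unsigned offset, int has_32bit_shinfo)
{
    unsigned align = has_32bit_shinfo ? alignof(vcpu_info_compat_t)
                                      : alignof(vcpu_info_t);
    if (offset > (PAGE_SIZE - sizeof(vcpu_info_t)))
        return -EINVAL;
    if (offset & (align - 1))
        return -EINVAL;
    return 0;
}

int main(void)
{
    unsigned offsets[] = { 0, 1, 4, 8, PAGE_SIZE - 16, PAGE_SIZE - 15 };
    for (unsigned i = 0; i < sizeof offsets / sizeof offsets[0]; i++)
        printf("offset %4u: old=%d fixed64=%d compat=%d\n", offsets[i],
               check_offset_old(offsets[i]), check_offset_fixed(offsets[i], 0),
               check_offset_fixed(offsets[i], 1));
    return 0;
}
```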

IMPACT
======

A malicious guest administrator may cause a hypervisor crash, resulting in a
Denial of Service (DoS).

VULNERABLE SYSTEMS
==================

All Xen versions are vulnerable.

Only Arm systems are vulnerable.  x86 systems are not affected.

MITIGATION
==========

There is no mitigation.

CREDITS
=======

This issue was discovered by Julien Grall of Amazon.

RESOLUTION
==========

Applying the attached patch resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa327.patch           Xen 4.9 - xen-unstable

$ sha256sum xsa327*
f046eefcc1368708bd1fafc88e063d3dbc5c4cdb593d68b3b04917c6cdb7bcb5  xsa327.meta
1d057695d5b74ce2857204103e943caeaf773bc4fb9d91ea78016e01a9147ed7  xsa327.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patch and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decision-making.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html

[-- Attachment #2: xsa327.meta --]
[-- Type: application/octet-stream, Size: 1991 bytes --]

{
  "XSA": 327,
  "SupportedVersions": [
    "master",
    "4.13",
    "4.12",
    "4.11",
    "4.10",
    "4.9"
  ],
  "Trees": [
    "xen"
  ],
  "Recipes": {
    "4.10": {
      "Recipes": {
        "xen": {
          "StableRef": "fd6e49ecae03840610fdc6a416a638590c0b6535",
          "Prereqs": [
            317,
            319,
            328,
            321
          ],
          "Patches": [
            "xsa327.patch"
          ]
        }
      }
    },
    "4.11": {
      "Recipes": {
        "xen": {
          "StableRef": "2b77729888fb851ab96e7f77bc854122626b4861",
          "Prereqs": [
            317,
            319,
            328,
            321
          ],
          "Patches": [
            "xsa327.patch"
          ]
        }
      }
    },
    "4.12": {
      "Recipes": {
        "xen": {
          "StableRef": "050fe48dc981e0488de1f6c6c07d8110f3b7523b",
          "Prereqs": [
            317,
            319,
            328,
            321
          ],
          "Patches": [
            "xsa327.patch"
          ]
        }
      }
    },
    "4.13": {
      "Recipes": {
        "xen": {
          "StableRef": "9f7e8bac4ca279b3bfccb5f3730fb2e5398c95ab",
          "Prereqs": [
            317,
            319,
            328,
            321
          ],
          "Patches": [
            "xsa327.patch"
          ]
        }
      }
    },
    "4.9": {
      "Recipes": {
        "xen": {
          "StableRef": "6e477c2ea4d5c26a7a7b2f850166aa79edc5225c",
          "Prereqs": [
            319,
            328,
            321
          ],
          "Patches": [
            "xsa327.patch"
          ]
        }
      }
    },
    "master": {
      "Recipes": {
        "xen": {
          "StableRef": "e4d2207165b379ec13c8b512936f63982af62d13",
          "Prereqs": [
            317,
            319,
            328,
            321
          ],
          "Patches": [
            "xsa327.patch"
          ]
        }
      }
    }
  }
}

[-- Attachment #3: xsa327.patch --]
[-- Type: application/octet-stream, Size: 2064 bytes --]

From 030300ebbb86c40c12db038714479d746167c767 Mon Sep 17 00:00:00 2001
From: Julien Grall <jgrall@amazon.com>
Date: Tue, 26 May 2020 18:31:33 +0100
Subject: [PATCH] xen: Check the alignment of the offset passed via
 VCPUOP_register_vcpu_info

Currently a guest is able to register any guest physical address to use
for the vcpu_info structure as long as the structure can fit in the
rest of the frame.

This means a guest can provide an address that is not aligned to the
natural alignment of the structure.

On Arm 32-bit, unaligned accesses are completely forbidden by the
hypervisor. This will result in a data abort, which is fatal.

On Arm 64-bit, unaligned accesses are only forbidden when used for atomic
access. As the structure contains fields (such as evtchn_pending_self)
that are updated using atomic operations, any unaligned access will be
fatal as well.

While the misalignment is only fatal on Arm, a generic check is added
as an x86 guest shouldn't sensibly pass an unaligned address (this
would result in a split lock).

This is XSA-327.

Reported-by: Julien Grall <jgrall@amazon.com>
Signed-off-by: Julien Grall <jgrall@amazon.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
---
 xen/common/domain.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/xen/common/domain.c b/xen/common/domain.c
index 7cc9526139a6..e9be05f1d05f 100644
--- a/xen/common/domain.c
+++ b/xen/common/domain.c
@@ -1227,10 +1227,20 @@ int map_vcpu_info(struct vcpu *v, unsigned long gfn, unsigned offset)
     void *mapping;
     vcpu_info_t *new_info;
     struct page_info *page;
+    unsigned int align;
 
     if ( offset > (PAGE_SIZE - sizeof(vcpu_info_t)) )
         return -EINVAL;
 
+#ifdef CONFIG_COMPAT
+    if ( has_32bit_shinfo(d) )
+        align = alignof(new_info->compat);
+    else
+#endif
+        align = alignof(*new_info);
+    if ( offset & (align - 1) )
+        return -EINVAL;
+
     if ( !mfn_eq(v->vcpu_info_mfn, INVALID_MFN) )
         return -EINVAL;
 
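Review bot: the new `if ( offset & (align - 1) )` check carries no comment, so the reason a misaligned offset is rejected (the commit message's point that fields such as evtchn_pending_self are updated atomically and unaligned atomics fault on Arm) is invisible at the check itself; a one-line comment above it, e.g. `/* vcpu_info is accessed atomically: reject offsets not naturally aligned */`, would save the next reader a trip to the git log. Two smaller points: `has_32bit_shinfo(d)` relies on `d`, whose declaration is outside the visible context (the signature only takes `v`), so confirm `d` is already defined earlier in map_vcpu_info(); and the `else` that dangles across `#endif` is correct but fragile, so computing `align` in a small static helper with its own `#ifdef CONFIG_COMPAT` block would make the compat split easier to read.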
-- 
2.17.1

