Bug 1647573 (CVE-2018-19961, CVE-2018-19962)

Summary: CVE-2018-19961 CVE-2018-19962 xen: insufficient TLB flushing / improper large page mappings with AMD IOMMUs
Product: [Other] Security Response Reporter: Laura Pardo <lpardo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: ailan, anemec, dhoward, drjones, dvlasenk, fhrbata, imammedo, jen, jforbes, jstancek, knoel, m.a.young, mrezanin, nmurray, pbonzini, plougher, rkrcmar, robinlee.sysu, rvrbovsk, security-response-team, vkuznets, xen-maint
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-11-08 16:23:08 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1651665    
Bug Blocks: 1647577    

Description Laura Pardo 2018-11-07 19:59:54 UTC
A flaw was found in xen. In order to be certain that no undue access to memory is possible anymore after IOMMU mappings of this memory have been removed, Translation Lookaside Buffers (TLBs) need to be flushed after most changes to such mappings. Xen bypassed certain IOMMU flushes on AMD
x86 hardware. Furthermore logic exists Xen to re-combine small page mappings into larger ones. Such re-combination could have occured in cases when it was not really safe/correct to do so.

Comment 1 Andrej Nemec 2018-11-20 14:11:40 UTC
References:

https://seclists.org/oss-sec/2018/q4/154

Comment 2 Andrej Nemec 2018-11-20 14:11:52 UTC
Acknowledgments:

Name: the Xen project

Comment 3 Andrej Nemec 2018-11-20 14:13:07 UTC
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1651665]