Bug 1851475 (CVE-2020-15565)

Summary: CVE-2020-15565 xen: insufficient cache write-back under VT-d leads to DoS (XSA-321)
Product: [Other] Security Response
Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: acaringi, ailan, bhu, bmasney, brdeoliv, dhoward, drjones, dvlasenk, fhrbata, hkrzesin, imammedo, jforbes, jshortt, jstancek, knoel, m.a.young, mrezanin, nmurray, pbonzini, ptalbert, robinlee.sysu, rvrbovsk, security-response-team, vkuznets, xen-maint
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Xen, in the page table sharing between the IOMMU and CPU. This flaw allows a malicious guest user to access sensitive information pertaining to other guests or to crash the host, resulting in a denial of service and privilege escalation. The highest threat from this vulnerability is to system availability.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-07-07 19:30:06 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1854467
Bug Blocks: 1851487

Description Dhananjay Arunesh 2020-06-26 16:40:47 UTC
A vulnerability was found in Xen, where a malicious guest may be able to access sensitive information pertaining to other guests. Host crashes (leading to a Denial of Service) and privilege escalation cannot be ruled out.

Comment 1 Mauro Matteo Cascella 2020-07-01 15:49:19 UTC
Acknowledgments:

Name: the Xen project

Comment 2 Mauro Matteo Cascella 2020-07-06 14:58:00 UTC
Statement:

Only x86 HVM guests using hardware assisted paging (HAP), having a passed through PCI device assigned, and having page table sharing enabled can leverage the vulnerability. Note that page table sharing is enabled (by default) only if Xen considers IOMMU and CPU large page size support compatible. x86 AMD as well as ARM systems are not affected by this flaw.

Comment 3 Mauro Matteo Cascella 2020-07-06 14:58:03 UTC
Mitigation:

- Suppress the use of page table sharing (command line option `iommu=no-sharept`). Note however that as of Xen version 4.13 there is also a respective per-guest control (`passthrough=` libxl guest config file option). If any guests have been created with an explicit setting, this setting may conflict with the addition of the `iommu=no-sharept` Xen command line option.

- Suppress the use of large HAP pages (command line options `hap_2mb=no` and `hap_1gb=no`).

- Avoid pass-through of PCI devices to HVM guests.
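
The following is an added example, not part of the original bug comments or of Xen: a Python check that classifies one guest against the Statement and Mitigation comments, given the Xen command line and the guest's xl config text. The function names and sample inputs are constructed, the `share_pt` and `sync_pt` values for `passthrough=` come from the xl.cfg documentation rather than this page, and the check assumes an affected (non-AMD x86) host on which Xen enabled page table sharing unless it was suppressed.

```python
import re

FALSE = {"no", "off", "false", "0"}  # only these boolean spellings are recognised here

def host_mitigations(cmdline):
    """Host-wide mitigations found on the Xen command line (later tokens win)."""
    no_sharept, large = False, {"hap_2mb": True, "hap_1gb": True}
    for tok in cmdline.split():
        key, _, val = tok.partition("=")
        if key == "iommu":
            for opt in val.split(","):
                if opt in ("no-sharept", "sharept"):
                    no_sharept = opt == "no-sharept"
        elif key in large:
            large[key] = val.lower() not in FALSE
    # Both large-page sizes must be off for the second mitigation to count.
    return {"no_sharept": no_sharept, "no_large_hap": not any(large.values())}

def guest_settings(cfg_text):
    """Read the relevant single-line 'key = value' settings from an xl guest config."""
    kv = dict(re.findall(r"^[ \t]*(\w+)[ \t]*=[ \t]*(.+?)[ \t]*$", cfg_text, re.M))
    def unq(key, default=""):
        return kv.get(key, default).strip("'\"").lower()
    hvm = "hvm" in (unq("type"), unq("builder"))
    has_pci = bool(re.search(r"\[\s*['\"]", kv.get("pci", "")))
    hap_on = unq("hap", "1") not in FALSE  # assumption: HAP is on unless disabled
    return {"in_scope": hvm and has_pci and hap_on, "passthrough": unq("passthrough")}

def assess(cmdline, cfg_text):
    """Classify one guest against the Statement and Mitigation comments."""
    host, guest = host_mitigations(cmdline), guest_settings(cfg_text)
    if not guest["in_scope"]:
        return "out of scope"
    if host["no_sharept"] and guest["passthrough"] == "share_pt":
        return "conflict"  # explicit guest setting vs. iommu=no-sharept
    if host["no_large_hap"] or host["no_sharept"] or guest["passthrough"] == "sync_pt":
        return "mitigated"
    return "exposed"  # assumes Xen enabled page table sharing on this host

# Constructed sample guest config (not from the bug report).
GUEST = '''type = "hvm"
pci = [ "0000:03:00.0" ]
'''

if __name__ == "__main__":
    for cl in ("dom0_mem=4096M", "iommu=no-sharept", "hap_2mb=no hap_1gb=no"):
        print(f"{cl!r}: {assess(cl, GUEST)}")
```

A "conflict" result marks the case the mitigation comment warns about, where a guest created with an explicit `passthrough=` setting meets a host booted with `iommu=no-sharept`.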

Comment 4 Mauro Matteo Cascella 2020-07-07 14:03:55 UTC
External References:

https://xenbits.xen.org/xsa/advisory-321.html

Comment 5 Mauro Matteo Cascella 2020-07-07 14:05:10 UTC
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1854467]

Comment 6 Product Security DevOps Team 2020-07-07 19:30:06 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-15565