Bug 1652235 (CVE-2018-19966, XSA-280) - CVE-2018-19966 xsa280 xen: Conflicts with shadow paging due to XSA-240 incomplete fix (XSA-280)
Summary: CVE-2018-19966 xsa280 xen: Conflicts with shadow paging due to XSA-240 incomp...
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2018-19966, XSA-280
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1652251
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-11-21 18:05 UTC by Pedro Sampaio
Modified: 2019-09-29 15:03 UTC (History)
12 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-10 10:43:11 UTC


Attachments (Terms of Use)

Description Pedro Sampaio 2018-11-21 18:05:31 UTC
ISSUE DESCRIPTION
=================

The fix for XSA-240 introduced a new field into the control structure
associated with each page of RAM.  This field was added to a union,
another member of which is used when Xen uses shadow paging for the
guest.  During migration, or with the L1TF (XSA-273) mitigation for
PV guests in effect, the two uses conflict.

IMPACT
======

A malicious or buggy x86 PV guest may cause Xen to crash, resulting in
a DoS (Denial of Service) affecting the entire host.  Privilege
escalation as well as information leaks cannot be ruled out.

VULNERABLE SYSTEMS
==================

All Xen versions from at least 3.2 onwards are vulnerable.  Earlier
versions have not been checked.

Only x86 systems are affected.  ARM systems are not affected.

Only Xen versions with the XSA-240 fixes applied are vulnerable.

Only Xen versions which permit linear page table use by PV guests are
vulnerable.

Only x86 PV guests can leverage this vulnerability.  x86 HVM guests
cannot leverage this vulnerability.

MITIGATION
==========

Not permitting linear page table use by PV guests avoids the
vulnerability.  This can be done both at build time, by turning off the
PV_LINEAR_PT configure option, or at runtime, by passing specifying
"pv-linear-pt=0" on the hypervisor command line.

On systems where the guest kernel is controlled by the host rather than
guest administrator, running only kernels which have themselves been
hardened against L1TF _and_ avoiding live migrating or snapshotting PV
guests will generally prevent this issue being triggered.  However
untrusted guest administrators can still trigger it unless further
steps are taken to prevent them from loading code into the kernel
(e.g. by disabling loadable modules etc) or from using other
mechanisms which allow them to run code at kernel privilege.

Running only HVM guests will avoid this vulnerability.

References:

https://xenbits.xen.org/xsa/advisory-280.html

Comment 1 Pedro Sampaio 2018-11-21 18:05:33 UTC
Acknowledgments:

Name: the Xen project
Upstream: Prgmr.com security team

Comment 2 Pedro Sampaio 2018-11-21 18:11:43 UTC
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1652251]


Note You need to log in before you can comment on or make changes to this bug.