Bug 1176341 (CVE-2020-25598) - VUL-0: CVE-2020-25598: xen: Missing unlock in XENMEM_acquire_resource error path (XSA-334 v3)
Summary: VUL-0: CVE-2020-25598: xen: Missing unlock in XENMEM_acquire_resource error p...
Status: RESOLVED FIXED
Alias: CVE-2020-25598
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/266939/
Whiteboard: CVSSv3.1:SUSE:CVE-2020-25598:6.5:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2020-09-09 14:47 UTC by Marcus Meissner
Modified: 2021-09-06 14:54 UTC (History)
3 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
xsa334.patch (1.91 KB, patch)
2020-09-09 14:52 UTC, Marcus Meissner
Details | Diff
xsa334-4.12.patch (2.22 KB, patch)
2020-09-09 14:54 UTC, Marcus Meissner
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Marcus Meissner 2020-09-09 14:52:30 UTC
Created attachment 841520 [details]
xsa334.patch

xsa334.patch
Comment 2 Marcus Meissner 2020-09-09 14:54:26 UTC
Created attachment 841521 [details]
xsa334-4.12.patch

xsa334-4.12.patch
Comment 5 Wolfgang Frisch 2020-09-22 13:46:41 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2020-25598 / XSA-334
                               version 3

         Missing unlock in XENMEM_acquire_resource error path

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

The RCU (Read, Copy, Update) mechanism is a synchronisation primitive.

A buggy error path in the XENMEM_acquire_resource exits without
releasing an RCU reference, which is conceptually similar to forgetting
to unlock a spinlock.

IMPACT
======

A buggy or malicious HVM stubdomain can cause an RCU reference to be
leaked.  This causes subsequent administration operations, (e.g. CPU
offline) to livelock, resulting in a host Denial of Service.

VULNERABLE SYSTEMS
==================

The buggy codepath has been present since Xen 4.12.  Xen 4.14 and later
are vulnerable to the DoS.  The side effects are believed to be benign
on Xen 4.12 and 4.13, but patches are provided nevertheless.

The vulnerability can generally only be exploited by x86 HVM VMs, as
these are generally the only type of VM which have a Qemu stubdomain.
x86 PV and PVH domains, as well as ARM VMs typically don't use a
stubdomain.

Only VMs using HVM stubdomains can exploit the vulnerability.  VMs using
PV stubdomains, or with emulators running in dom0 cannot exploit the
vulnerability.

MITIGATION
==========

Running only x86 PV or PVH VMs will avoid the vulnerability.
Reconfiguring x86 HVM guests to use a PV or no stubdom will also avoid
the vulnerability.

CREDITS
=======

This issue was discovered by Andrew Cooper of Citrix.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa334.patch           Xen 4.13 - xen-unstable
xsa334-4.12.patch      Xen 4.12

$ sha256sum xsa334*
80e7725a56c4244d860e9aebb56710a8165f7ffeae3fb67365cbc85b3b0518b3  xsa334.meta
323cd9d24b2e95643833865a9943172c56edd25dfd170e4741034d28dfd0d4bd  xsa334.patch
85341ba6322ea6279c0851493ce61e822c8560850034f5f26cbcb26be85ca102  xsa334-4.12.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAl9p/eYMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZV94H/jhwML6zObPz+zvjbwwAUoHsYiQ66CSUlxluqjN5
PXWpm56RzArptGIUakQyXKNI2Ht2fUn3Lu3w9JllujJRfmhbhiJJvI9Ar2QzOcri
+XylcK9rRspfmNUgXB629BTEcGUuo9/J+T+O4T544zfWUBncixyDq9/Q9SGAdz9c
kDZkL6UebpIFLtD6jrgYd4XAK9b1c6T7SmsGzq26m/zwGqJ1jol58kHl5GMXe7uX
rd9xZbERKIhaABbTQ10zY5IDIE4oplibSLOiJVSTz6KSyzD9by+M7oszqeIbIiRV
rY49lettdD4jfmzp5bbXQnf+9T31rG3AEHWaiOGdVcRFoq8=
=a23E
-----END PGP SIGNATURE-----
Comment 6 Swamp Workflow Management 2020-09-29 16:21:40 UTC
SUSE-SU-2020:2791-1: An update that solves 10 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1027519,1176339,1176341,1176343,1176344,1176345,1176346,1176347,1176348,1176349,1176350
CVE References: CVE-2020-25595,CVE-2020-25596,CVE-2020-25597,CVE-2020-25598,CVE-2020-25599,CVE-2020-25600,CVE-2020-25601,CVE-2020-25602,CVE-2020-25603,CVE-2020-25604
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP2 (src):    xen-4.13.1_08-3.10.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    xen-4.13.1_08-3.10.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Swamp Workflow Management 2020-09-29 16:27:42 UTC
SUSE-SU-2020:2790-1: An update that solves 10 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1027519,1176339,1176341,1176343,1176344,1176345,1176346,1176347,1176348,1176349,1176350
CVE References: CVE-2020-25595,CVE-2020-25596,CVE-2020-25597,CVE-2020-25598,CVE-2020-25599,CVE-2020-25600,CVE-2020-25601,CVE-2020-25602,CVE-2020-25603,CVE-2020-25604
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP1 (src):    xen-4.12.3_08-3.28.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    xen-4.12.3_08-3.28.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Swamp Workflow Management 2020-09-29 16:31:33 UTC
SUSE-SU-2020:2788-1: An update that solves 11 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1027519,1175534,1176339,1176341,1176343,1176344,1176345,1176346,1176347,1176348,1176349,1176350
CVE References: CVE-2020-14364,CVE-2020-25595,CVE-2020-25596,CVE-2020-25597,CVE-2020-25598,CVE-2020-25599,CVE-2020-25600,CVE-2020-25601,CVE-2020-25602,CVE-2020-25603,CVE-2020-25604
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    xen-4.12.3_08-3.24.1
SUSE Linux Enterprise Server 12-SP5 (src):    xen-4.12.3_08-3.24.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Swamp Workflow Management 2020-10-04 10:17:15 UTC
openSUSE-SU-2020:1608-1: An update that solves 10 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1027519,1176339,1176341,1176343,1176344,1176345,1176346,1176347,1176348,1176349,1176350
CVE References: CVE-2020-25595,CVE-2020-25596,CVE-2020-25597,CVE-2020-25598,CVE-2020-25599,CVE-2020-25600,CVE-2020-25601,CVE-2020-25602,CVE-2020-25603,CVE-2020-25604
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    xen-4.13.1_08-lp152.2.9.1
Comment 10 Charles Arnold 2021-01-22 20:22:36 UTC
Backported and released to 15-SP1.
Comment 11 Marcus Meissner 2021-09-06 14:54:53 UTC
released