Bugzilla – Bug 1176347
VUL-0: CVE-2020-25603: xen: Missing memory barriers when accessing/allocating an event channel (XSA-340 v3)
Last modified: 2020-12-30 13:31:42 UTC
Created attachment 841528: xsa340.patch
            Xen Security Advisory CVE-2020-25603 / XSA-340
                               version 3

 Missing memory barriers when accessing/allocating an event channel

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

Event channels control structures can be accessed lockless as long as the port
is considered to be valid. Such sequence is missing appropriate memory barrier
(e.g smp_*mb()) to prevent both the compiler and CPU to re-order access.

IMPACT
======

A malicious guest may be able to cause a hypervisor crash resulting in a
Denial of Service (DoS). Information leak and privilege escalation cannot be
excluded.

VULNERABLE SYSTEMS
==================

Systems running all versions of Xen are affected. Whether a system is
vulnerable will depend on the CPU and compiler used to build Xen.

For all the systems, the presence and the scope of the vulnerability
depends on the precise re-ordering performed by the compiler used to
build Xen.

We have not been able to survey compilers; consequently we cannot say
which compiler(s) might produce vulnerable code (with which code generation
options). GCC documentation clearly suggests that re-ordering is possible.

Arm systems will also be vulnerable if the CPU is able to re-order memory
access. Please consult your CPU vendor.

x86 systems are only vulnerable if a compiler performs re-ordering.

MITIGATION
==========

There is no known mitigation.

CREDITS
=======

This issue was discovered by Julien Grall of Amazon.

RESOLUTION
==========

Applying the attached patch resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball. Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa340.patch           Xen 4.10 - xen-unstable

$ sha256sum xsa340*
72b75011b99e914ddb479082f88329063dcd1f55cc931059d950ecda276ee944  xsa340.meta
2bb088fcc1f8f79bf5ddb7b4e101cb1db76a343d2fb1cdafb7cd54612e4009da  xsa340.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html

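The ordering requirement from the ISSUE DESCRIPTION above, as an added C11 illustration; it is not Xen's code and not the content of xsa340.patch. All names (`port_table`, `valid_ports`, `table_grow`, `chan_lookup`) are hypothetical, and C11 release/acquire atomics stand in for the `smp_*mb()` barriers the advisory names.

```c
/* Added illustration: lockless "is this port valid?" check paired with
 * release/acquire ordering. All names are hypothetical, not Xen's. */
#include <stdatomic.h>
#include <stdlib.h>

#define PORTS_PER_BUCKET 4u
#define MAX_BUCKETS      8u

struct chan { int state; unsigned notify_cpu; };

struct port_table {
    struct chan *bucket[MAX_BUCKETS];
    atomic_uint  valid_ports;          /* ports [0, valid_ports) are usable */
};

/* Writer side (assumed to be serialised by a lock): add one bucket. */
int table_grow(struct port_table *t)
{
    unsigned n = atomic_load_explicit(&t->valid_ports, memory_order_relaxed);
    unsigned idx = n / PORTS_PER_BUCKET;
    struct chan *b;

    if (idx >= MAX_BUCKETS || !(b = calloc(PORTS_PER_BUCKET, sizeof(*b))))
        return -1;
    for (unsigned i = 0; i < PORTS_PER_BUCKET; i++)
        b[i].notify_cpu = i;           /* initialise before publishing */
    t->bucket[idx] = b;

    /* Release store: the bucket pointer and its contents become visible
     * no later than the new bound. With a plain store, the compiler or a
     * weakly ordered CPU could make the bound visible first. */
    atomic_store_explicit(&t->valid_ports, n + PORTS_PER_BUCKET,
                          memory_order_release);
    return 0;
}

/* Reader side, no lock held: validate the port, then dereference. */
struct chan *chan_lookup(struct port_table *t, unsigned port)
{
    /* Acquire load pairs with the release store above, so the bucket
     * read below cannot be satisfied before the bound check. */
    if (port >= atomic_load_explicit(&t->valid_ports, memory_order_acquire))
        return NULL;
    return &t->bucket[port / PORTS_PER_BUCKET][port % PORTS_PER_BUCKET];
}
```
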
SUSE-SU-2020:2789-1: An update that fixes 8 vulnerabilities is now available.
Category: security (important)
Bug References: 1176343,1176344,1176345,1176346,1176347,1176348,1176349,1176350
CVE References: CVE-2020-25595,CVE-2020-25596,CVE-2020-25597,CVE-2020-25599,CVE-2020-25600,CVE-2020-25601,CVE-2020-25603,CVE-2020-25604
JIRA References:
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src): xen-4.10.4_16-3.41.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src): xen-4.10.4_16-3.41.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): xen-4.10.4_16-3.41.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2020:2786-1: An update that solves 10 vulnerabilities and has one errata is now available.
Category: security (important)
Bug References: 1027519,1175534,1176339,1176343,1176344,1176345,1176346,1176347,1176348,1176349,1176350
CVE References: CVE-2020-14364,CVE-2020-25595,CVE-2020-25596,CVE-2020-25597,CVE-2020-25599,CVE-2020-25600,CVE-2020-25601,CVE-2020-25602,CVE-2020-25603,CVE-2020-25604
JIRA References:
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src): xen-4.11.4_08-2.36.1
SUSE OpenStack Cloud 9 (src): xen-4.11.4_08-2.36.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src): xen-4.11.4_08-2.36.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src): xen-4.11.4_08-2.36.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2020:2791-1: An update that solves 10 vulnerabilities and has one errata is now available.
Category: security (important)
Bug References: 1027519,1176339,1176341,1176343,1176344,1176345,1176346,1176347,1176348,1176349,1176350
CVE References: CVE-2020-25595,CVE-2020-25596,CVE-2020-25597,CVE-2020-25598,CVE-2020-25599,CVE-2020-25600,CVE-2020-25601,CVE-2020-25602,CVE-2020-25603,CVE-2020-25604
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP2 (src): xen-4.13.1_08-3.10.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src): xen-4.13.1_08-3.10.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2020:2787-1: An update that fixes 9 vulnerabilities is now available.
Category: security (important)
Bug References: 1175534,1176343,1176344,1176345,1176346,1176347,1176348,1176349,1176350
CVE References: CVE-2020-14364,CVE-2020-25595,CVE-2020-25596,CVE-2020-25597,CVE-2020-25599,CVE-2020-25600,CVE-2020-25601,CVE-2020-25603,CVE-2020-25604
JIRA References:
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src): xen-4.9.4_12-3.74.1
SUSE OpenStack Cloud 8 (src): xen-4.9.4_12-3.74.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src): xen-4.9.4_12-3.74.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src): xen-4.9.4_12-3.74.1
SUSE Linux Enterprise Server 12-SP3-BCL (src): xen-4.9.4_12-3.74.1
SUSE Enterprise Storage 5 (src): xen-4.9.4_12-3.74.1
HPE Helion Openstack 8 (src): xen-4.9.4_12-3.74.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2020:2790-1: An update that solves 10 vulnerabilities and has one errata is now available.
Category: security (important)
Bug References: 1027519,1176339,1176341,1176343,1176344,1176345,1176346,1176347,1176348,1176349,1176350
CVE References: CVE-2020-25595,CVE-2020-25596,CVE-2020-25597,CVE-2020-25598,CVE-2020-25599,CVE-2020-25600,CVE-2020-25601,CVE-2020-25602,CVE-2020-25603,CVE-2020-25604
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP1 (src): xen-4.12.3_08-3.28.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): xen-4.12.3_08-3.28.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2020:2788-1: An update that solves 11 vulnerabilities and has one errata is now available.
Category: security (important)
Bug References: 1027519,1175534,1176339,1176341,1176343,1176344,1176345,1176346,1176347,1176348,1176349,1176350
CVE References: CVE-2020-14364,CVE-2020-25595,CVE-2020-25596,CVE-2020-25597,CVE-2020-25598,CVE-2020-25599,CVE-2020-25600,CVE-2020-25601,CVE-2020-25602,CVE-2020-25603,CVE-2020-25604
JIRA References:
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): xen-4.12.3_08-3.24.1
SUSE Linux Enterprise Server 12-SP5 (src): xen-4.12.3_08-3.24.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2020:2822-1: An update that fixes 12 vulnerabilities is now available.
Category: security (important)
Bug References: 1172205,1173378,1173380,1175534,1176343,1176344,1176345,1176346,1176347,1176348,1176349,1176350
CVE References: CVE-2020-0543,CVE-2020-14364,CVE-2020-15565,CVE-2020-15567,CVE-2020-25595,CVE-2020-25596,CVE-2020-25597,CVE-2020-25599,CVE-2020-25600,CVE-2020-25601,CVE-2020-25603,CVE-2020-25604
JIRA References:
Sources used:
SUSE OpenStack Cloud 7 (src): xen-4.7.6_10-43.67.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src): xen-4.7.6_10-43.67.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src): xen-4.7.6_10-43.67.1
SUSE Linux Enterprise Server 12-SP2-BCL (src): xen-4.7.6_10-43.67.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

openSUSE-SU-2020:1608-1: An update that solves 10 vulnerabilities and has one errata is now available.
Category: security (important)
Bug References: 1027519,1176339,1176341,1176343,1176344,1176345,1176346,1176347,1176348,1176349,1176350
CVE References: CVE-2020-25595,CVE-2020-25596,CVE-2020-25597,CVE-2020-25598,CVE-2020-25599,CVE-2020-25600,CVE-2020-25601,CVE-2020-25602,CVE-2020-25603,CVE-2020-25604
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): xen-4.13.1_08-lp152.2.9.1

SUSE-SU-2020:14521-1: An update that fixes 11 vulnerabilities is now available.
Category: security (important)
Bug References: 1172205,1173378,1173380,1175534,1176343,1176344,1176345,1176346,1176347,1176348,1176350
CVE References: CVE-2020-0543,CVE-2020-14364,CVE-2020-15565,CVE-2020-15567,CVE-2020-25595,CVE-2020-25596,CVE-2020-25597,CVE-2020-25600,CVE-2020-25601,CVE-2020-25603,CVE-2020-25604
JIRA References:
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src): xen-4.4.4_44-61.55.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): xen-4.4.4_44-61.55.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

(In reply to Wolfgang Frisch from comment #5)
> VULNERABLE SYSTEMS
> ==================
>
> Systems running all versions of Xen are affected. Whether a system is
> vulnerable will depend on the CPU and compiler used to build Xen.

According to my judgement this issue really got introduced with the preparations for FIFO event channels, i.e. in 4.4. Prior to that if anything Arm would have been affected, which we don't care about especially in these very old versions.

(In reply to Jan Beulich from comment #16)
> (In reply to Wolfgang Frisch from comment #5)
> > VULNERABLE SYSTEMS
> > ==================
> >
> > Systems running all versions of Xen are affected. Whether a system is
> > vulnerable will depend on the CPU and compiler used to build Xen.
>
> According to my judgement this issue really got introduced with the
> preparations for FIFO event channels, i.e. in 4.4. Prior to that if anything
> Arm would have been affected, which we don't care about especially in these
> very old versions.

Thanks for the analysis. In that case the bug is resolved.