Bug 1176348 - (CVE-2020-25600) VUL-0: CVE-2020-25600: xen: out of bounds event channels available to 32-bit x86 domains (XSA-342 v3)
(CVE-2020-25600)
VUL-0: CVE-2020-25600: xen: out of bounds event channels available to 32-bit ...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/266946/
CVSSv3.1:SUSE:CVE-2020-25600:7.1:(AV:...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2020-09-09 15:13 UTC by Marcus Meissner
Modified: 2021-09-06 14:54 UTC (History)
3 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
xsa342.patch (5.57 KB, patch)
2020-09-09 15:14 UTC, Marcus Meissner
Details | Diff
xsa342-4.13.patch (5.25 KB, patch)
2020-09-09 15:14 UTC, Marcus Meissner
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Marcus Meissner 2020-09-09 15:14:01 UTC
Created attachment 841529 [details]
xsa342.patch

xsa342.patch
Comment 2 Marcus Meissner 2020-09-09 15:14:25 UTC
Created attachment 841530 [details]
xsa342-4.13.patch

xsa342-4.13.patch
Comment 5 Wolfgang Frisch 2020-09-22 13:49:05 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2020-25600 / XSA-342
                               version 3

      out of bounds event channels available to 32-bit x86 domains

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

The so called 2-level event channel model imposes different limits on
the number of usable event channels for 32-bit x86 domains vs 64-bit
or Arm (either bitness) ones.  32-bit x86 domains can use only 1023
channels, due to limited space in their shared (between guest and Xen)
information structure, whereas all other domains can use up to 4095 in
this model.  The recording of the respective limit during domain
initialization, however, has occurred at a time where domains are still
deemed to be 64-bit ones, prior to actually honoring respective domain
properties.  At the point domains get recognized as 32-bit ones, the
limit didn't get updated accordingly.

Due to this misbehavior in Xen, 32-bit domains (including Domain 0)
servicing other domains may observe event channel allocations to succeed
when they should really fail.  Subsequent use of such event channels
would then possibly lead to corruption of other parts of the shared
info structure.

IMPACT
======

An unprivileged guest may cause another domain, in particular Domain 0,
to misbehave.  This may lead to a Denial of Service (DoS) for the entire
system.

VULNERABLE SYSTEMS
==================

All Xen versions from 4.4 onwards are vulnerable.  Xen versions 4.3 and
earlier are not vulnerable.

Only x86 32-bit domains servicing other domains are vulnerable.

Arm systems as well as x86 64-bit domains are not vulnerable.

MITIGATION
==========

There is no known workaround for x86 32-bit Domain 0.

The problem can be avoided by reducing the number of event channels
available to 32-bit x86 guests to no more than 1023.  For example,
setting "max_event_channels=1023" in the xl domain configuration, or
deleting any existing setting (since 1023 is the default for xl/libxl).

CREDITS
=======

This issue was discovered by Julien Grall of Amazon.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa342.patch           Xen 4.14 - xen-unstable
xsa342-4.13.patch      Xen 4.10 - 4.13

$ sha256sum xsa342*
8e85719f2783d5d0fc3da7a6aefb6c83717c7aa195d027b6aa52ff3a31c489aa  xsa342.meta
060caee3fb5971fca0f2fbdef622c52d9bc6e0ed9efad33de5b6b504651c2112  xsa342.patch
ef34839148d33b8d9cb03d56ffafdcdcbe9641a737211a50343d019132b169dd  xsa342-4.13.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAl9p/ecMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZ+RAIAKhulm14Ze1LmVTCGKcTJ525DARSmzGdki4iX3ow
qvQkV1B8TacFnuzZp1VfRnm5vRGBY/uXaFORw21Z/rWSRQ3xjgcazTsG0jhNQ8QG
onH1JaxE26BfYu12oTSEKyTWWu1XSdrFTxWp07p79+qHvKGY6GtGRWGhkI6YNgkD
X2TwRtt6GF6wRTq3PCc+7CGnn5jp7FRyJpI/2uiNZC6cL6lGUYNl9wgujSnefqQO
1sAZSc3DmvIuvFl4XWUeU7mH/6xL93sDN4vIrVllvcI9nEswqFwju6+SP76Pnkoh
KBSYNk79QNlbBdXJwNmYxqp4sYpH/JYEm6+u2Zw1hxCMgM4=
=EebG
-----END PGP SIGNATURE-----
Comment 6 Swamp Workflow Management 2020-09-29 16:15:53 UTC
SUSE-SU-2020:2789-1: An update that fixes 8 vulnerabilities is now available.

Category: security (important)
Bug References: 1176343,1176344,1176345,1176346,1176347,1176348,1176349,1176350
CVE References: CVE-2020-25595,CVE-2020-25596,CVE-2020-25597,CVE-2020-25599,CVE-2020-25600,CVE-2020-25601,CVE-2020-25603,CVE-2020-25604
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    xen-4.10.4_16-3.41.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    xen-4.10.4_16-3.41.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    xen-4.10.4_16-3.41.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Swamp Workflow Management 2020-09-29 16:18:38 UTC
SUSE-SU-2020:2786-1: An update that solves 10 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1027519,1175534,1176339,1176343,1176344,1176345,1176346,1176347,1176348,1176349,1176350
CVE References: CVE-2020-14364,CVE-2020-25595,CVE-2020-25596,CVE-2020-25597,CVE-2020-25599,CVE-2020-25600,CVE-2020-25601,CVE-2020-25602,CVE-2020-25603,CVE-2020-25604
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    xen-4.11.4_08-2.36.1
SUSE OpenStack Cloud 9 (src):    xen-4.11.4_08-2.36.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    xen-4.11.4_08-2.36.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    xen-4.11.4_08-2.36.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Swamp Workflow Management 2020-09-29 16:22:19 UTC
SUSE-SU-2020:2791-1: An update that solves 10 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1027519,1176339,1176341,1176343,1176344,1176345,1176346,1176347,1176348,1176349,1176350
CVE References: CVE-2020-25595,CVE-2020-25596,CVE-2020-25597,CVE-2020-25598,CVE-2020-25599,CVE-2020-25600,CVE-2020-25601,CVE-2020-25602,CVE-2020-25603,CVE-2020-25604
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP2 (src):    xen-4.13.1_08-3.10.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    xen-4.13.1_08-3.10.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Swamp Workflow Management 2020-09-29 16:25:36 UTC
SUSE-SU-2020:2787-1: An update that fixes 9 vulnerabilities is now available.

Category: security (important)
Bug References: 1175534,1176343,1176344,1176345,1176346,1176347,1176348,1176349,1176350
CVE References: CVE-2020-14364,CVE-2020-25595,CVE-2020-25596,CVE-2020-25597,CVE-2020-25599,CVE-2020-25600,CVE-2020-25601,CVE-2020-25603,CVE-2020-25604
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    xen-4.9.4_12-3.74.1
SUSE OpenStack Cloud 8 (src):    xen-4.9.4_12-3.74.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    xen-4.9.4_12-3.74.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    xen-4.9.4_12-3.74.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    xen-4.9.4_12-3.74.1
SUSE Enterprise Storage 5 (src):    xen-4.9.4_12-3.74.1
HPE Helion Openstack 8 (src):    xen-4.9.4_12-3.74.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Swamp Workflow Management 2020-09-29 16:28:23 UTC
SUSE-SU-2020:2790-1: An update that solves 10 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1027519,1176339,1176341,1176343,1176344,1176345,1176346,1176347,1176348,1176349,1176350
CVE References: CVE-2020-25595,CVE-2020-25596,CVE-2020-25597,CVE-2020-25598,CVE-2020-25599,CVE-2020-25600,CVE-2020-25601,CVE-2020-25602,CVE-2020-25603,CVE-2020-25604
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP1 (src):    xen-4.12.3_08-3.28.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    xen-4.12.3_08-3.28.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Swamp Workflow Management 2020-09-29 16:32:11 UTC
SUSE-SU-2020:2788-1: An update that solves 11 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1027519,1175534,1176339,1176341,1176343,1176344,1176345,1176346,1176347,1176348,1176349,1176350
CVE References: CVE-2020-14364,CVE-2020-25595,CVE-2020-25596,CVE-2020-25597,CVE-2020-25598,CVE-2020-25599,CVE-2020-25600,CVE-2020-25601,CVE-2020-25602,CVE-2020-25603,CVE-2020-25604
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    xen-4.12.3_08-3.24.1
SUSE Linux Enterprise Server 12-SP5 (src):    xen-4.12.3_08-3.24.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Swamp Workflow Management 2020-10-01 16:15:57 UTC
SUSE-SU-2020:2822-1: An update that fixes 12 vulnerabilities is now available.

Category: security (important)
Bug References: 1172205,1173378,1173380,1175534,1176343,1176344,1176345,1176346,1176347,1176348,1176349,1176350
CVE References: CVE-2020-0543,CVE-2020-14364,CVE-2020-15565,CVE-2020-15567,CVE-2020-25595,CVE-2020-25596,CVE-2020-25597,CVE-2020-25599,CVE-2020-25600,CVE-2020-25601,CVE-2020-25603,CVE-2020-25604
JIRA References: 
Sources used:
SUSE OpenStack Cloud 7 (src):    xen-4.7.6_10-43.67.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    xen-4.7.6_10-43.67.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    xen-4.7.6_10-43.67.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    xen-4.7.6_10-43.67.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Swamp Workflow Management 2020-10-04 10:17:57 UTC
openSUSE-SU-2020:1608-1: An update that solves 10 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1027519,1176339,1176341,1176343,1176344,1176345,1176346,1176347,1176348,1176349,1176350
CVE References: CVE-2020-25595,CVE-2020-25596,CVE-2020-25597,CVE-2020-25598,CVE-2020-25599,CVE-2020-25600,CVE-2020-25601,CVE-2020-25602,CVE-2020-25603,CVE-2020-25604
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    xen-4.13.1_08-lp152.2.9.1
Comment 15 Swamp Workflow Management 2020-10-22 16:17:37 UTC
SUSE-SU-2020:14521-1: An update that fixes 11 vulnerabilities is now available.

Category: security (important)
Bug References: 1172205,1173378,1173380,1175534,1176343,1176344,1176345,1176346,1176347,1176348,1176350
CVE References: CVE-2020-0543,CVE-2020-14364,CVE-2020-15565,CVE-2020-15567,CVE-2020-25595,CVE-2020-25596,CVE-2020-25597,CVE-2020-25600,CVE-2020-25601,CVE-2020-25603,CVE-2020-25604
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    xen-4.4.4_44-61.55.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    xen-4.4.4_44-61.55.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Charles Arnold 2021-01-22 20:27:56 UTC
Backported and released to 11-SP4.
Comment 17 Marcus Meissner 2021-09-06 14:54:31 UTC
released