Bug 1177413 - (CVE-2020-27671) VUL-0: CVE-2020-27671 : xen: undue deferral of IOMMU TLB flushes (XSA-346 v2)
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Major
Assigned To: Security Team bot
https://smash.suse.de/issue/268928/
CVSSv3.1:SUSE:CVE-2020-27671:7.8:(AV:...
Reported: 2020-10-07 08:21 UTC by Wolfgang Frisch
Modified: 2022-08-11 23:15 UTC
Comment 5 Alexandros Toptsoglou 2020-10-20 13:58:45 UTC
now public through https://xenbits.xen.org/xsa/advisory-346.html

                    Xen Security Advisory XSA-346
                              version 2

                  undue deferral of IOMMU TLB flushes

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

To efficiently change the physical to machine address mappings of a
larger range of addresses for fully virtualized guests, Xen contains
an optimization to coalesce per-page IOMMU TLB flushes into a single,
wider flush after all adjustments have been made.  While this is fine
to do for newly introduced page mappings, the possible removal of
pages from such guests during this operation should not be "optimized"
in the same way.  This is because the (typically) final reference of
such pages is dropped before the coalesced flush, and hence the pages
may have been put to a different use even though DMA initiated by
their original owner might still be in progress.

IMPACT
======

A malicious guest might be able to cause data corruption and data
leaks.  Host or guest Denial of Service (DoS), and privilege
escalation, cannot be ruled out.

VULNERABLE SYSTEMS
==================

All Xen versions from 4.2 onwards are vulnerable.  Xen versions 4.1 and
earlier are not vulnerable.

Only x86 HVM and PVH guests can leverage the vulnerability.  Arm guests
as well as x86 PV ones cannot leverage the vulnerability.

Only x86 HVM and PVH guests which have physical devices passed through
to them can leverage the vulnerability.

Only x86 HVM and PVH guests configured to not share IOMMU and CPU
page tables can leverage the vulnerability.  Sharing these page tables
is the default on capable Intel (VT-d) hardware.  On AMD hardware
sharing is not possible.  On Intel (VT-d) hardware sharing may also not
be possible, depending on hardware properties.  Whether it is possible
can be seen from the presence (or absence) of "iommu_hap_pt_share" on
the "virt_caps" line of "xl info" output.  Guests run in shadow mode
can leverage the vulnerability.

MITIGATION
==========

Not passing through physical devices to untrusted guests will avoid
the vulnerability.

On systems permitting page table sharing, not suppressing use of the
functionality will allow avoiding the vulnerability. This means guests
should not be run in
* shadow mode, i.e. hardware needs to be HAP (Hardware Assisted Paging)
  capable, there should not be "hap=0" in the guest's xl configuration
  file, and there should not be "hap=0" or equivalent on Xen's command
  line,
* non-shared page table mode, i.e. hardware needs to be capable of
  sharing, there should not be "passthrough=sync_pt" in the guest's xl
  configuration file, and there should not be "iommu=no-sharept" or
  equivalent on Xen's command line.

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

Applying the appropriate pair of attached patches resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa346/xsa346-?.patch           Xen 4.14 - xen-unstable
xsa346/xsa346-4.13-?.patch      Xen 4.13
xsa346/xsa346-4.12-?.patch      Xen 4.12
xsa346/xsa346-4.11-?.patch      Xen 4.11
xsa346/xsa346-4.10-?.patch      Xen 4.10
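
Added example, not part of the advisory or of any bug comment: a Python check of the conditions listed under VULNERABLE SYSTEMS and MITIGATION above, run over constructed "xl info" output and a constructed guest configuration. The `type`, `builder` and `pci` guest keys, the `xen_commandline` line of "xl info" and the comma-separated form of `iommu=` are assumptions beyond what the advisory text shows; config parsing is simplified to single-line assignments.

```python
import re

def xl_info_field(xl_info, key):
    """Whitespace-split value of one 'key : value' line of `xl info` output."""
    for line in xl_info.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip() == key:
            return value.split()
    return []

def cfg_value(cfg, key):
    """Simplified xl.cfg lookup: last single-line 'key = value', quotes stripped."""
    hits = re.findall(rf"^\s*{key}\s*=\s*(.+?)\s*(?:#.*)?$", cfg, re.M)
    return hits[-1].strip("\"'") if hits else None

def unshared_pt_reasons(xl_info, guest_cfg):
    """Reasons a passthrough HVM/PVH guest runs without shared IOMMU/CPU page
    tables (the advisory's vulnerable configuration); [] if conditions are not met."""
    gtype = cfg_value(guest_cfg, "type") or cfg_value(guest_cfg, "builder") or "pv"
    pci = cfg_value(guest_cfg, "pci") or "[]"
    if gtype not in ("hvm", "pvh") or pci.replace(" ", "") == "[]":
        return []          # PV guest, or no physical device passed through
    cmdline = xl_info_field(xl_info, "xen_commandline")
    # iommu= takes a comma-separated list; other "equivalent" spellings not covered
    iommu_opts = [o for t in cmdline if t.startswith("iommu=")
                  for o in t[len("iommu="):].split(",")]
    reasons = []
    if "iommu_hap_pt_share" not in xl_info_field(xl_info, "virt_caps"):
        reasons.append("host lacks iommu_hap_pt_share")
    if cfg_value(guest_cfg, "hap") == "0" or "hap=0" in cmdline:
        reasons.append("shadow mode (hap=0)")
    if cfg_value(guest_cfg, "passthrough") == "sync_pt":
        reasons.append("passthrough=sync_pt")
    if "no-sharept" in iommu_opts:
        reasons.append("iommu=no-sharept")
    return reasons

# Constructed sample inputs (not captured from a real host)
XL_INFO = """\
virt_caps              : pv hvm hvm_directio pv_directio hap shadow iommu_hap_pt_share
xen_commandline        : dom0_mem=4096M iommu=verbose,no-sharept
"""
GUEST_CFG = """\
name = "guest1"
type = "hvm"
hap = 0                # shadow mode
pci = [ '01:00.0' ]
"""

if __name__ == "__main__":
    print(unshared_pt_reasons(XL_INFO, GUEST_CFG))
```

An empty list means the guest does not meet the advisory's conditions as far as this simplified check can see; it does not replace applying the patches.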
Comment 6 Swamp Workflow Management 2020-10-27 20:16:26 UTC
SUSE-SU-2020:3052-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1177409,1177412,1177413,1177414
CVE References: CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27673
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    xen-4.10.4_18-3.44.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    xen-4.10.4_18-3.44.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    xen-4.10.4_18-3.44.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Swamp Workflow Management 2020-10-27 20:17:32 UTC
SUSE-SU-2020:3049-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1177409,1177412,1177413,1177414
CVE References: CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27673
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP2 (src):    xen-4.13.1_10-3.13.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    xen-4.13.1_10-3.13.1

Comment 8 Swamp Workflow Management 2020-10-27 20:18:39 UTC
SUSE-SU-2020:3050-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1177409,1177412,1177413,1177414
CVE References: CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27673
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    xen-4.12.3_10-3.27.1
SUSE Linux Enterprise Server 12-SP5 (src):    xen-4.12.3_10-3.27.1

Comment 9 Swamp Workflow Management 2020-10-27 20:19:46 UTC
SUSE-SU-2020:3051-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1177409,1177412,1177413,1177414
CVE References: CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27673
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP1 (src):    xen-4.12.3_10-3.31.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    xen-4.12.3_10-3.31.1

Comment 10 Wolfgang Frisch 2020-10-29 15:25:11 UTC
Still affected, according to upstream:

SUSE:SLE-11-SP3:Update
SUSE:SLE-11-SP3:Update:Teradata
SUSE:SLE-11-SP4:Update
SUSE:SLE-12-SP2:Update
SUSE:SLE-12-SP3:Update
Comment 11 Swamp Workflow Management 2020-10-29 17:18:54 UTC
SUSE-SU-2020:3088-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1177409,1177412,1177413,1177414
CVE References: CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27673
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    xen-4.11.4_10-2.39.2
SUSE OpenStack Cloud 9 (src):    xen-4.11.4_10-2.39.2
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    xen-4.11.4_10-2.39.2
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    xen-4.11.4_10-2.39.2

Comment 12 Swamp Workflow Management 2020-10-31 05:14:52 UTC
openSUSE-SU-2020:1783-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1177409,1177412,1177413,1177414
CVE References: CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27673
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    xen-4.13.1_10-lp152.2.12.1
Comment 13 Swamp Workflow Management 2020-11-05 23:29:45 UTC
openSUSE-SU-2020:1844-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1177409,1177412,1177413,1177414
CVE References: CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27673
JIRA References: 
Sources used:
openSUSE Leap 15.1 (src):    xen-4.12.3_10-lp151.2.27.1
Comment 15 Swamp Workflow Management 2020-12-03 14:18:51 UTC
SUSE-SU-2020:3611-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1177409,1177412,1177413,1177414,1178591,1178963
CVE References: CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27674,CVE-2020-28368
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP1 (src):    xen-4.12.4_04-3.37.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    xen-4.12.4_04-3.37.1

Comment 16 Swamp Workflow Management 2020-12-03 14:25:31 UTC
SUSE-SU-2020:3615-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1177409,1177412,1177413,1177414,1178591,1178963
CVE References: CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27674,CVE-2020-28368
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP2 (src):    xen-4.13.2_04-3.19.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    xen-4.13.2_04-3.19.1

Comment 17 Swamp Workflow Management 2020-12-04 20:18:24 UTC
SUSE-SU-2020:3627-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1177409,1177412,1177413,1177414,1178591,1178963
CVE References: CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27674,CVE-2020-28368
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    xen-4.10.4_22-3.50.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    xen-4.10.4_22-3.50.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    xen-4.10.4_22-3.50.1

Comment 18 Swamp Workflow Management 2020-12-05 02:15:54 UTC
openSUSE-SU-2020:2162-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1177409,1177412,1177413,1177414,1178591,1178963
CVE References: CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27674,CVE-2020-28368
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    xen-4.13.2_04-lp152.2.18.1
Comment 19 Swamp Workflow Management 2020-12-07 14:40:31 UTC
SUSE-SU-2020:3631-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1177409,1177412,1177413,1177414,1178591,1178963
CVE References: CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27674,CVE-2020-28368
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    xen-4.9.4_14-3.77.1
SUSE OpenStack Cloud 8 (src):    xen-4.9.4_14-3.77.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    xen-4.9.4_14-3.77.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    xen-4.9.4_14-3.77.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    xen-4.9.4_14-3.77.1
SUSE Enterprise Storage 5 (src):    xen-4.9.4_14-3.77.1
HPE Helion Openstack 8 (src):    xen-4.9.4_14-3.77.1

Comment 20 Swamp Workflow Management 2020-12-07 14:47:20 UTC
openSUSE-SU-2020:2192-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1177409,1177412,1177413,1177414,1178591,1178963
CVE References: CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27674,CVE-2020-28368
JIRA References: 
Sources used:
openSUSE Leap 15.1 (src):    xen-4.12.4_04-lp151.2.33.1
Comment 21 Swamp Workflow Management 2020-12-07 20:22:03 UTC
SUSE-SU-2020:3653-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1177409,1177412,1177413,1177414,1178591,1178963
CVE References: CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27674,CVE-2020-28368
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    xen-4.11.4_14-2.45.1
SUSE OpenStack Cloud 9 (src):    xen-4.11.4_14-2.45.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    xen-4.11.4_14-2.45.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    xen-4.11.4_14-2.45.1

Comment 22 Swamp Workflow Management 2020-12-08 14:15:56 UTC
SUSE-SU-2020:14557-1: An update that solves 6 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1177409,1177412,1177413,1177414,1178591,1178935,1178963
CVE References: CVE-2020-25723,CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27674,CVE-2020-28368
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    xen-4.4.4_46-61.58.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    xen-4.4.4_46-61.58.1

Comment 23 Swamp Workflow Management 2020-12-10 14:18:03 UTC
SUSE-SU-2020:3742-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1177409,1177412,1177413,1177414,1178591,1178963
CVE References: CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27674,CVE-2020-28368
JIRA References: 
Sources used:
SUSE OpenStack Cloud 7 (src):    xen-4.7.6_12-43.70.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    xen-4.7.6_12-43.70.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    xen-4.7.6_12-43.70.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    xen-4.7.6_12-43.70.1

Comment 25 Charles Arnold 2021-01-22 20:48:16 UTC
Backported and released to 11-SP3.
Comment 26 Firo Yang 2021-03-24 09:38:56 UTC
(In reply to Charles Arnold from comment #25)
> Backported and released to 11-SP3.

Hi Charles, I am working on bsc#1183926 which needs this backport; where could I find it?
Comment 27 Charles Arnold 2021-03-24 12:19:15 UTC
(In reply to Firo Yang from comment #26)
> (In reply to Charles Arnold from comment #25)
> > Backported and released to 11-SP3.
> 
> Hi Charles, I am working on bsc#1183926 which needs this backport; where could
> I find it?

The internal build service repo,
https://build.suse.de/package/show/Devel:Virt:SLE-11-SP3/xen

There are two patches,
xsa346-1.patch
xsa346-2.patch
Comment 28 Thomas Leroy 2022-08-09 07:56:02 UTC
Released