Bugzilla – Bug 1115045
VUL-0: CVE-2018-19965 : xen: x86: DoS from attempting to use INVPCID with a non-canonical addresses (XSA-279)
Last modified: 2024-04-15 10:46:12 UTC
public via oss-sec Xen Security Advisory XSA-279 version 2 x86: DoS from attempting to use INVPCID with a non-canonical addresses UPDATES IN VERSION 2 ==================== Public release. ISSUE DESCRIPTION ================= The INVPCID instruction raises #GP[0] if an attempt is made to invalidate a non-canonical address. Older flushing mechanisms such as INVLPG tolerate this without error, and perform no action. There is one guest accessible path in Xen where a non-canonical address was passed into the TLB flushing code. This previously had no ill effect, but became vulnerable with the introduction of PCID to reduce the performance hit from the Meltdown mitigations. IMPACT ====== A buggy or malicious PV guest can crash the host. VULNERABLE SYSTEMS ================== Only hardware which supports the INVPCID instruction is vulnerable. This is available on Intel Haswell processors and later. AMD x86 processors are not known to support this instruction, and ARM processors are entirely unaffected. Only versions of Xen with PCID support are vulnerable. Support first appeared in Xen 4.11 but was backported to the stable trees as part of the Meltdown (XSA-254 / CVE-2017-5754) fixes. Xen 4.10.2, 4.9.3, 4.8.4 as well as the stable-4.7 and 4.6 branches are vulnerable. The vulnerability is only exposed to 64-bit PV guests. 32-bit PV guests, as well as HVM/PVH guests cannot exploit the vulnerability. MITIGATION ========== Booting Xen with `pcid=0` or `invpcid=0` on the command line will work around the issue. Alternatively, running untrusted 64bit PV guests inside xen-shim will work around the issue. CREDITS ======= This issue was discovered by Matthew Daley. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. xsa279.patch xen-unstable, Xen 4.11.x, Xen 4.10.x xsa279-4.9.patch Xen 4.9.x ... 4.7.x $ sha256sum xsa279* 40319fcf33348176eb14d7fc7c68c255cc7291013242ea444de6d00602024a11 xsa279.meta 0c1d50effe6645051a15dd83af57088dd4a055e26a23b1fa9e6c3722a7973f5d xsa279.patch fd34f29bc7e53359585135408cbbd12e12a003f59b135e81cc44186c5cddd40d xsa279-4.9.patch $
SUSE-SU-2018:4070-1: An update that solves 6 vulnerabilities and has one errata is now available. Category: security (important) Bug References: 1027519,1108940,1114405,1114423,1115040,1115045,1115047 CVE References: CVE-2018-18849,CVE-2018-18883,CVE-2018-19961,CVE-2018-19962,CVE-2018-19965,CVE-2018-19966 Sources used: SUSE Linux Enterprise Software Development Kit 12-SP3 (src): xen-4.9.3_03-3.47.1 SUSE Linux Enterprise Server 12-SP3 (src): xen-4.9.3_03-3.47.1 SUSE Linux Enterprise Desktop 12-SP3 (src): xen-4.9.3_03-3.47.1 SUSE CaaS Platform ALL (src): xen-4.9.3_03-3.47.1 SUSE CaaS Platform 3.0 (src): xen-4.9.3_03-3.47.1
openSUSE-SU-2018:4111-1: An update that solves 6 vulnerabilities and has one errata is now available. Category: security (important) Bug References: 1027519,1108940,1114405,1114423,1115040,1115045,1115047 CVE References: CVE-2018-18849,CVE-2018-18883,CVE-2018-19961,CVE-2018-19962,CVE-2018-19965,CVE-2018-19966 Sources used: openSUSE Leap 42.3 (src): xen-4.9.3_03-34.1
SUSE-SU-2018:4300-1: An update that solves 9 vulnerabilities and has four fixes is now available. Category: security (important) Bug References: 1027519,1078292,1091107,1094508,1103275,1103276,1103279,1105528,1108940,1114405,1115040,1115045,1115047 CVE References: CVE-2018-15468,CVE-2018-15469,CVE-2018-15470,CVE-2018-18883,CVE-2018-19961,CVE-2018-19962,CVE-2018-19965,CVE-2018-19966,CVE-2018-3646 Sources used: SUSE Linux Enterprise Module for Server Applications 15 (src): xen-4.10.2_04-3.9.1 SUSE Linux Enterprise Module for Basesystem 15 (src): xen-4.10.2_04-3.9.1
openSUSE-SU-2018:4304-1: An update that solves 9 vulnerabilities and has four fixes is now available. Category: security (important) Bug References: 1027519,1078292,1091107,1094508,1103275,1103276,1103279,1105528,1108940,1114405,1115040,1115045,1115047 CVE References: CVE-2018-15468,CVE-2018-15469,CVE-2018-15470,CVE-2018-18883,CVE-2018-19961,CVE-2018-19962,CVE-2018-19965,CVE-2018-19966,CVE-2018-3646 Sources used: openSUSE Leap 15.0 (src): xen-4.10.2_04-lp150.2.12.1
SUSE-SU-2019:0003-1: An update that solves 11 vulnerabilities and has one errata is now available. Category: security (important) Bug References: 1027519,1108940,1111014,1114405,1114423,1114988,1115040,1115043,1115044,1115045,1115047,1117756 CVE References: CVE-2018-17963,CVE-2018-18849,CVE-2018-18883,CVE-2018-19665,CVE-2018-19961,CVE-2018-19962,CVE-2018-19963,CVE-2018-19964,CVE-2018-19965,CVE-2018-19966,CVE-2018-19967 Sources used: SUSE Linux Enterprise Software Development Kit 12-SP4 (src): xen-4.11.1_02-2.3.1 SUSE Linux Enterprise Server 12-SP4 (src): xen-4.11.1_02-2.3.1 SUSE Linux Enterprise Desktop 12-SP4 (src): xen-4.11.1_02-2.3.1
SUSE-SU-2019:0020-1: An update that solves 6 vulnerabilities and has three fixes is now available. Category: security (important) Bug References: 1027519,1105528,1108940,1114423,1115040,1115045,1115047,1116380,1117756 CVE References: CVE-2018-18849,CVE-2018-19665,CVE-2018-19961,CVE-2018-19962,CVE-2018-19965,CVE-2018-19966 Sources used: SUSE OpenStack Cloud 7 (src): xen-4.7.6_05-43.45.1 SUSE Linux Enterprise Server for SAP 12-SP2 (src): xen-4.7.6_05-43.45.1 SUSE Linux Enterprise Server 12-SP2-LTSS (src): xen-4.7.6_05-43.45.1 SUSE Linux Enterprise Server 12-SP2-BCL (src): xen-4.7.6_05-43.45.1 SUSE Enterprise Storage 4 (src): xen-4.7.6_05-43.45.1
SUSE-SU-2019:0827-1: An update that solves 15 vulnerabilities and has 10 fixes is now available. Category: security (important) Bug References: 1027519,1056336,1105528,1108940,1110924,1111007,1111011,1111014,1112188,1114423,1114988,1115040,1115045,1115047,1117756,1123157,1126140,1126141,1126192,1126195,1126196,1126198,1126201,1127400,1129623 CVE References: CVE-2017-13672,CVE-2018-10839,CVE-2018-17958,CVE-2018-17962,CVE-2018-17963,CVE-2018-18438,CVE-2018-18849,CVE-2018-19665,CVE-2018-19961,CVE-2018-19962,CVE-2018-19965,CVE-2018-19966,CVE-2018-19967,CVE-2019-6778,CVE-2019-9824 Sources used: SUSE Linux Enterprise Server 12-LTSS (src): xen-4.4.4_40-22.77.1 *** NOTE: This information is not intended to be used for external communication, because this may only be a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:14011-1: An update that solves 14 vulnerabilities and has four fixes is now available. Category: security (important) Bug References: 1110924,1111007,1111011,1111014,1112188,1114423,1114988,1115040,1115045,1115047,1117756,1123157,1126140,1126141,1126192,1126195,1126196,1129623 CVE References: CVE-2018-10839,CVE-2018-17958,CVE-2018-17962,CVE-2018-17963,CVE-2018-18438,CVE-2018-18849,CVE-2018-19665,CVE-2018-19961,CVE-2018-19962,CVE-2018-19965,CVE-2018-19966,CVE-2018-19967,CVE-2019-6778,CVE-2019-9824 Sources used: SUSE Linux Enterprise Point of Sale 11-SP3 (src): xen-4.2.5_21-45.30.1 SUSE Linux Enterprise Debuginfo 11-SP3 (src): xen-4.2.5_21-45.30.1 *** NOTE: This information is not intended to be used for external communication, because this may only be a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2019:1226-1: An update that solves 8 vulnerabilities and has 15 fixes is now available. Category: security (important) Bug References: 1026236,1027519,1069468,1105528,1114988,1115040,1115045,1115047,1116380,1117756,1119161,1123157,1126140,1126141,1126192,1126195,1126196,1126197,1126198,1126201,1126325,1127400,1129623 CVE References: CVE-2018-19665,CVE-2018-19961,CVE-2018-19962,CVE-2018-19965,CVE-2018-19966,CVE-2018-19967,CVE-2019-6778,CVE-2019-9824 Sources used: openSUSE Leap 42.3 (src): xen-4.9.4_02-37.1
Resolved for SLE11-SP3 (Xen 4.2) and newer. Not yet submitted for SLE12-SP1 (Xen 4.5) but is queued up for when the next call for security submissions comes up.
did not see the 12-sp1 submisison in here, was it added?
(In reply to Marcus Meissner from comment #21) > did not see the 12-sp1 submisison in here, was it added? It was submitted several months ago but was not taken. Since then other security fixes have been added. New submission is SR#210587.
(In reply to Charles Arnold from comment #22) > (In reply to Marcus Meissner from comment #21) > > did not see the 12-sp1 submisison in here, was it added? > > It was submitted several months ago but was not taken. Since then other > security fixes have been added. > > New submission is SR#210587. and submitted again with 210590. This time with aarch64 disabled.
SUSE-SU-2020:0388-1: An update that fixes 25 vulnerabilities is now available. Category: security (important) Bug References: 1115045,1126140,1126141,1126192,1126195,1126196,1126201,1135905,1143797,1145652,1146874,1149813,1152497,1154448,1154456,1154458,1154461,1155945,1157888,1158003,1158004,1158005,1158006,1158007,1161181 CVE References: CVE-2018-12207,CVE-2018-19965,CVE-2019-11135,CVE-2019-12067,CVE-2019-12068,CVE-2019-12155,CVE-2019-14378,CVE-2019-15890,CVE-2019-17340,CVE-2019-17341,CVE-2019-17342,CVE-2019-17343,CVE-2019-17344,CVE-2019-17347,CVE-2019-18420,CVE-2019-18421,CVE-2019-18424,CVE-2019-18425,CVE-2019-19577,CVE-2019-19578,CVE-2019-19579,CVE-2019-19580,CVE-2019-19581,CVE-2019-19583,CVE-2020-7211 Sources used: SUSE Linux Enterprise Server for SAP 12-SP1 (src): xen-4.5.5_28-22.64.1 SUSE Linux Enterprise Server 12-SP1-LTSS (src): xen-4.5.5_28-22.64.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Backported and released to 11-SP3.
done