Bugzilla – Bug 1158007
VUL-0: CVE-2019-19577: xen: XSA-311 - dynamic height for the IOMMU pagetables
Last modified: 2024-04-15 12:22:05 UTC
now public through oss

Xen Security Advisory CVE-2019-19577 / XSA-311
version 4

Bugs in dynamic height handling for AMD IOMMU pagetables

UPDATES IN VERSION 4
====================

Public release.

Re-base 4.12 patch onto latest stable tree commits.

Updated metadata to add 4.13, update StableRef's

ISSUE DESCRIPTION
=================

When running on AMD systems with an IOMMU, Xen attempted to
dynamically adapt the number of levels of pagetables (the pagetable
height) in the IOMMU according to the guest's address space size. The
code to select and update the height had several bugs.

Notably, the update was done without taking a lock which is necessary
for safe operation.

IMPACT
======

A malicious guest administrator can cause Xen to access data
structures while they are being modified, causing Xen to crash.
Privilege escalation is thought to be very difficult but cannot be
ruled out.

Additionally, there is a potential memory leak of 4kb per guest boot,
under memory pressure.

VULNERABLE SYSTEMS
==================

Only Xen on AMD CPUs is vulnerable. Xen running on Intel CPUs is not
vulnerable. ARM systems are not vulnerable.

Only systems where guests are given direct access to physical devices
are vulnerable. Systems which do not use PCI pass-through are not
vulnerable.

Only HVM guests can exploit the vulnerability. PV and PVH guests
cannot.

All versions of Xen with IOMMU support are vulnerable.

MITIGATION
==========

In some configurations, use of passthrough can be replaced with a
higher-level protocol such as Xen PV block or network devices.
There is no other mitigation.

CREDITS
=======

This issue was discovered by Sander Eikelenboom, along with Andrew
Cooper of Citrix.

RESOLUTION
==========

Applying the appropriate (set of) attached patch(es) resolves this issue.

xsa311.patch           xen-unstable, Xen 4.13.x
xsa311-4.12.patch      Xen 4.12.x
xsa311-4.11.patch      Xen 4.11.x
xsa311-4.10-*.patch    Xen 4.10.x
xsa311-4.9-*.patch     Xen 4.9.x
xsa311-4.8-*.patch     Xen 4.8.x

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
SUSE-SU-2019:3297-1: An update that fixes 15 vulnerabilities is now available.

Category: security (important)
Bug References: 1152497,1154448,1154456,1154458,1154460,1154461,1154464,1155945,1157888,1158003,1158004,1158005,1158006,1158007
CVE References: CVE-2018-12207,CVE-2019-11135,CVE-2019-18420,CVE-2019-18421,CVE-2019-18422,CVE-2019-18423,CVE-2019-18424,CVE-2019-18425,CVE-2019-19577,CVE-2019-19578,CVE-2019-19579,CVE-2019-19580,CVE-2019-19581,CVE-2019-19582,CVE-2019-19583
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src): xen-4.9.4_06-3.59.1
SUSE OpenStack Cloud 8 (src): xen-4.9.4_06-3.59.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src): xen-4.9.4_06-3.59.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src): xen-4.9.4_06-3.59.1
SUSE Linux Enterprise Server 12-SP3-BCL (src): xen-4.9.4_06-3.59.1
SUSE Enterprise Storage 5 (src): xen-4.9.4_06-3.59.1
SUSE CaaS Platform 3.0 (src): xen-4.9.4_06-3.59.1
HPE Helion Openstack 8 (src): xen-4.9.4_06-3.59.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:3296-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 1158003,1158004,1158005,1158006,1158007
CVE References: CVE-2019-19577,CVE-2019-19578,CVE-2019-19580,CVE-2019-19581,CVE-2019-19582,CVE-2019-19583
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): xen-4.12.1_10-3.8.1
SUSE Linux Enterprise Server 12-SP5 (src): xen-4.12.1_10-3.8.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:3310-1: An update that fixes 10 vulnerabilities is now available.

Category: security (important)
Bug References: 1154460,1154461,1154464,1157888,1158003,1158004,1158005,1158006,1158007
CVE References: CVE-2019-18422,CVE-2019-18423,CVE-2019-18424,CVE-2019-19577,CVE-2019-19578,CVE-2019-19579,CVE-2019-19580,CVE-2019-19581,CVE-2019-19582,CVE-2019-19583
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src): xen-4.11.3_02-2.20.1
SUSE Linux Enterprise Server 12-SP4 (src): xen-4.11.3_02-2.20.1
SUSE Linux Enterprise Desktop 12-SP4 (src): xen-4.11.3_02-2.20.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:3309-1: An update that fixes 9 vulnerabilities is now available.

Category: security (important)
Bug References: 1154460,1154464,1157888,1158003,1158004,1158005,1158006,1158007
CVE References: CVE-2019-18422,CVE-2019-18423,CVE-2019-19577,CVE-2019-19578,CVE-2019-19579,CVE-2019-19580,CVE-2019-19581,CVE-2019-19582,CVE-2019-19583
Sources used:
SUSE Linux Enterprise Module for Server Applications 15 (src): xen-4.10.4_08-3.28.1
SUSE Linux Enterprise Module for Basesystem 15 (src): xen-4.10.4_08-3.28.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:3338-1: An update that solves 7 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1027519,1152497,1157047,1157888,1158003,1158004,1158005,1158006,1158007
CVE References: CVE-2019-19577,CVE-2019-19578,CVE-2019-19579,CVE-2019-19580,CVE-2019-19581,CVE-2019-19582,CVE-2019-19583
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP1 (src): xen-4.12.1_06-3.9.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): xen-4.12.1_06-3.9.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): xen-4.12.1_06-3.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2020:0334-1: An update that fixes 13 vulnerabilities is now available.

Category: security (important)
Bug References: 1152497,1154448,1154456,1154458,1154461,1155945,1157888,1158003,1158004,1158005,1158006,1158007,1161181
CVE References: CVE-2018-12207,CVE-2019-11135,CVE-2019-18420,CVE-2019-18421,CVE-2019-18424,CVE-2019-18425,CVE-2019-19577,CVE-2019-19578,CVE-2019-19579,CVE-2019-19580,CVE-2019-19581,CVE-2019-19583,CVE-2020-7211
Sources used:
SUSE OpenStack Cloud 7 (src): xen-4.7.6_06-43.59.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src): xen-4.7.6_06-43.59.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src): xen-4.7.6_06-43.59.1
SUSE Linux Enterprise Server 12-SP2-BCL (src): xen-4.7.6_06-43.59.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2020:0388-1: An update that fixes 25 vulnerabilities is now available.

Category: security (important)
Bug References: 1115045,1126140,1126141,1126192,1126195,1126196,1126201,1135905,1143797,1145652,1146874,1149813,1152497,1154448,1154456,1154458,1154461,1155945,1157888,1158003,1158004,1158005,1158006,1158007,1161181
CVE References: CVE-2018-12207,CVE-2018-19965,CVE-2019-11135,CVE-2019-12067,CVE-2019-12068,CVE-2019-12155,CVE-2019-14378,CVE-2019-15890,CVE-2019-17340,CVE-2019-17341,CVE-2019-17342,CVE-2019-17343,CVE-2019-17344,CVE-2019-17347,CVE-2019-18420,CVE-2019-18421,CVE-2019-18424,CVE-2019-18425,CVE-2019-19577,CVE-2019-19578,CVE-2019-19579,CVE-2019-19580,CVE-2019-19581,CVE-2019-19583,CVE-2020-7211
Sources used:
SUSE Linux Enterprise Server for SAP 12-SP1 (src): xen-4.5.5_28-22.64.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src): xen-4.5.5_28-22.64.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2020:1630-1: An update that fixes 12 vulnerabilities is now available.

Category: security (important)
Bug References: 1157888,1158003,1158004,1158005,1158006,1158007,1161181,1167152,1168140,1168142,1169392,1172205
CVE References: CVE-2019-19577,CVE-2019-19578,CVE-2019-19579,CVE-2019-19580,CVE-2019-19581,CVE-2019-19583,CVE-2020-0543,CVE-2020-11739,CVE-2020-11740,CVE-2020-11741,CVE-2020-11742,CVE-2020-7211
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src): xen-4.9.4_06-3.62.1
SUSE OpenStack Cloud 8 (src): xen-4.9.4_06-3.62.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src): xen-4.9.4_06-3.62.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src): xen-4.9.4_06-3.62.1
SUSE Linux Enterprise Server 12-SP3-BCL (src): xen-4.9.4_06-3.62.1
SUSE Enterprise Storage 5 (src): xen-4.9.4_06-3.62.1
HPE Helion Openstack 8 (src): xen-4.9.4_06-3.62.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2020:14444-1: An update that fixes 16 vulnerabilities is now available.

Category: security (important)
Bug References: 1152497,1154448,1154456,1154458,1154461,1155945,1157888,1158004,1158005,1158006,1158007,1161181,1163019,1168140,1169392,1174543
CVE References: CVE-2018-12207,CVE-2019-11135,CVE-2019-18420,CVE-2019-18421,CVE-2019-18424,CVE-2019-18425,CVE-2019-19577,CVE-2019-19578,CVE-2019-19579,CVE-2019-19580,CVE-2019-19583,CVE-2020-11740,CVE-2020-11741,CVE-2020-11742,CVE-2020-7211,CVE-2020-8608
JIRA References:
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src): xen-4.4.4_42-61.52.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): xen-4.4.4_42-61.52.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
(In reply to Alexandros Toptsoglou from comment #14)
> VULNERABLE SYSTEMS
> ==================
>
> Only Xen on AMD CPUs is vulnerable. Xen running on Intel CPUs is not
> vulnerable. ARM systems are not vulnerable.
>
> Only systems where guests are given direct access to physical devices
> are vulnerable. Systems which do not use PCI pass-through are not
> vulnerable.
>
> Only HVM guests can exploit the vulnerability. PV and PVH guests
> cannot.
>
> All versions of Xen with IOMMU support are vulnerable.

This was mis-classified - the problematic code was introduced in 4.1.
Backported and released to 11-SP3.
released