Bugzilla – Bug 1176343
VUL-0: CVE-2020-25604: xen: race when migrating timers between x86 HVM vCPU-s (XSA-336 v3)
Last modified: 2024-04-15 12:36:25 UTC
Created attachment 841523 [details] xsa336.patch xsa336.patch
Created attachment 841524 [details] xsa336-4.11.patch xsa336-4.11.patch
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory CVE-2020-25604 / XSA-336 version 3 race when migrating timers between x86 HVM vCPU-s UPDATES IN VERSION 3 ==================== Public release. ISSUE DESCRIPTION ================= When migrating timers of x86 HVM guests between its vCPU-s, the locking model used allows for a second vCPU of the same guest also operating on the timers to release a lock that it didn't acquire. IMPACT ====== The most likely effect of the issue is a hang or crash of the hypervisor, i.e. a Denial of Service (DoS). VULNERABLE SYSTEMS ================== All versions of Xen are affected. Only x86 systems are vulnerable. Arm systems are not vulnerable. Only x86 HVM guests can leverage the vulnerability. x86 PV and PVH cannot leverage the vulnerability. Only guests with more than one vCPU can exploit the vulnerability. MITIGATION ========== Running only PV and PVH guests will avoid the vulnerability. CREDITS ======= This issue was discovered by Igor Druzhinin of Citrix. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. Note that patches for released versions are generally prepared to apply to the stable branches, and may not apply cleanly to the most recent release tarball. Downstreams are encouraged to update to the tip of the stable branch before applying these patches. xsa336.patch Xen 4.12 - xen-unstable xsa336-4.11.patch Xen 4.10 - 4.11 $ sha256sum xsa336* 6cb13a54c2b0fcb6948a1c4045095da4e43aad262a1dd8993ea2a3bd90d4c72d xsa336.meta ecb59876fb92cfe0916ed5f3227a30efe038224c1f6ec36bc3706c4e2214552c xsa336.patch c0c7983bfd70eb54277af9fddfcc3cc95bbd745d92d9ffb71d5b32281c437510 xsa336-4.11.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAl9p/eYMHHBncEB4ZW4u b3JnAAoJEIP+FMlX6CvZe28H/3oTZLe4eVhykU7a+BbN7ENJ2WMYsj0VM5wUiQyK ZrY3CnbO0ne6h0BeAgSNG1XRP9QvwJLOIm6gZkqoNCWyJK2IbCO/mlF4czBlpUBR FtM2wJz4FLzkiYMozk8TOZk6pCW6gaqxNiYr2L/3ijh2PQCMwnte/u+T3mZAAWxB nJbVnwux26nvRY/5XBZ7cZ/Qxi1DKed2cyf2A9oZ/AmGIMBT2r6SZ+arf+d4jHRG yQok+7gdXr1lOL/pPZZWepHtbPJMrrYxQZN/zKGt20c9ksBLiOyyQxTO4tegLx7N PxRgzy+DgY+xqYFA68xpM6jJxfWYmHpjAtbYtQoPvyPsIag= =0Kkw -----END PGP SIGNATURE-----
SUSE-SU-2020:2789-1: An update that fixes 8 vulnerabilities is now available. Category: security (important) Bug References: 1176343,1176344,1176345,1176346,1176347,1176348,1176349,1176350 CVE References: CVE-2020-25595,CVE-2020-25596,CVE-2020-25597,CVE-2020-25599,CVE-2020-25600,CVE-2020-25601,CVE-2020-25603,CVE-2020-25604 JIRA References: Sources used: SUSE Linux Enterprise Server for SAP 15 (src): xen-4.10.4_16-3.41.1 SUSE Linux Enterprise High Performance Computing 15-LTSS (src): xen-4.10.4_16-3.41.1 SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): xen-4.10.4_16-3.41.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2020:2786-1: An update that solves 10 vulnerabilities and has one errata is now available. Category: security (important) Bug References: 1027519,1175534,1176339,1176343,1176344,1176345,1176346,1176347,1176348,1176349,1176350 CVE References: CVE-2020-14364,CVE-2020-25595,CVE-2020-25596,CVE-2020-25597,CVE-2020-25599,CVE-2020-25600,CVE-2020-25601,CVE-2020-25602,CVE-2020-25603,CVE-2020-25604 JIRA References: Sources used: SUSE OpenStack Cloud Crowbar 9 (src): xen-4.11.4_08-2.36.1 SUSE OpenStack Cloud 9 (src): xen-4.11.4_08-2.36.1 SUSE Linux Enterprise Server for SAP 12-SP4 (src): xen-4.11.4_08-2.36.1 SUSE Linux Enterprise Server 12-SP4-LTSS (src): xen-4.11.4_08-2.36.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2020:2791-1: An update that solves 10 vulnerabilities and has one errata is now available. Category: security (important) Bug References: 1027519,1176339,1176341,1176343,1176344,1176345,1176346,1176347,1176348,1176349,1176350 CVE References: CVE-2020-25595,CVE-2020-25596,CVE-2020-25597,CVE-2020-25598,CVE-2020-25599,CVE-2020-25600,CVE-2020-25601,CVE-2020-25602,CVE-2020-25603,CVE-2020-25604 JIRA References: Sources used: SUSE Linux Enterprise Module for Server Applications 15-SP2 (src): xen-4.13.1_08-3.10.1 SUSE Linux Enterprise Module for Basesystem 15-SP2 (src): xen-4.13.1_08-3.10.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2020:2787-1: An update that fixes 9 vulnerabilities is now available. Category: security (important) Bug References: 1175534,1176343,1176344,1176345,1176346,1176347,1176348,1176349,1176350 CVE References: CVE-2020-14364,CVE-2020-25595,CVE-2020-25596,CVE-2020-25597,CVE-2020-25599,CVE-2020-25600,CVE-2020-25601,CVE-2020-25603,CVE-2020-25604 JIRA References: Sources used: SUSE OpenStack Cloud Crowbar 8 (src): xen-4.9.4_12-3.74.1 SUSE OpenStack Cloud 8 (src): xen-4.9.4_12-3.74.1 SUSE Linux Enterprise Server for SAP 12-SP3 (src): xen-4.9.4_12-3.74.1 SUSE Linux Enterprise Server 12-SP3-LTSS (src): xen-4.9.4_12-3.74.1 SUSE Linux Enterprise Server 12-SP3-BCL (src): xen-4.9.4_12-3.74.1 SUSE Enterprise Storage 5 (src): xen-4.9.4_12-3.74.1 HPE Helion Openstack 8 (src): xen-4.9.4_12-3.74.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2020:2790-1: An update that solves 10 vulnerabilities and has one errata is now available. Category: security (important) Bug References: 1027519,1176339,1176341,1176343,1176344,1176345,1176346,1176347,1176348,1176349,1176350 CVE References: CVE-2020-25595,CVE-2020-25596,CVE-2020-25597,CVE-2020-25598,CVE-2020-25599,CVE-2020-25600,CVE-2020-25601,CVE-2020-25602,CVE-2020-25603,CVE-2020-25604 JIRA References: Sources used: SUSE Linux Enterprise Module for Server Applications 15-SP1 (src): xen-4.12.3_08-3.28.1 SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): xen-4.12.3_08-3.28.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2020:2788-1: An update that solves 11 vulnerabilities and has one errata is now available. Category: security (important) Bug References: 1027519,1175534,1176339,1176341,1176343,1176344,1176345,1176346,1176347,1176348,1176349,1176350 CVE References: CVE-2020-14364,CVE-2020-25595,CVE-2020-25596,CVE-2020-25597,CVE-2020-25598,CVE-2020-25599,CVE-2020-25600,CVE-2020-25601,CVE-2020-25602,CVE-2020-25603,CVE-2020-25604 JIRA References: Sources used: SUSE Linux Enterprise Software Development Kit 12-SP5 (src): xen-4.12.3_08-3.24.1 SUSE Linux Enterprise Server 12-SP5 (src): xen-4.12.3_08-3.24.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2020:2822-1: An update that fixes 12 vulnerabilities is now available. Category: security (important) Bug References: 1172205,1173378,1173380,1175534,1176343,1176344,1176345,1176346,1176347,1176348,1176349,1176350 CVE References: CVE-2020-0543,CVE-2020-14364,CVE-2020-15565,CVE-2020-15567,CVE-2020-25595,CVE-2020-25596,CVE-2020-25597,CVE-2020-25599,CVE-2020-25600,CVE-2020-25601,CVE-2020-25603,CVE-2020-25604 JIRA References: Sources used: SUSE OpenStack Cloud 7 (src): xen-4.7.6_10-43.67.1 SUSE Linux Enterprise Server for SAP 12-SP2 (src): xen-4.7.6_10-43.67.1 SUSE Linux Enterprise Server 12-SP2-LTSS (src): xen-4.7.6_10-43.67.1 SUSE Linux Enterprise Server 12-SP2-BCL (src): xen-4.7.6_10-43.67.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2020:1608-1: An update that solves 10 vulnerabilities and has one errata is now available. Category: security (important) Bug References: 1027519,1176339,1176341,1176343,1176344,1176345,1176346,1176347,1176348,1176349,1176350 CVE References: CVE-2020-25595,CVE-2020-25596,CVE-2020-25597,CVE-2020-25598,CVE-2020-25599,CVE-2020-25600,CVE-2020-25601,CVE-2020-25602,CVE-2020-25603,CVE-2020-25604 JIRA References: Sources used: openSUSE Leap 15.2 (src): xen-4.13.1_08-lp152.2.9.1
SUSE-SU-2020:14521-1: An update that fixes 11 vulnerabilities is now available. Category: security (important) Bug References: 1172205,1173378,1173380,1175534,1176343,1176344,1176345,1176346,1176347,1176348,1176350 CVE References: CVE-2020-0543,CVE-2020-14364,CVE-2020-15565,CVE-2020-15567,CVE-2020-25595,CVE-2020-25596,CVE-2020-25597,CVE-2020-25600,CVE-2020-25601,CVE-2020-25603,CVE-2020-25604 JIRA References: Sources used: SUSE Linux Enterprise Server 11-SP4-LTSS (src): xen-4.4.4_44-61.55.1 SUSE Linux Enterprise Debuginfo 11-SP4 (src): xen-4.4.4_44-61.55.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Backported and released to 11-SP1.
done