Bugzilla – Bug 1177412
VUL-0: CVE-2020-27672: xen: Race condition in Xen mapping code (XSA-345 v3)
Last modified: 2024-04-15 13:03:17 UTC
now public through https://xenbits.xen.org/xsa/advisory-345.html

Xen Security Advisory XSA-345
version 3

x86: Race condition in Xen mapping code

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

The Xen code handling the updating of the hypervisor's own pagetables
tries to use 2MiB and 1GiB superpages as much as possible to maximize
TLB efficiency. Some of the operations for checking and coalescing
superpages take non-negligible amount of time; to avoid potential lock
contention, this code also tries to avoid holding locks for the entire
operation.

Unfortunately, several potential race conditions were not considered;
precisely-timed guest actions could potentially lead to the code
writing to a page which has been freed (and thus potentially already
reused).

IMPACT
======

A malicious guest can cause a host denial-of-service. Data corruption
or privilege escalation cannot be ruled out.

VULNERABLE SYSTEMS
==================

Versions of Xen from at least 3.2 onward are affected.

Only x86 systems are vulnerable. ARM systems are not vulnerable.

Guests can only exercise the vulnerability if they have passed through
hardware devices. Guests without passthrough configured cannot exploit
the vulnerability.

Furthermore, HVM and PVH guests can only exercise the vulnerability if
they are running in shadow mode, and only when running on VT-x capable
hardware (as opposed to SVM). This is believed to be Intel, Centaur
and Shanghai CPUs.

MITIGATION
==========

Running all guests in HVM or PVH mode, in each case with HAP enabled,
prevents those guests from exploiting the vulnerability.

CREDITS
=======

This issue was discovered by Hongyan Xia of Amazon.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball. Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa345/*.patch         xen-unstable
xsa345-4.14/*.patch    Xen 4.14.x
xsa345-4.13/*.patch    Xen 4.12.x, Xen 4.13.x
xsa345-4.11/*.patch    Xen 4.11.x
xsa345-4.10/*.patch    Xen 4.10.x

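
Added example (not part of the advisory or of any comment on this bug): the VULNERABLE SYSTEMS conditions above applied to xl domain configuration text, to triage which guests on an unpatched x86 host can reach the race. It reads only single-line `type`, `builder`, `hap` and `pci` settings, takes `hap = 0` as the indicator of shadow mode, and the sample configs and the `host_is_vtx` parameter are constructed for illustration.

```python
import re

# Constructed sample xl domain configs (not taken from the bug report).
PV_PASSTHROUGH = 'name = "pv1"\npci = [ "0000:03:00.0" ]\n'
HVM_SHADOW = 'type = "hvm"\nhap = 0  # shadow paging\npci = [ "0000:03:00.0" ]\n'
HVM_HAP = 'type = "hvm"\npci = [ "0000:03:00.0" ]\n'


def parse_xl_cfg(text):
    """Collect single-line `key = value` settings, dropping trailing comments."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s*=\s*([^#]+)", line)
        if m:
            cfg[m.group(1)] = m.group(2).strip().strip("\"'")
    return cfg


def xsa345_exposure(cfg_text, host_is_vtx=True):
    """Return (exposed, reason) following the advisory's stated conditions."""
    cfg = parse_xl_cfg(cfg_text)
    # No passthrough device means the guest cannot exercise the bug at all.
    # A `pci = [` list continued on later lines still counts as non-empty.
    if re.sub(r"\s", "", cfg.get("pci", "[]")) == "[]":
        return False, "no passthrough devices configured"
    # xl creates a PV guest unless `type` (or legacy `builder`) says otherwise.
    gtype = cfg.get("type") or ("hvm" if cfg.get("builder") == "hvm" else "pv")
    if gtype == "pv":
        return True, "PV guest with passthrough"
    # HVM/PVH: only shadow mode is affected, and only on VT-x hardware.
    if cfg.get("hap", "1") != "0":
        return False, f"{gtype} guest with HAP enabled"
    if host_is_vtx:
        return True, f"{gtype} guest in shadow mode on VT-x"
    return False, f"{gtype} guest in shadow mode, host is not VT-x"


if __name__ == "__main__":
    for name, text in (("pv1", PV_PASSTHROUGH), ("hvm-shadow", HVM_SHADOW),
                       ("hvm-hap", HVM_HAP)):
        print(name, xsa345_exposure(text))
```

Devices attached at runtime do not appear in the config file, so a "not exposed" result from static config should be confirmed against the running guest.
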
SUSE-SU-2020:3052-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1177409,1177412,1177413,1177414
CVE References: CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27673
JIRA References:
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src): xen-4.10.4_18-3.44.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src): xen-4.10.4_18-3.44.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): xen-4.10.4_18-3.44.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2020:3049-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1177409,1177412,1177413,1177414
CVE References: CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27673
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP2 (src): xen-4.13.1_10-3.13.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src): xen-4.13.1_10-3.13.1

SUSE-SU-2020:3050-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1177409,1177412,1177413,1177414
CVE References: CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27673
JIRA References:
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): xen-4.12.3_10-3.27.1
SUSE Linux Enterprise Server 12-SP5 (src): xen-4.12.3_10-3.27.1

SUSE-SU-2020:3051-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1177409,1177412,1177413,1177414
CVE References: CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27673
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP1 (src): xen-4.12.3_10-3.31.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): xen-4.12.3_10-3.31.1

SUSE-SU-2020:3088-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1177409,1177412,1177413,1177414
CVE References: CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27673
JIRA References:
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src): xen-4.11.4_10-2.39.2
SUSE OpenStack Cloud 9 (src): xen-4.11.4_10-2.39.2
SUSE Linux Enterprise Server for SAP 12-SP4 (src): xen-4.11.4_10-2.39.2
SUSE Linux Enterprise Server 12-SP4-LTSS (src): xen-4.11.4_10-2.39.2

openSUSE-SU-2020:1783-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1177409,1177412,1177413,1177414
CVE References: CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27673
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): xen-4.13.1_10-lp152.2.12.1

openSUSE-SU-2020:1844-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1177409,1177412,1177413,1177414
CVE References: CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27673
JIRA References:
Sources used:
openSUSE Leap 15.1 (src): xen-4.12.3_10-lp151.2.27.1

SUSE-SU-2020:3611-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1177409,1177412,1177413,1177414,1178591,1178963
CVE References: CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27674,CVE-2020-28368
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP1 (src): xen-4.12.4_04-3.37.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): xen-4.12.4_04-3.37.1

SUSE-SU-2020:3615-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1177409,1177412,1177413,1177414,1178591,1178963
CVE References: CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27674,CVE-2020-28368
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP2 (src): xen-4.13.2_04-3.19.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src): xen-4.13.2_04-3.19.1

SUSE-SU-2020:3627-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1177409,1177412,1177413,1177414,1178591,1178963
CVE References: CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27674,CVE-2020-28368
JIRA References:
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src): xen-4.10.4_22-3.50.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src): xen-4.10.4_22-3.50.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): xen-4.10.4_22-3.50.1

openSUSE-SU-2020:2162-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1177409,1177412,1177413,1177414,1178591,1178963
CVE References: CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27674,CVE-2020-28368
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): xen-4.13.2_04-lp152.2.18.1

SUSE-SU-2020:3631-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1177409,1177412,1177413,1177414,1178591,1178963
CVE References: CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27674,CVE-2020-28368
JIRA References:
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src): xen-4.9.4_14-3.77.1
SUSE OpenStack Cloud 8 (src): xen-4.9.4_14-3.77.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src): xen-4.9.4_14-3.77.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src): xen-4.9.4_14-3.77.1
SUSE Linux Enterprise Server 12-SP3-BCL (src): xen-4.9.4_14-3.77.1
SUSE Enterprise Storage 5 (src): xen-4.9.4_14-3.77.1
HPE Helion Openstack 8 (src): xen-4.9.4_14-3.77.1

openSUSE-SU-2020:2192-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1177409,1177412,1177413,1177414,1178591,1178963
CVE References: CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27674,CVE-2020-28368
JIRA References:
Sources used:
openSUSE Leap 15.1 (src): xen-4.12.4_04-lp151.2.33.1

SUSE-SU-2020:3653-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1177409,1177412,1177413,1177414,1178591,1178963
CVE References: CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27674,CVE-2020-28368
JIRA References:
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src): xen-4.11.4_14-2.45.1
SUSE OpenStack Cloud 9 (src): xen-4.11.4_14-2.45.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src): xen-4.11.4_14-2.45.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src): xen-4.11.4_14-2.45.1

SUSE-SU-2020:14557-1: An update that solves 6 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1177409,1177412,1177413,1177414,1178591,1178935,1178963
CVE References: CVE-2020-25723,CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27674,CVE-2020-28368
JIRA References:
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src): xen-4.4.4_46-61.58.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): xen-4.4.4_46-61.58.1

SUSE-SU-2020:3742-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1177409,1177412,1177413,1177414,1178591,1178963
CVE References: CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27674,CVE-2020-28368
JIRA References:
Sources used:
SUSE OpenStack Cloud 7 (src): xen-4.7.6_12-43.70.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src): xen-4.7.6_12-43.70.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src): xen-4.7.6_12-43.70.1
SUSE Linux Enterprise Server 12-SP2-BCL (src): xen-4.7.6_12-43.70.1

Backported and released to 11-SP1.
done