Bugzilla – Bug 1177409
VUL-0: CVE-2020-27674: xen: x86 PV guest INVLPG-like flushes may leave stale TLB entries (XSA-286 v5)
Last modified: 2024-04-15 13:03:06 UTC
now public through https://xenbits.xen.org/xsa/advisory-286.html

Xen Security Advisory XSA-286
version 4

x86 PV guest INVLPG-like flushes may leave stale TLB entries

UPDATES IN VERSION 4
====================

Warn about performance impact.

Public release.

ISSUE DESCRIPTION
=================

x86 PV guest kernels may use hypercalls with INVLPG-like behavior to invalidate TLB entries even after changes to non-leaf page tables. Such changes to non-leaf page tables will, however, also render stale possible TLB entries created by Xen's internal use of linear page tables to process guest requests like update-va-mapping. Invalidation of these TLB entries has been missing, allowing subsequent guest requests to change address mappings for one process to potentially modify memory meanwhile in use elsewhere.

IMPACT
======

Malicious x86 PV guest user mode may be able to escalate their privilege to that of the guest kernel.

VULNERABLE SYSTEMS
==================

All versions of Xen expose the vulnerability.

The vulnerability is exposed to x86 PV guests only. x86 HVM/PVH guests as well as ARM ones are not vulnerable.

MITIGATION
==========

There is no known mitigation.

CREDITS
=======

This issue was discovered by Jann Horn of Google Project Zero.

RESOLUTION
==========

Applying the appropriate set of attached patches resolves this issue.

Note that these patches are known to produce serious performance problems for at least some workloads. Work is ongoing to improve the performance, and this XSA will be updated when new patches are available.

xsa286/*.patch           xen-unstable
xsa286-4.14/*.patch      Xen 4.14.x
xsa286-4.13/*.patch      Xen 4.13.x
xsa286-4.12/*.patch      Xen 4.12.x
xsa286-4.11/*.patch      Xen 4.11.x
xsa286-4.10/*.patch      Xen 4.10.x
SUSE-SU-2020:3052-1: An update that fixes four vulnerabilities is now available.
Category: security (important)
Bug References: 1177409,1177412,1177413,1177414
CVE References: CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27673
JIRA References:
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src): xen-4.10.4_18-3.44.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src): xen-4.10.4_18-3.44.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): xen-4.10.4_18-3.44.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2020:3049-1: An update that fixes four vulnerabilities is now available.
Category: security (important)
Bug References: 1177409,1177412,1177413,1177414
CVE References: CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27673
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP2 (src): xen-4.13.1_10-3.13.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src): xen-4.13.1_10-3.13.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2020:3050-1: An update that fixes four vulnerabilities is now available.
Category: security (important)
Bug References: 1177409,1177412,1177413,1177414
CVE References: CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27673
JIRA References:
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): xen-4.12.3_10-3.27.1
SUSE Linux Enterprise Server 12-SP5 (src): xen-4.12.3_10-3.27.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2020:3051-1: An update that fixes four vulnerabilities is now available.
Category: security (important)
Bug References: 1177409,1177412,1177413,1177414
CVE References: CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27673
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP1 (src): xen-4.12.3_10-3.31.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): xen-4.12.3_10-3.31.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2020:3088-1: An update that fixes four vulnerabilities is now available.
Category: security (important)
Bug References: 1177409,1177412,1177413,1177414
CVE References: CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27673
JIRA References:
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src): xen-4.11.4_10-2.39.2
SUSE OpenStack Cloud 9 (src): xen-4.11.4_10-2.39.2
SUSE Linux Enterprise Server for SAP 12-SP4 (src): xen-4.11.4_10-2.39.2
SUSE Linux Enterprise Server 12-SP4-LTSS (src): xen-4.11.4_10-2.39.2
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2020:1783-1: An update that fixes four vulnerabilities is now available.
Category: security (important)
Bug References: 1177409,1177412,1177413,1177414
CVE References: CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27673
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): xen-4.13.1_10-lp152.2.12.1
Xen Security Advisory XSA-286
version 5

x86 PV guest INVLPG-like flushes may leave stale TLB entries

UPDATES IN VERSION 5
====================

Patches rewritten to use a completely different approach.

The patches supplied in XSA-286 version 4 were found to have a significant performance impact. An alternative approach was developed and has now been committed to the relevant Xen branches. The alternative approach is simpler and mitigates the performance problems.

At the time of writing the patches in XSA-286 v4 are believed to be correct and sound, but if we discover that this is not the case we will not issue a further update.

We recommend the use of the patches provided in the Xen git branches, which are the same as those attached in this version of the advisory.

ISSUE DESCRIPTION
=================

x86 PV guest kernels may use hypercalls with INVLPG-like behavior to invalidate TLB entries even after changes to non-leaf page tables. Such changes to non-leaf page tables will, however, also render stale possible TLB entries created by Xen's internal use of linear page tables to process guest requests like update-va-mapping. Invalidation of these TLB entries has been missing, allowing subsequent guest requests to change address mappings for one process to potentially modify memory meanwhile in use elsewhere.

IMPACT
======

Malicious x86 PV guest user mode may be able to escalate their privilege to that of the guest kernel.

VULNERABLE SYSTEMS
==================

All versions of Xen expose the vulnerability.

The vulnerability is exposed to x86 PV guests only. x86 HVM/PVH guests as well as ARM ones are not vulnerable.

MITIGATION
==========

There is no known mitigation.

CREDITS
=======

This issue was discovered by Jann Horn of Google Project Zero.

RESOLUTION
==========

Applying the appropriate set of attached patches resolves this issue.

xsa286-unstable/*.patch  xen-unstable
xsa286-4.14/*.patch      Xen 4.14.x
xsa286-4.13/*.patch      Xen 4.13.x
xsa286-4.12/*.patch      Xen 4.12.x
xsa286-4.11/*.patch      Xen 4.11.x
xsa286-4.10/*.patch      Xen 4.10.x
Created attachment 843303: xsa286v5
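The ISSUE DESCRIPTION in the advisory above, as a conceptual model (an added example, not Xen code and not the XSA-286 patch). Every name in it is hypothetical: the toy keeps one cached linear-map translation and shows that a later update-va-mapping style write follows it into the old leaf table unless that entry is invalidated along with the INVLPG-like flush.

```c
#include <stdio.h>
#define N_PTE 4

/* Toy machine: two leaf (L1) page-table frames behind one non-leaf slot. */
struct vm {
    unsigned long l1[2][N_PTE]; /* leaf tables: frame 0 and frame 1 */
    int l2_slot;                /* non-leaf entry: which L1 frame is live */
    int tlb_lin_frame;          /* cached linear-map translation, -1 = none */
};

/* Hypervisor-side pointer to the guest's L1 entry via the linear map. */
static unsigned long *linear_pte(struct vm *m, int idx)
{
    if (m->tlb_lin_frame < 0)           /* TLB miss: walk via the non-leaf slot */
        m->tlb_lin_frame = m->l2_slot;
    return &m->l1[m->tlb_lin_frame][idx];
}

/* Model of an update-va-mapping style request. */
static void update_va_mapping(struct vm *m, int idx, unsigned long val)
{
    *linear_pte(m, idx) = val;
}

/* INVLPG-like flush; the guest-VA TLB entry itself is not modelled. */
static void invlpg_like(struct vm *m, int also_flush_linear)
{
    if (also_flush_linear)
        m->tlb_lin_frame = -1;
}

/* Returns 1 if the second update lands in the frame the guest moved away from. */
int stale_write_reaches_old_frame(int also_flush_linear)
{
    struct vm m = { .l2_slot = 0, .tlb_lin_frame = -1 };
    update_va_mapping(&m, 1, 0x1000);   /* caches linear-map entry -> frame 0 */
    m.l2_slot = 1;                      /* non-leaf change: frame 1 is now live */
    m.l1[0][1] = 0xAAAA;                /* frame 0 meanwhile in use elsewhere */
    invlpg_like(&m, also_flush_linear);
    update_va_mapping(&m, 1, 0x2000);
    return m.l1[0][1] == 0x2000;
}

int main(void)
{
    printf("stale write without/with linear-map flush: %d/%d\n",
           stale_write_reaches_old_frame(0), stale_write_reaches_old_frame(1));
    return 0;
}
```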
openSUSE-SU-2020:1844-1: An update that fixes four vulnerabilities is now available.
Category: security (important)
Bug References: 1177409,1177412,1177413,1177414
CVE References: CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27673
JIRA References:
Sources used:
openSUSE Leap 15.1 (src): xen-4.12.3_10-lp151.2.27.1
SUSE-SU-2020:3611-1: An update that solves 5 vulnerabilities and has one errata is now available.
Category: security (important)
Bug References: 1177409,1177412,1177413,1177414,1178591,1178963
CVE References: CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27674,CVE-2020-28368
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP1 (src): xen-4.12.4_04-3.37.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): xen-4.12.4_04-3.37.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2020:3615-1: An update that solves 5 vulnerabilities and has one errata is now available.
Category: security (important)
Bug References: 1177409,1177412,1177413,1177414,1178591,1178963
CVE References: CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27674,CVE-2020-28368
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP2 (src): xen-4.13.2_04-3.19.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src): xen-4.13.2_04-3.19.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2020:3627-1: An update that solves 5 vulnerabilities and has one errata is now available.
Category: security (important)
Bug References: 1177409,1177412,1177413,1177414,1178591,1178963
CVE References: CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27674,CVE-2020-28368
JIRA References:
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src): xen-4.10.4_22-3.50.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src): xen-4.10.4_22-3.50.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): xen-4.10.4_22-3.50.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2020:2162-1: An update that solves 5 vulnerabilities and has one errata is now available.
Category: security (important)
Bug References: 1177409,1177412,1177413,1177414,1178591,1178963
CVE References: CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27674,CVE-2020-28368
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): xen-4.13.2_04-lp152.2.18.1
SUSE-SU-2020:3631-1: An update that solves 5 vulnerabilities and has one errata is now available.
Category: security (important)
Bug References: 1177409,1177412,1177413,1177414,1178591,1178963
CVE References: CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27674,CVE-2020-28368
JIRA References:
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src): xen-4.9.4_14-3.77.1
SUSE OpenStack Cloud 8 (src): xen-4.9.4_14-3.77.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src): xen-4.9.4_14-3.77.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src): xen-4.9.4_14-3.77.1
SUSE Linux Enterprise Server 12-SP3-BCL (src): xen-4.9.4_14-3.77.1
SUSE Enterprise Storage 5 (src): xen-4.9.4_14-3.77.1
HPE Helion Openstack 8 (src): xen-4.9.4_14-3.77.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2020:2192-1: An update that solves 5 vulnerabilities and has one errata is now available.
Category: security (important)
Bug References: 1177409,1177412,1177413,1177414,1178591,1178963
CVE References: CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27674,CVE-2020-28368
JIRA References:
Sources used:
openSUSE Leap 15.1 (src): xen-4.12.4_04-lp151.2.33.1
SUSE-SU-2020:3653-1: An update that solves 5 vulnerabilities and has one errata is now available.
Category: security (important)
Bug References: 1177409,1177412,1177413,1177414,1178591,1178963
CVE References: CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27674,CVE-2020-28368
JIRA References:
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src): xen-4.11.4_14-2.45.1
SUSE OpenStack Cloud 9 (src): xen-4.11.4_14-2.45.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src): xen-4.11.4_14-2.45.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src): xen-4.11.4_14-2.45.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2020:14557-1: An update that solves 6 vulnerabilities and has one errata is now available.
Category: security (important)
Bug References: 1177409,1177412,1177413,1177414,1178591,1178935,1178963
CVE References: CVE-2020-25723,CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27674,CVE-2020-28368
JIRA References:
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src): xen-4.4.4_46-61.58.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): xen-4.4.4_46-61.58.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2020:3742-1: An update that solves 5 vulnerabilities and has one errata is now available.
Category: security (important)
Bug References: 1177409,1177412,1177413,1177414,1178591,1178963
CVE References: CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27674,CVE-2020-28368
JIRA References:
Sources used:
SUSE OpenStack Cloud 7 (src): xen-4.7.6_12-43.70.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src): xen-4.7.6_12-43.70.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src): xen-4.7.6_12-43.70.1
SUSE Linux Enterprise Server 12-SP2-BCL (src): xen-4.7.6_12-43.70.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Backported and released to 11-SP1.
done