Bug 1179514 (CVE-2020-29570) - VUL-0: CVE-2020-29570: xen: FIFO event channels control block related ordering (XSA-358 v4)
Summary: VUL-0: CVE-2020-29570: xen: FIFO event channels control block related orderin...
Status: RESOLVED FIXED
Alias: CVE-2020-29570
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/272614/
Whiteboard: CVSSv3.1:SUSE:CVE-2020-29570:6.5:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2020-12-02 09:50 UTC by Robert Frohl
Modified: 2024-04-15 14:21 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
XSA-358-v5.zip (2.77 KB, application/octet-stream)
2020-12-16 17:13 UTC, Wolfgang Frisch
Comment 6 Wolfgang Frisch 2020-12-15 13:17:57 UTC
via oss-security:


            Xen Security Advisory CVE-2020-29570 / XSA-358
                               version 4

          FIFO event channels control block related ordering

UPDATES IN VERSION 4
====================

Public release.

ISSUE DESCRIPTION
=================

Recording of the per-vCPU control block mapping maintained by Xen and
that of pointers into the control block is reversed.  The consumer
assumes, seeing the former initialized, that the latter are also ready
for use.

IMPACT
======

Malicious or buggy guest kernels can mount a Denial of Service (DoS)
attack affecting the entire system.

VULNERABLE SYSTEMS
==================

All Xen versions from 4.4 onwards are vulnerable.  Xen versions 4.3 and
earlier are not vulnerable.

MITIGATION
==========

There is no known mitigation.

CREDITS
=======

This issue was discovered by Julien Grall of Amazon.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa358.patch           xen-unstable - 4.10

$ sha256sum xsa358*
c8392659f71ea31574f9f82ab80a37e1359e8b8178d7b060167500bfb134eecc  xsa358.meta
ee719ff8dbf30794ddac1464267cb47c1aac7e39da32d82263f4aebc1a9b509b  xsa358.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
Comment 7 Wolfgang Frisch 2020-12-16 17:13:50 UTC
Created attachment 844544
XSA-358-v5.zip


            Xen Security Advisory CVE-2020-29570 / XSA-358
                               version 5

          FIFO event channels control block related ordering

UPDATES IN VERSION 5
====================

"Unstable" patch updated (needed re-basing).

ISSUE DESCRIPTION
=================

Recording of the per-vCPU control block mapping maintained by Xen and
that of pointers into the control block is reversed.  The consumer
assumes, seeing the former initialized, that the latter are also ready
for use.

IMPACT
======

Malicious or buggy guest kernels can mount a Denial of Service (DoS)
attack affecting the entire system.

VULNERABLE SYSTEMS
==================

All Xen versions from 4.4 onwards are vulnerable.  Xen versions 4.3 and
earlier are not vulnerable.

MITIGATION
==========

There is no known mitigation.

CREDITS
=======

This issue was discovered by Julien Grall of Amazon.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa358.patch           xen-unstable
xsa358-4.14.patch      Xen 4.14 - 4.10

$ sha256sum xsa358*
0e8428a52e9bedafb2d8cbbb8dffae4e882e4b0898e4e7df3576c99e0e607167  xsa358.meta
c0763c85287d138a02dc795aa5d2e903ca7efc641390bee53ea2f7473f4f95af  xsa358.patch
937a3786d3d0147aef63eed373ed1df9ede75d1fabf5ad8f6ccaacfbf7fbcf42  xsa358-4.14.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
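The ordering problem from the advisory's ISSUE DESCRIPTION, as a simplified C11 model added here for illustration; it is not Xen code and not the XSA-358 patch. The names `vcpu_fifo`, `publish`, `consumer_view`, `has_torn_window` and the value of `NR_QUEUES` are hypothetical, and C11 release/acquire atomics stand in for whatever barriers the hypervisor uses.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>

#define NR_QUEUES 4  /* constructed value for the model */
struct control_block { uint32_t head[NR_QUEUES]; };
struct vcpu_fifo {
    _Atomic(struct control_block *) cb;  /* "mapping": what the consumer tests */
    uint32_t *queue_head[NR_QUEUES];     /* pointers into the control block */
};
enum view { NOT_READY, READY, TORN };

/* Performs only the first 'steps' of the NR_QUEUES + 1 writes, so the state a
 * concurrent consumer could observe part-way through can be inspected.
 * mapping_first = true is the reversed order; false is pointers, then mapping. */
static void publish(struct vcpu_fifo *f, struct control_block *cb,
                    bool mapping_first, int steps)
{
    if (mapping_first && steps-- > 0)
        atomic_store_explicit(&f->cb, cb, memory_order_release);
    for (int i = 0; i < NR_QUEUES && steps > 0; i++, steps--)
        f->queue_head[i] = &cb->head[i];
    if (!mapping_first && steps > 0)  /* release pairs with the acquire below */
        atomic_store_explicit(&f->cb, cb, memory_order_release);
}

static enum view consumer_view(struct vcpu_fifo *f)
{
    if (!atomic_load_explicit(&f->cb, memory_order_acquire))
        return NOT_READY;                /* consumer backs off */
    for (int i = 0; i < NR_QUEUES; i++)
        if (!f->queue_head[i])
            return TORN;                 /* mapping visible, pointer not set */
    return READY;
}

/* True if halting the writer after some number of steps leaves a TORN view. */
static bool has_torn_window(bool mapping_first)
{
    for (int steps = 0; steps <= NR_QUEUES + 1; steps++) {
        struct control_block cb = {{0}};
        struct vcpu_fifo f = {0};
        publish(&f, &cb, mapping_first, steps);
        if (consumer_view(&f) == TORN)
            return true;
    }
    return false;
}

/* Exit status 0: the pointers-then-mapping order has no torn window. */
int main(void) { return has_torn_window(false); }
```

The model steps the writer deterministically instead of racing threads; on real hardware the release store and acquire load are what keep the pointer writes from being observed after the mapping.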
Comment 8 Swamp Workflow Management 2020-12-16 20:19:03 UTC
SUSE-SU-2020:14578-1: An update that fixes 8 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1179477,1179496,1179498,1179501,1179502,1179506,1179514,1179516
CVE References: CVE-2020-29130,CVE-2020-29480,CVE-2020-29481,CVE-2020-29483,CVE-2020-29484,CVE-2020-29566,CVE-2020-29570,CVE-2020-29571
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    xen-4.4.4_48-61.61.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    xen-4.4.4_48-61.61.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Swamp Workflow Management 2020-12-18 20:21:48 UTC
SUSE-SU-2020:3881-1: An update that solves 7 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1027519,1176782,1179496,1179498,1179501,1179502,1179506,1179514,1179516
CVE References: CVE-2020-29480,CVE-2020-29481,CVE-2020-29483,CVE-2020-29484,CVE-2020-29566,CVE-2020-29570,CVE-2020-29571
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP1 (src):    xen-4.12.4_06-3.40.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    xen-4.12.4_06-3.40.1

Comment 11 Swamp Workflow Management 2020-12-18 20:23:39 UTC
SUSE-SU-2020:3880-1: An update that solves 9 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1027519,1163019,1176782,1179477,1179496,1179498,1179501,1179502,1179506,1179514,1179516
CVE References: CVE-2020-29130,CVE-2020-29480,CVE-2020-29481,CVE-2020-29483,CVE-2020-29484,CVE-2020-29566,CVE-2020-29570,CVE-2020-29571,CVE-2020-8608
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    xen-4.12.4_06-3.36.1
SUSE Linux Enterprise Server 12-SP5 (src):    xen-4.12.4_06-3.36.1

Comment 12 Swamp Workflow Management 2020-12-22 11:16:22 UTC
openSUSE-SU-2020:2313-1: An update that solves 7 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1027519,1176782,1179496,1179498,1179501,1179502,1179506,1179514,1179516
CVE References: CVE-2020-29480,CVE-2020-29481,CVE-2020-29483,CVE-2020-29484,CVE-2020-29566,CVE-2020-29570,CVE-2020-29571
JIRA References: 
Sources used:
openSUSE Leap 15.1 (src):    xen-4.12.4_06-lp151.2.36.1
Comment 13 Swamp Workflow Management 2020-12-22 17:22:36 UTC
SUSE-SU-2020:3916-1: An update that solves 7 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1027519,1176782,1179496,1179498,1179501,1179502,1179506,1179514,1179516
CVE References: CVE-2020-29480,CVE-2020-29481,CVE-2020-29483,CVE-2020-29484,CVE-2020-29566,CVE-2020-29570,CVE-2020-29571
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    xen-4.10.4_24-3.53.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    xen-4.10.4_24-3.53.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    xen-4.10.4_24-3.53.1

Comment 14 Swamp Workflow Management 2020-12-22 17:24:22 UTC
SUSE-SU-2020:3913-1: An update that solves 8 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1027519,1176782,1179477,1179496,1179498,1179501,1179502,1179506,1179514,1179516
CVE References: CVE-2020-29130,CVE-2020-29480,CVE-2020-29481,CVE-2020-29483,CVE-2020-29484,CVE-2020-29566,CVE-2020-29570,CVE-2020-29571
JIRA References: 
Sources used:
SUSE OpenStack Cloud 7 (src):    xen-4.7.6_14-43.73.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    xen-4.7.6_14-43.73.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    xen-4.7.6_14-43.73.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    xen-4.7.6_14-43.73.1

Comment 15 Swamp Workflow Management 2020-12-22 17:26:07 UTC
SUSE-SU-2020:3914-1: An update that solves 8 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1027519,1176782,1179477,1179496,1179498,1179501,1179502,1179506,1179514,1179516
CVE References: CVE-2020-29130,CVE-2020-29480,CVE-2020-29481,CVE-2020-29483,CVE-2020-29484,CVE-2020-29566,CVE-2020-29570,CVE-2020-29571
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    xen-4.11.4_16-2.48.1
SUSE OpenStack Cloud 9 (src):    xen-4.11.4_16-2.48.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    xen-4.11.4_16-2.48.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    xen-4.11.4_16-2.48.1

Comment 16 Swamp Workflow Management 2020-12-22 17:29:26 UTC
SUSE-SU-2020:3915-1: An update that solves 7 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1027519,1176782,1179496,1179498,1179501,1179502,1179506,1179514,1179516
CVE References: CVE-2020-29480,CVE-2020-29481,CVE-2020-29483,CVE-2020-29484,CVE-2020-29566,CVE-2020-29570,CVE-2020-29571
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP2 (src):    xen-4.13.2_06-3.22.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    xen-4.13.2_06-3.22.1

Comment 17 Swamp Workflow Management 2020-12-26 11:17:09 UTC
openSUSE-SU-2020:2331-1: An update that solves 7 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1027519,1176782,1179496,1179498,1179501,1179502,1179506,1179514,1179516
CVE References: CVE-2020-29480,CVE-2020-29481,CVE-2020-29483,CVE-2020-29484,CVE-2020-29566,CVE-2020-29570,CVE-2020-29571
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    xen-4.13.2_06-lp152.2.21.1
Comment 18 Swamp Workflow Management 2020-12-29 17:17:09 UTC
SUSE-SU-2020:3945-1: An update that solves 8 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1027519,1176782,1179477,1179496,1179498,1179501,1179502,1179506,1179514,1179516
CVE References: CVE-2020-29130,CVE-2020-29480,CVE-2020-29481,CVE-2020-29483,CVE-2020-29484,CVE-2020-29566,CVE-2020-29570,CVE-2020-29571
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    xen-4.9.4_16-3.80.1
SUSE OpenStack Cloud 8 (src):    xen-4.9.4_16-3.80.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    xen-4.9.4_16-3.80.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    xen-4.9.4_16-3.80.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    xen-4.9.4_16-3.80.1
SUSE Enterprise Storage 5 (src):    xen-4.9.4_16-3.80.1
HPE Helion Openstack 8 (src):    xen-4.9.4_16-3.80.1

Comment 21 Charles Arnold 2021-01-22 21:02:20 UTC
Backported and released to 11-SP3.
Comment 22 Marcus Meissner 2024-04-15 14:21:44 UTC
released