-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4064
             Issues with restartable PV type change operations
                              1 November 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Xen
Publisher:         Xen
Operating System:  Xen
Impact/Access:     Increased Privileges -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-18421  

Reference:         ESB-2019.4056

Original Bulletin: 
   http://xenbits.xen.org/xsa/advisory-299.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2019-18421 / XSA-299
                               version 4

           Issues with restartable PV type change operations

UPDATES IN VERSION 4
====================

Public release.

ISSUE DESCRIPTION
=================

To avoid using shadow pagetables for PV guests, Xen exposes the actual
hardware pagetables to the guest.  In order to prevent the guest from
modifying these page tables directly, Xen keeps track of how pages are
used using a type system; pages must be "promoted" before being used
as a pagetable, and "demoted" before being used for any other type.
Xen also allows for "recursive" promotions: i.e., an operating system
promoting a page to an L4 pagetable may end up causing pages to be
promoted to L3s, which may in turn cause pages to be promoted to L2s,
and so on.  These operations may take an arbitrarily large amount of
time, and so must be re-startable.

Unfortunately, making recursive pagetable promotion and demotion
operations restartable is incredibly complicated, and the code
contains several races which, if triggered, can cause Xen to drop or
retain extra type counts, potentially allowing guests to get write
access to in-use pagetables.

IMPACT
======

A malicious PV guest administrator may be able to escalate their
privilege to that of the host.

VULNERABLE SYSTEMS
==================

All x86 systems with untrusted PV guests are vulnerable.

HVM and PVH guests cannot exercise this vulnerability.
ARM systems are not vulnerable because ARM guests are all PVH.

All security-supported Xen versions are vulnerable.

Note that these attacks require very precise timing, which may
be difficult to exploit in practice.

MITIGATION
==========

Running only HVM or PVH guests will avoid this vulnerability.

Running PV guests in "shim" mode will also avoid this vulnerability.
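To act on the two mitigations above an operator first needs to know which running domains are PV and not in shim mode. The script below is an added example, not part of the Xen advisory or the AusCERT bulletin; it assumes the JSON layout that `xl list -l` prints (a list of objects with `domid` and `config`, where `config.c_info` carries `name` and `type` and `config.b_info.pvshim` is a libxl defbool serialised as the string "True", "False" or "<default>"). `SAMPLE_XL_LIST` is constructed, not captured from a real host.

```python
"""Inventory Xen domains by virtualisation type and flag those in scope
for XSA-299: PV guests that are not running under the PV shim. HVM and
PVH guests cannot exercise the issue and dom0 is the trusted control
domain, so neither is flagged. Added example; the `xl list -l` JSON
layout used here is an assumption about libxl's output."""
import json
import subprocess

def classify_domains(xl_list_json):
    """Return [(domid, name, type, in_scope)] for every domain in the
    `xl list -l` output. in_scope is True only for a PV guest (not dom0)
    whose b_info.pvshim is not explicitly enabled."""
    result = []
    for dom in json.loads(xl_list_json):
        domid = dom.get("domid")
        cfg = dom.get("config", {})
        c_info = cfg.get("c_info", {})
        b_info = cfg.get("b_info", {})
        dtype = c_info.get("type", "unknown")
        # Assumed defbool encoding: only an explicit "True" counts as shim mode;
        # "<default>" or "False" means the guest runs as a classic PV domain.
        shim = str(b_info.get("pvshim", "")).lower() == "true"
        in_scope = (dtype == "pv" and not shim and domid != 0)
        result.append((domid, c_info.get("name"), dtype, in_scope))
    return result

def pv_guests_in_scope(xl_list_json):
    """Names of the domains an administrator should migrate to HVM/PVH,
    run under the shim, or patch first."""
    return [name for _, name, _, scope in classify_domains(xl_list_json) if scope]

def live_inventory():
    """Run `xl list -l` on this host (needs privileges to talk to xl)."""
    out = subprocess.run(["xl", "list", "-l"], check=True,
                         capture_output=True, text=True).stdout
    return classify_domains(out)

# Constructed sample in the assumed `xl list -l` shape: dom0, one classic PV
# guest, one HVM guest, one PVH guest and one PV guest under the shim.
SAMPLE_XL_LIST = json.dumps([
    {"domid": 0, "config": {"c_info": {"name": "Domain-0", "type": "pv"},
                            "b_info": {"pvshim": "<default>"}}},
    {"domid": 3, "config": {"c_info": {"name": "build-pv", "type": "pv"},
                            "b_info": {"pvshim": "<default>"}}},
    {"domid": 5, "config": {"c_info": {"name": "win-hvm", "type": "hvm"},
                            "b_info": {"pvshim": "<default>"}}},
    {"domid": 7, "config": {"c_info": {"name": "pvh-guest", "type": "pvh"},
                            "b_info": {"pvshim": "<default>"}}},
    {"domid": 9, "config": {"c_info": {"name": "shim-pv", "type": "pv"},
                            "b_info": {"pvshim": "True"}}},
])

if __name__ == "__main__":
    for domid, name, dtype, scope in classify_domains(SAMPLE_XL_LIST):
        print("%3s  %-10s %-4s %s" % (domid, name, dtype,
                                      "IN SCOPE" if scope else "ok"))
```

Replace `SAMPLE_XL_LIST` with `live_inventory()` on a host to get the real list; a non-empty result from `pv_guests_in_scope` means the advisory applies until the patches are deployed.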

CREDITS
=======

This issue was discovered by George Dunlap of Citrix.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa299/*.patch           xen-unstable
xsa299-4.12/*.patch      Xen 4.12.x
xsa299-4.11/*.patch      Xen 4.11.x
xsa299-4.10/*.patch      Xen 4.10.x
xsa299-4.9/*.patch       Xen 4.9.x
xsa299-4.8/*.patch       Xen 4.8.x

$ sha256sum xsa299* xsa299*/*
687fb0f3273a424726edb4d249b79cfc45d1ef7000610405b11eaac49baecaa8  xsa299.meta
6c8f46e57f61a5e1e2e5e628a32e4c9ae144218ce475309811bb9900d3fdda48  xsa299-4.8/0001-x86-mm-Clean-up-trailing-whitespace.patch
3409e71ed7bc199bcda33892ea6f70fe257c4f3906d74b4a6f4352415daeedb0  xsa299-4.8/0002-x86-mm-L1TF-checks-don-t-leave-a-partial-entry.patch
1179fe0f1a591c542478bf8614501f8ddb67e342d7d452f6bff3b6a999f2b20f  xsa299-4.8/0003-x86-mm-Don-t-re-set-PGT_pinned-on-a-partially-de-val.patch
bc0352a1d82079c4072cc3871d0d397f7abb3c0480dfc3c5c542091d2ec7d7b0  xsa299-4.8/0004-x86-mm-Separate-out-partial_pte-tristate-into-indivi.patch
2b96857ef3e0f8259df7ad01600f1c30ca234668d6f26744c2ae0d3d7dded090  xsa299-4.8/0005-x86-mm-Use-flags-for-_put_page_type-rather-than-a-bo.patch
fe119a8255e23a86845fa1ac5f93afa25acdaff705061c172ea9e0589b0bc1a4  xsa299-4.8/0006-x86-mm-Rework-get_page_and_type_from_mfn-conditional.patch
562415d5fdb4e173443a2aa211094743a722ef1fe5a2d19c59cb3d329e101984  xsa299-4.8/0007-x86-mm-Have-alloc_l-23-_table-clear-partial_flags-wh.patch
454296ac46ea5feea8866101e7c953bf6dbd37a5275f7b006eeb6d22cbae387d  xsa299-4.8/0008-x86-mm-Always-retain-a-general-ref-on-partial.patch
f203a70da67f304c2ede516ef989b58ace6774eeee4eca919631c75f09860ba3  xsa299-4.8/0009-x86-mm-Collapse-PTF_partial_set-and-PTF_partial_gene.patch
1f4877c10ead99c51d822d29ebaed9774cdb97cca869fe1a1ccf905540e291c7  xsa299-4.8/0010-x86-mm-Properly-handle-linear-pagetable-promotion-fa.patch
733d260d731cce9902d66dc5b42ae9d10a319acda6dadcc426b6dfeba6e917da  xsa299-4.8/0011-x86-mm-Fix-nested-de-validation-on-error.patch
cd105c15e2fd915644cb7d31000df60e51d1054a807b575d5436ccb87c1e9a18  xsa299-4.8/0012-x86-mm-Don-t-drop-a-type-ref-unless-you-held-a-ref-t.patch
d8db456679e652f5a33a0a448d379e3a88b0cf7ce1415ee46007873cfb6f49b7  xsa299-4.9/0001-x86-mm-Clean-up-trailing-whitespace.patch
e54df901b5f13d70643938ff365a09a43725637511251efc3ac55c45b80016f5  xsa299-4.9/0002-x86-mm-L1TF-checks-don-t-leave-a-partial-entry.patch
8da540f32ff77f5871f646a6ef2847bc3adc2aecfa4698dcec4335b72e758616  xsa299-4.9/0003-x86-mm-Don-t-re-set-PGT_pinned-on-a-partially-de-val.patch
e97044ffb5edcc7f1094dd47e365f2f29971cacf784d8aaa9a0e42f770ca899d  xsa299-4.9/0004-x86-mm-Separate-out-partial_pte-tristate-into-indivi.patch
53977fd090d488f484e6191c6b68cbc59f771d8cf4aeb230b7b9f8ddc891a58e  xsa299-4.9/0005-x86-mm-Use-flags-for-_put_page_type-rather-than-a-bo.patch
d10b9d434d341ac380e8a9c6fc4b3ddec8baf8dec9d565c2e66867f8d05497ba  xsa299-4.9/0006-x86-mm-Rework-get_page_and_type_from_mfn-conditional.patch
7e01debdbe59cfa734e63b5c9d5c2799aa25f961f0d065ce8c8bdb64d577b164  xsa299-4.9/0007-x86-mm-Have-alloc_l-23-_table-clear-partial_flags-wh.patch
12f0732907547367645db6300cff959f15118b91503165dc2c66083769ac7e56  xsa299-4.9/0008-x86-mm-Always-retain-a-general-ref-on-partial.patch
06044bf56130dd845e08ed9af75f4aade186d48b1cea88d7862026bbe0bf51af  xsa299-4.9/0009-x86-mm-Collapse-PTF_partial_set-and-PTF_partial_gene.patch
2fea704a716d6ff8a589fba7bf5d71443e2b52f41f591f8173d50dcb3ba9a94b  xsa299-4.9/0010-x86-mm-Properly-handle-linear-pagetable-promotion-fa.patch
4bcfd94bdd77726e8ea1069081f5f544705b22752a185ee4e1f58c730a902b74  xsa299-4.9/0011-x86-mm-Fix-nested-de-validation-on-error.patch
580fa03182e40f122e3d21a5c71183b6a9500eae2afba490cf43514b75e15062  xsa299-4.9/0012-x86-mm-Don-t-drop-a-type-ref-unless-you-held-a-ref-t.patch
c3bde8f42e75c0f98c22938267f947d4729e7372510dededa3750699ac8cb2f5  xsa299-4.10/0001-x86-mm-L1TF-checks-don-t-leave-a-partial-entry.patch
0794fd0d20d71367977926f2393e354d4a43452a51f421616fa413acd68bf24a  xsa299-4.10/0002-x86-mm-Don-t-re-set-PGT_pinned-on-a-partially-de-val.patch
0591cd2fa566fcec43e2aa6e1cfb92629c816e55c7548b2534c5a7a84505cd06  xsa299-4.10/0003-x86-mm-Separate-out-partial_pte-tristate-into-indivi.patch
736966986c43bcdfcbf337fc87af6f430458bad5d105b33f7dfa0a1eb72f2416  xsa299-4.10/0004-x86-mm-Use-flags-for-_put_page_type-rather-than-a-bo.patch
416db71e950838dbf5d024ae9ba8bb6e6685314608543fd8df0516db7786b811  xsa299-4.10/0005-x86-mm-Rework-get_page_and_type_from_mfn-conditional.patch
7d84aaf129401faa863565df084e776413dd07ec440c1a67db961b8a147651a4  xsa299-4.10/0006-x86-mm-Have-alloc_l-23-_table-clear-partial_flags-wh.patch
59d37dc3cfd811bcbbedb72ca9d80eb2d460dce4e373e581c88fdb6b874b4111  xsa299-4.10/0007-x86-mm-Always-retain-a-general-ref-on-partial.patch
746156888f0dc4a75164cd668dd05fdf3d9b11cc96205785384f84ebcd1df4ae  xsa299-4.10/0008-x86-mm-Collapse-PTF_partial_set-and-PTF_partial_gene.patch
bcc54d2b0653e584c89c0d219d5cd82e94c2629033ea8f1b22dfd3f373267bf5  xsa299-4.10/0009-x86-mm-Properly-handle-linear-pagetable-promotion-fa.patch
4829ba66647d344f1eaad632fddab4c8c51db513d1ae18385dec195b86e76936  xsa299-4.10/0010-x86-mm-Fix-nested-de-validation-on-error.patch
7ad0b06d2748da4e4b317f4cc8c829c7fb451bf86ad778d97d231acff7cfd940  xsa299-4.10/0011-x86-mm-Don-t-drop-a-type-ref-unless-you-held-a-ref-t.patch
225fec9475b5992338ce19da982a759b3a551c653dbbb280295b00018a107d28  xsa299-4.11/0001-x86-mm-L1TF-checks-don-t-leave-a-partial-entry.patch
fa910f573bde107b90fef4568fa500bf875d7303ac93642ed8a135d639bf7f0e  xsa299-4.11/0002-x86-mm-Don-t-re-set-PGT_pinned-on-a-partially-de-val.patch
f5fcf8ab6940d85fe43de61463ff00bcf17a22b94da4f2b28fa45d714b0255d0  xsa299-4.11/0003-x86-mm-Separate-out-partial_pte-tristate-into-indivi.patch
e1e49d767f08889b518423935869332a40f87e824bb93a0c2707f1f99e9f0328  xsa299-4.11/0004-x86-mm-Use-flags-for-_put_page_type-rather-than-a-bo.patch
c0f5ce00516491b1f3d2eccf25fbd67d409d855e3d4b423490f1bc37b4477e87  xsa299-4.11/0005-x86-mm-Rework-get_page_and_type_from_mfn-conditional.patch
4562543c497c17cc3a793f67a75824043ca3dea69ccc456bf9f5546825282f0e  xsa299-4.11/0006-x86-mm-Have-alloc_l-23-_table-clear-partial_flags-wh.patch
90bc777691225eb4c55804702c2cd7f2913317b13334c27b9437ee60be672cca  xsa299-4.11/0007-x86-mm-Always-retain-a-general-ref-on-partial.patch
7903c9599ee47dc05647e5ec7a6ce3fe5e6331b527551286897429e97cf56f61  xsa299-4.11/0008-x86-mm-Collapse-PTF_partial_set-and-PTF_partial_gene.patch
c1ae9bad93e11a4a9253265318b67b45865e566b17ddd7f167bb88197a9b700c  xsa299-4.11/0009-x86-mm-Properly-handle-linear-pagetable-promotion-fa.patch
49a21bd396ab4af6b82aaa38dac733f4fde806587b5b126cd656f725b9c8eee7  xsa299-4.11/0010-x86-mm-Fix-nested-de-validation-on-error.patch
09df369fa52335e3e560af593d4e9843bab1da24aa1b4c905f9ea1ce8441af6e  xsa299-4.11/0011-x86-mm-Don-t-drop-a-type-ref-unless-you-held-a-ref-t.patch
d27f07eb0020181487ec9dda15c6331125d6b0505fdce1ae67c0a9b524159e11  xsa299-4.12/0001-x86-mm-L1TF-checks-don-t-leave-a-partial-entry.patch
00c2fb77366c427e226315cfb1cda1c67ce495ec8a0b400ff30924bc399bf283  xsa299-4.12/0002-x86-mm-Don-t-re-set-PGT_pinned-on-a-partially-de-val.patch
bc88c216e438af9e1dddf1e5374fd1c78c9867e8908ba3016c72d999aebaea4b  xsa299-4.12/0003-x86-mm-Separate-out-partial_pte-tristate-into-indivi.patch
cc6416c6311be82a2b89d5b14ceb9ecc6cb92ce9286bb03b91083c661186d28d  xsa299-4.12/0004-x86-mm-Use-flags-for-_put_page_type-rather-than-a-bo.patch
732fbb80a6fc6364945e1b6534c921d503e2369c3cd25f425096549b71f75fa0  xsa299-4.12/0005-x86-mm-Rework-get_page_and_type_from_mfn-conditional.patch
20e37b3712b66111193bed02b368aff2ee0e7896dd55b5e6c928fbc97ec618b3  xsa299-4.12/0006-x86-mm-Have-alloc_l-23-_table-clear-partial_flags-wh.patch
20bec098f3ad474093ce33e4ae5e8cee5ff9f8504107c8a4ff76f2731abbab13  xsa299-4.12/0007-x86-mm-Always-retain-a-general-ref-on-partial.patch
71addb8014eeb51a6adc4377aaa4b74ac611a28a6f62865f7020a536a1a9cbc5  xsa299-4.12/0008-x86-mm-Collapse-PTF_partial_set-and-PTF_partial_gene.patch
71bd7d75f7878571d4ea4351ea10f487a1c1a86765f67c85a25308d5df24a40e  xsa299-4.12/0009-x86-mm-Properly-handle-linear-pagetable-promotion-fa.patch
1e58d49f72c1eb158db08a17a3805e2144c0d468b6388a9a8795b67f80a699a5  xsa299-4.12/0010-x86-mm-Fix-nested-de-validation-on-error.patch
67594f941f8cecbc0ff87dfedbdbd43f4e4234d049c1a5d62143153ae96954c1  xsa299-4.12/0011-x86-mm-Don-t-drop-a-type-ref-unless-you-held-a-ref-t.patch
08179d90ea327bca328f3a45198c31166df2aa6fb459b148dd74c716c1d5bb88  xsa299/0001-x86-mm-L1TF-checks-don-t-leave-a-partial-entry.patch
d37e7b4dd3c9d7da14a287d9fe6807f81d95bba8bdab79b729ed5aa3350fad70  xsa299/0002-x86-mm-Don-t-re-set-PGT_pinned-on-a-partially-de-val.patch
660fc01fb09aee7628d65d7893ec11bf77cfe79543e390656b59f0e60334d058  xsa299/0003-x86-mm-Separate-out-partial_pte-tristate-into-indivi.patch
2dc6ad4233ec572ba21632ab80b6149541f3169affb792e31930e3f7c6e72fc6  xsa299/0004-x86-mm-Use-flags-for-_put_page_type-rather-than-a-bo.patch
175fd90422bf00879de2129cd1a86bbdeb1c15ff344d286ab9634bc3f1512c03  xsa299/0005-x86-mm-Rework-get_page_and_type_from_mfn-conditional.patch
afa26c8850085412a787d7f0cb3031f15181ee2c9b3b1a9b4a007bff7404457f  xsa299/0006-x86-mm-Have-alloc_l-23-_table-clear-partial_flags-wh.patch
6f0502b2377db2115faf9c7bcbf35898013dcec74170950c3aa7a0586ff1e174  xsa299/0007-x86-mm-Always-retain-a-general-ref-on-partial.patch
787c3eeaadfed46947fb17773fa8f9e9efe891658d7460eaf5291a4ca6155123  xsa299/0008-x86-mm-Collapse-PTF_partial_set-and-PTF_partial_gene.patch
77341c4d0ab62fbb7090d2a6b60902467563ae470ac0807ef40a3ac791d2933a  xsa299/0009-x86-mm-Properly-handle-linear-pagetable-promotion-fa.patch
e489f49f8783fb388161365072da585c049e05d80306cf963cec5ecbb3bc67c7  xsa299/0010-x86-mm-Fix-nested-de-validation-on-error.patch
17b9ae71c150747bff4d57eee8a918b1961e880e25ae2b9c0dbe933e005cb1a0  xsa299/0011-x86-mm-Don-t-drop-a-type-ref-unless-you-held-a-ref-t.patch
$
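Before applying the patches, the downloaded tree should be checked against the `sha256sum` listing above so that a truncated or tampered patch is noticed. The script below is an added example, not code from the advisory; it parses the same `<hex>  <path>` format that `sha256sum` prints (prompt lines are skipped) and hashes each listed file. The `SAMPLE_MANIFEST` and the files `demo()` creates are constructed so the check can be exercised without the real patch set: the two digests are SHA-256 of the empty string and of `b"abc"`.

```python
"""Verify a downloaded XSA patch tree against the advisory's sha256sum
listing. Added example; SAMPLE_MANIFEST and the demo files are constructed."""
import hashlib
import os
import re
import tempfile

# One "<64 hex chars><two spaces><path>" line per file, as sha256sum prints.
MANIFEST_LINE = re.compile(r"^([0-9a-f]{64})\s{2}(\S.*)$")

def parse_manifest(text):
    """Return {relative_path: expected_hex}. Shell prompt lines
    ('$ sha256sum ...', '$') are ignored; any other line that does not
    match is an error so a mangled or cut-off listing is not silently
    accepted."""
    expected = {}
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("$"):
            continue
        m = MANIFEST_LINE.match(line)
        if not m:
            raise ValueError("malformed manifest line: %r" % line)
        expected[m.group(2)] = m.group(1)
    return expected

def sha256_file(path):
    """Stream the file through SHA-256; hexdigest() is lowercase."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_tree(root, expected):
    """Check every manifest entry relative to root.
    Returns (ok, mismatched, missing) lists of manifest paths."""
    ok, mismatched, missing = [], [], []
    for rel, digest in sorted(expected.items()):
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            missing.append(rel)
        elif sha256_file(path) == digest:
            ok.append(rel)
        else:
            mismatched.append(rel)
    return ok, mismatched, missing

# Constructed listing in the advisory's format; the digests are those of
# "" (xsa299.meta) and b"abc" (the sample patch), not of real XSA files.
SAMPLE_MANIFEST = """\
$ sha256sum xsa299* xsa299*/*
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  xsa299.meta
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  xsa299/0001-example.patch
$
"""

def demo():
    """Lay out the sample tree, verify it, then append one byte to the
    patch and verify again; returns both (ok, mismatched, missing) results."""
    expected = parse_manifest(SAMPLE_MANIFEST)
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "xsa299"))
        open(os.path.join(root, "xsa299.meta"), "wb").close()
        patch = os.path.join(root, "xsa299", "0001-example.patch")
        with open(patch, "wb") as f:
            f.write(b"abc")
        clean = verify_tree(root, expected)
        with open(patch, "ab") as f:
            f.write(b"\n")          # a single extra byte must be reported
        tampered = verify_tree(root, expected)
    return clean, tampered

if __name__ == "__main__":
    clean, tampered = demo()
    print("clean tree   :", clean)
    print("tampered tree:", tampered)
```

On a real download, paste the advisory's listing into a file and call `verify_tree(".", parse_manifest(open("manifest").read()))` from the directory containing `xsa299.meta`; any path in the mismatched or missing lists should be re-fetched from xenbits before patching.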

NOTE ON RESOLUTION
==================

Even with these fixes, the code is still very complicated.  After the
embargo is up, we plan to try getting rid of automatic recursive
pagetable promotion entirely, instead requiring guest operating
systems to promote pages one-by-one themselves.  This would obviate
the need to have restartable operations, greatly simplifying the
reference counting code.

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
- -----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAl2601kMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZiYAIAMx46nYNIJ5KwV4rCKkBW1O/EDOc5dqt9PjlIKWR
PbJ4rrs9ZObvRh1Xw7nNM/leexHNYClWGAGPp/pLOyfF4nw/9B13jMF0C39vP4Fd
FMzM0jKyZreWTU38NqkrAVHbawyZNkS//1PITZy6LvA+DvwsHBz34qFsUX8Fw3vd
pu7izoozEFCzTie0zrUqwKV7yIyJ+3u3b/SjGuou0nxrbyIGuz/HIxazcFxJWwZh
4Zww3yKWMvXVedg8a2ZP5Fi+8+ePurOKz6g48gOWYefCPYXASrEaAf6s2WUp9Yi1
akddy2WIHzqd3HfOqEVKE5y8bjVvEft7mOIqOVeJBpEzh1s=
=633F
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----