Source: Ubuntu.com (ubuntucve), UB:CVE-2019-19578
History: Dec 11, 2019 - 12:00 a.m.

CVE-2019-19578


CVSS3: 8.8 High
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVSS2: 7.2 High
Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.0004 Low
Percentile: 13.3%

An issue was discovered in Xen through 4.12.x allowing x86 PV guest OS
users to cause a denial of service via degenerate chains of linear
pagetables, because of an incorrect fix for CVE-2017-15595.

“Linear pagetables” is a technique which involves pointing a pagetable
either at itself, or at another pagetable of the same or higher level. Xen
has limited support for linear pagetables: a page may either point to
itself, or point to another pagetable of the same level (i.e., L2 to L2,
L3 to L3, and so on).

XSA-240 introduced an additional restriction that limited the “depth” of
such chains by allowing pages to either point to other pages of the same
level, or be pointed to by other pages of the same level, but not both. To
implement this, we keep track of the number of outstanding times a page
points to or is pointed to by another page table, to prevent both from
happening at the same time. Unfortunately, the original commit introducing
this reset this count when resuming validation of a partially-validated
pagetable, incorrectly dropping some “linear_pt_entry” counts. If an
attacker could engineer such a situation to occur, they might be able to
make loops or other arbitrary chains of linear pagetables, as described in
XSA-240.

A malicious or buggy PV guest may cause the hypervisor to crash, resulting
in Denial of Service (DoS) affecting the entire host. Privilege escalation
and information leaks cannot be excluded.

All versions of Xen are vulnerable. Only x86 systems are affected. Arm
systems are not affected. Only x86 PV guests can leverage the
vulnerability. x86 HVM and PVH guests cannot leverage the vulnerability.

Only systems which have enabled linear pagetables are vulnerable. Systems
which have disabled linear pagetables, either by selecting
CONFIG_PV_LINEAR_PT=n when building the hypervisor, or adding
pv-linear-pt=false on the command-line, are not vulnerable.
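
As an added example (not part of the advisory or of Xen's own tooling), the shell function below classifies a Xen hypervisor command line by whether the pv-linear-pt=false mitigation described above is in effect. The function name, the sample command lines, the extra boolean spellings (0/no/off/disable and the no- prefix), and the rule that an absent or unrecognised option counts as enabled are assumptions; a build with CONFIG_PV_LINEAR_PT=n cannot be detected this way.

```shell
#!/bin/sh
# Added example: report whether linear pagetables are disabled on a Xen
# hypervisor command line. Prints "disabled" or "enabled".
# Assumption: boolean spellings beyond "false" follow Xen's usual
# command-line boolean handling; the last occurrence of the option wins.
# Runs in a subshell "( ... )" so that "set -f" (no globbing while
# word-splitting the command line) does not leak into the caller.
linear_pt_state() (
    set -f
    state=enabled            # assumption: option absent => not mitigated
    for tok in $1; do
        case "$tok" in
            pv-linear-pt)    state=enabled ;;
            no-pv-linear-pt) state=disabled ;;
            pv-linear-pt=*)
                case "${tok#pv-linear-pt=}" in
                    0|no|off|false|disable) state=disabled ;;
                    1|yes|on|true|enable)   state=enabled ;;
                    # unrecognised value: leave the previous state alone
                esac ;;
        esac
    done
    echo "$state"
)

# Constructed sample command lines (not taken from any real host).
for sample in \
    "dom0_mem=4096M,max:4096M pv-linear-pt=false" \
    "dom0_mem=4096M,max:4096M console=vga" \
    "pv-linear-pt=false loglvl=all pv-linear-pt=true"
do
    printf '%-55s -> %s\n' "$sample" "$(linear_pt_state "$sample")"
done

# On a live dom0 the running hypervisor's command line can be read with:
#   xl info | sed -n 's/^xen_commandline[[:space:]]*:[[:space:]]*//p'
```

A result of "enabled" on a host that runs x86 PV guests means the command-line mitigation is not in place.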

Notes

Author Note
mdeslaur: hypervisor packages are in universe. For issues in the hypervisor, add appropriate tags to each section, ex: Tags_xen: universe-binary

OS | Version | Architecture | Package | Version | Filename
ubuntu | 18.04 | noarch | xen | < any | UNKNOWN
ubuntu | 16.04 | noarch | xen | < any | UNKNOWN
