missing preemption in x86 PV page table unvalidation

2019-03-05T12:00:00
ID XSA-290
Type xen
Reporter Xen Project
Modified 2019-03-05T12:24:00

Description

ISSUE DESCRIPTION

XSA-273 changes required, among other things, making any PTE updates restartable. The changes making PTE updates restartable assumed that L2 pagetables would always be promoted preemptibly; but this turns out not to be the case when using the 'linear pagetable' feature; the result was that interrupted operations are not handled properly in certain cases. Furthermore, previous security work making pagetable update preemptible failed to account for 'linear pagetables' at L3 and L4 levels, making it possible for operations to run for longer than acceptable times.

IMPACT

Malicious or buggy x86 PV guest kernels can mount a Denial of Service (DoS) attack affecting the whole system.

VULNERABLE SYSTEMS

All Xen versions are vulnerable. Only x86 systems are affected. ARM systems are not affected. Only Xen versions which permit linear page table use by PV guests are vulnerable. Only x86 PV guests can leverage this vulnerability. x86 HVM guests cannot leverage this vulnerability.