Bugzilla – Bug 965315
VUL-0: CVE-2016-2270: xen: x86: inconsistent cachability flags on guest mappings (XSA-154)
Last modified: 2021-01-21 18:28:06 UTC
Created attachment 664586 [details] upstream patch ISSUE DESCRIPTION ================= Multiple mappings of the same physical page with different cachability setting can cause problems. While one category (risk of using stale data) affects only guests themselves (and hence avoiding this can be left for them to control), the other category being Machine Check exceptions can be fatal to entire hosts. According to the information we were able to gather, only mappings of MMIO pages may surface this second category, but even for them there were cases where the hypervisor did not properly enforce consistent cachability. IMPACT ====== A malicious guest administrator might be able to cause a reboot, denying service to the entire host. VULNERABLE SYSTEMS ================== All Xen versions are affected. Only x86 guests given control over some physical device can trigger this vulnerability. x86 systems are vulnerable. ARM systems are not vulnerable. The vulnerability depends on the system response to mapping the same memory with different cacheability. On some systems this is harmless; on others, depending on CPU and chipset, it may be fatal. MITIGATION ========== Not handing physical devices to guests will also avoid this issue. RESOLUTION ========== Applying the attached patch resolves this issue to the best of our knowledge. However, no formal description of CPU behavior in the cases of interest was provided to us by Intel, and no response at all was received from AMD to a respective inquiry. However, unfortunately, we are aware of a potential performance regression with this patch on some systems. This patch might cause the performance regression even if no hardware passthrough is configured This depends on the peripherals present in the system, and the behaviour of the drivers used for those peripherals. A resolution without this potential performance regression is not currently available. xsa154.patch xen-unstable, Xen 4.6.x $ sha256sum xsa154* 4c21b532ba7f00716e4155693ad25619ebc726dbe877d008f424e67df2b7fe60 xsa154.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patch described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. However deployment of the mitigations described above is NOT permitted (except where all the affected systems and VMs are administered and used only by organisations which are members of the Xen Project Security Issues Predisclosure List). Specifically, deployment on public cloud systems is NOT permitted. This is because the configuration change would be visible to the guest, which could lead to the rediscovery of the vulnerability. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team.
bugbot adjusting priority
This is CVE-2016-2270
public: http://seclists.org/oss-sec/2016/q1/356
This bug may be included in one or more of the submissions listed below. SUSE:SLE-12-SP1:Update: 98638 SUSE:SLE-12:Update: 98642 SUSE:SLE-11-SP4:Update: 98646 SUSE:SLE-11-SP3:Update: 98650 SUSE:SLE-11-SP2:Update: 98654 SUSE:SLE-11-SP1:Update:Teradata: 98658 SUSE:SLE-11-SP1:Update: 98662 SUSE:SLE-10-SP4:Update:Test: 98666 SUSE:SLE-10-SP3:Update:Test: 98670 openSUSE:Factory: 362063 openSUSE:Leap:42.1:Update: 362057 openSUSE:13.2:Update: 362060
SUSE-SU-2016:0873-1: An update that solves 43 vulnerabilities and has 5 fixes is now available. Category: security (important) Bug References: 864391,864655,864769,864805,864811,877642,897654,901508,902737,924018,928393,945404,945989,954872,956829,957162,957698,957988,958007,958009,958491,958523,958917,959005,959332,959387,959695,960334,960707,960725,960835,960861,960862,961332,961358,961691,962320,963782,963923,964413,965315,965317,967012,967013,967969,969121,969122,969350 CVE References: CVE-2013-4533,CVE-2013-4534,CVE-2013-4537,CVE-2013-4538,CVE-2013-4539,CVE-2014-0222,CVE-2014-3640,CVE-2014-3689,CVE-2014-7815,CVE-2014-9718,CVE-2015-1779,CVE-2015-5278,CVE-2015-6855,CVE-2015-7512,CVE-2015-7549,CVE-2015-8345,CVE-2015-8504,CVE-2015-8550,CVE-2015-8554,CVE-2015-8555,CVE-2015-8558,CVE-2015-8567,CVE-2015-8568,CVE-2015-8613,CVE-2015-8619,CVE-2015-8743,CVE-2015-8744,CVE-2015-8745,CVE-2015-8817,CVE-2015-8818,CVE-2016-1568,CVE-2016-1570,CVE-2016-1571,CVE-2016-1714,CVE-2016-1922,CVE-2016-1981,CVE-2016-2198,CVE-2016-2270,CVE-2016-2271,CVE-2016-2391,CVE-2016-2392,CVE-2016-2538,CVE-2016-2841 Sources used: SUSE Linux Enterprise Software Development Kit 12-SP1 (src): xen-4.5.2_06-7.1 SUSE Linux Enterprise Server 12-SP1 (src): xen-4.5.2_06-7.1 SUSE Linux Enterprise Desktop 12-SP1 (src): xen-4.5.2_06-7.1
SUSE-SU-2016:0955-1: An update that solves 46 vulnerabilities and has 5 fixes is now available. Category: security (important) Bug References: 864391,864655,864673,864678,864682,864769,864805,864811,877642,897654,901508,902737,924018,928393,945404,945989,954872,956829,957162,957988,958007,958009,958491,958523,958917,959005,959387,959695,959928,960334,960707,960725,960835,960861,960862,961332,961358,961691,962320,963782,963923,964413,965315,965317,967012,967013,967630,967969,969121,969122,969350 CVE References: CVE-2013-4527,CVE-2013-4529,CVE-2013-4530,CVE-2013-4533,CVE-2013-4534,CVE-2013-4537,CVE-2013-4538,CVE-2013-4539,CVE-2014-0222,CVE-2014-3640,CVE-2014-3689,CVE-2014-7815,CVE-2014-9718,CVE-2015-1779,CVE-2015-5278,CVE-2015-6855,CVE-2015-7512,CVE-2015-7549,CVE-2015-8345,CVE-2015-8504,CVE-2015-8550,CVE-2015-8554,CVE-2015-8555,CVE-2015-8558,CVE-2015-8567,CVE-2015-8568,CVE-2015-8613,CVE-2015-8619,CVE-2015-8743,CVE-2015-8744,CVE-2015-8745,CVE-2015-8817,CVE-2015-8818,CVE-2016-1568,CVE-2016-1570,CVE-2016-1571,CVE-2016-1714,CVE-2016-1922,CVE-2016-1981,CVE-2016-2198,CVE-2016-2270,CVE-2016-2271,CVE-2016-2391,CVE-2016-2392,CVE-2016-2538,CVE-2016-2841 Sources used: SUSE Linux Enterprise Software Development Kit 11-SP4 (src): xen-4.4.4_02-32.1 SUSE Linux Enterprise Server 11-SP4 (src): xen-4.4.4_02-32.1 SUSE Linux Enterprise Desktop 11-SP4 (src): xen-4.4.4_02-32.1 SUSE Linux Enterprise Debuginfo 11-SP4 (src): xen-4.4.4_02-32.1
An update workflow for this issue was started. This issue was rated as low. Please submit fixed packages until 2016-05-06. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/62613
openSUSE-SU-2016:0995-1: An update that fixes 33 vulnerabilities is now available. Category: security (important) Bug References: 944463,944697,945989,956829,960334,960707,960725,960835,960861,960862,961332,961358,961691,962335,962360,962611,962627,962632,962642,962758,963782,964413,964431,964452,964644,964925,964929,964950,965156,965315,965317,967012,967969 CVE References: CVE-2013-4529,CVE-2013-4530,CVE-2013-4533,CVE-2013-4534,CVE-2013-4537,CVE-2013-4538,CVE-2013-4539,CVE-2014-0222,CVE-2014-3689,CVE-2014-7815,CVE-2014-9718,CVE-2015-1779,CVE-2015-5239,CVE-2015-5278,CVE-2015-6815,CVE-2015-6855,CVE-2015-7512,CVE-2015-8345,CVE-2015-8613,CVE-2015-8619,CVE-2015-8743,CVE-2015-8744,CVE-2015-8745,CVE-2016-1568,CVE-2016-1570,CVE-2016-1571,CVE-2016-1714,CVE-2016-1981,CVE-2016-2198,CVE-2016-2270,CVE-2016-2271,CVE-2016-2392,CVE-2016-2538 Sources used: openSUSE 13.2 (src): xen-4.4.4_02-43.1
SUSE-SU-2016:1154-1: An update that solves 26 vulnerabilities and has two fixes is now available. Category: security (important) Bug References: 864391,864655,864769,864805,864811,877642,897654,901508,902737,945989,957162,957988,958007,958009,958491,958523,959005,960707,960725,960861,960862,961691,963782,965315,965317,967013,967630,969350 CVE References: CVE-2013-4533,CVE-2013-4534,CVE-2013-4537,CVE-2013-4538,CVE-2013-4539,CVE-2014-0222,CVE-2014-3640,CVE-2014-3689,CVE-2014-7815,CVE-2015-5278,CVE-2015-7512,CVE-2015-8504,CVE-2015-8550,CVE-2015-8554,CVE-2015-8555,CVE-2015-8558,CVE-2015-8743,CVE-2015-8745,CVE-2016-1570,CVE-2016-1571,CVE-2016-1714,CVE-2016-1981,CVE-2016-2270,CVE-2016-2271,CVE-2016-2391,CVE-2016-2841 Sources used: SUSE Linux Enterprise Server 11-SP2-LTSS (src): xen-4.1.6_08-26.1
SUSE-SU-2016:1318-1: An update that solves 45 vulnerabilities and has three fixes is now available. Category: security (important) Bug References: 954872,956832,957988,958007,958009,958493,958523,958918,959006,959387,959695,960707,960726,960836,960861,960862,961332,961358,961692,962321,962335,962360,962611,962627,962632,962642,962758,963783,963923,964415,964431,964452,964644,964746,964925,964929,964947,964950,965112,965156,965269,965315,965317,967090,967101,968004,969125,969126 CVE References: CVE-2013-4527,CVE-2013-4529,CVE-2013-4530,CVE-2013-4533,CVE-2013-4534,CVE-2013-4537,CVE-2013-4538,CVE-2013-4539,CVE-2014-0222,CVE-2014-3640,CVE-2014-3689,CVE-2014-7815,CVE-2014-9718,CVE-2015-1779,CVE-2015-5278,CVE-2015-6855,CVE-2015-7512,CVE-2015-7549,CVE-2015-8345,CVE-2015-8504,CVE-2015-8550,CVE-2015-8554,CVE-2015-8555,CVE-2015-8558,CVE-2015-8567,CVE-2015-8568,CVE-2015-8613,CVE-2015-8619,CVE-2015-8743,CVE-2015-8744,CVE-2015-8745,CVE-2015-8817,CVE-2015-8818,CVE-2016-1568,CVE-2016-1570,CVE-2016-1571,CVE-2016-1714,CVE-2016-1922,CVE-2016-1981,CVE-2016-2198,CVE-2016-2270,CVE-2016-2271,CVE-2016-2391,CVE-2016-2392,CVE-2016-2538 Sources used: SUSE Linux Enterprise Software Development Kit 12 (src): xen-4.4.4_02-22.19.1 SUSE Linux Enterprise Server 12 (src): xen-4.4.4_02-22.19.1 SUSE Linux Enterprise Desktop 12 (src): xen-4.4.4_02-22.19.1
SUSE-SU-2016:1445-1: An update that fixes 8 vulnerabilities is now available. Category: security (important) Bug References: 960726,962627,964925,964947,965315,965317,967101,969351 CVE References: CVE-2014-0222,CVE-2014-7815,CVE-2015-5278,CVE-2015-8743,CVE-2016-2270,CVE-2016-2271,CVE-2016-2391,CVE-2016-2841 Sources used: SUSE Linux Enterprise Server 10 SP4 LTSS (src): xen-3.2.3_17040_46-0.25.1
SUSE-SU-2016:1745-1: An update that solves 35 vulnerabilities and has 5 fixes is now available. Category: security (important) Bug References: 864391,864655,864673,864678,864682,864769,864805,864811,877642,897654,901508,902737,928393,945404,945989,954872,956829,957162,957988,958007,958009,958491,958523,959005,959695,959928,960707,960725,960861,960862,961332,961691,963782,965315,965317,967012,967013,967630,967969,969350 CVE References: CVE-2013-4527,CVE-2013-4529,CVE-2013-4530,CVE-2013-4533,CVE-2013-4534,CVE-2013-4537,CVE-2013-4538,CVE-2013-4539,CVE-2014-0222,CVE-2014-3640,CVE-2014-3689,CVE-2014-7815,CVE-2014-9718,CVE-2015-5278,CVE-2015-6855,CVE-2015-7512,CVE-2015-8345,CVE-2015-8504,CVE-2015-8550,CVE-2015-8554,CVE-2015-8555,CVE-2015-8558,CVE-2015-8743,CVE-2015-8745,CVE-2016-1568,CVE-2016-1570,CVE-2016-1571,CVE-2016-1714,CVE-2016-1981,CVE-2016-2270,CVE-2016-2271,CVE-2016-2391,CVE-2016-2392,CVE-2016-2538,CVE-2016-2841 Sources used: SUSE Linux Enterprise Server 11-SP3-LTSS (src): xen-4.2.5_20-24.9 SUSE Linux Enterprise Debuginfo 11-SP3 (src): xen-4.2.5_20-24.9