SB2020111136 - Gentoo update for Xen
Published: November 11, 2020 Updated: April 24, 2025
Description
This security bulletin contains information about 16 security vulnerabilities.
1) Use of uninitialized resource (CVE-ID: CVE-2020-25595)
The vulnerability allows a malicious guest to escalate privileges on the host.
The vulnerability exists because the PCI passthrough code in Xen reads back values from hardware registers and trusts them. A user on a guest operating system with a passed-through device can run a specially crafted program to read potentially sensitive information from memory, crash Xen, or escalate privileges on the hypervisor.
The vulnerability affects x86 systems with PCI passthrough in use.
2) Resource management error (CVE-ID: CVE-2020-25596)
The vulnerability allows a local user on a guest to perform a denial of service (DoS) attack against that guest.
The vulnerability exists due to incomplete state sanitization in Xen's handling of the SYSENTER instruction for PV guests. An unprivileged user or application in the guest operating system can abuse SYSENTER to crash the guest kernel. The host itself is not affected.
3) Resource management error (CVE-ID: CVE-2020-25597)
The vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists due to a logic error in the handling of event channel operations in Xen, which assumes that an event channel, once valid, will not become invalid over the lifetime of a guest. An unprivileged guest may be able to crash Xen by resetting all of its event channels.
4) Resource management error (CVE-ID: CVE-2020-25598)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to missing unlock in XENMEM_acquire_resource error path in Xen. A malicious HVM stubdomain can cause an RCU reference to be leaked. This causes subsequent administration operations, (e.g. CPU offline) to livelock, resulting in a host denial of service.
The vulnerability only affects VMs using HVM stubdomains.
5) Race condition (CVE-ID: CVE-2020-25599)
The vulnerability allows a remote user to escalate privileges on the system.
The vulnerability exists due to a race condition triggered by uses of EVTCHNOP_reset (potentially by a guest on itself) or XEN_DOMCTL_soft_reset (which is itself covered by XSA-77). A user on a PV guest can exploit the race to gain unauthorized access to sensitive information and escalate privileges on the host system.
6) Resource management error (CVE-ID: CVE-2020-25600)
The vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists because the so-called 2-level event channel model imposes different limits on the number of usable event channels for 32-bit x86 domains versus 64-bit or Arm (either bitness) ones. 32-bit x86 domains can use only 1023 channels, due to the limited space in their shared (between guest and Xen) information structure, whereas all other domains can use up to 4095 in this model. The respective limit, however, is recorded during domain initialization, at a time when every domain is still deemed to be 64-bit, before the domain's actual properties are honored. When a domain is later recognized as 32-bit, the recorded limit is not updated accordingly.
Due to this misbehavior in Xen, 32-bit domains (including Domain 0) servicing other domains may observe event channel allocations to succeed when they should really fail. Subsequent use of such event channels would then possibly lead to corruption of other parts of the shared info structure.
As a result, an unprivileged guest may cause another domain, in particular Domain 0, to misbehave, leading to denial of service of the host system.
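The following C program is an added illustration of the limit mismatch described above; it is not code from the advisory or from Xen. It models the 2-level layout (bits-per-word squared ports, so 1024 for a 32-bit domain and 4096 for a 64-bit one, with port 0 unusable), records the limit while the domain is still treated as 64-bit, then flips the domain to 32-bit with and without recomputing the limit. The shared info is a flat byte array in which the pending bitmap sits first and a sentinel stands in for whatever field follows it; the real field names, offsets and Xen function names are deliberately not reproduced.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 2-level model: the guest-visible pending bitmap is an array of
 * BITS_PER_WORD words of BITS_PER_WORD bits, so a 32-bit domain has
 * 32*32 = 1024 ports and a 64-bit one 64*64 = 4096. Port 0 is never
 * usable, hence the 1023 / 4095 figures in the advisory. */
static unsigned int bits_per_evtchn_word(bool is_32bit) { return is_32bit ? 32u : 64u; }

static unsigned int evtchn_2l_nr_channels(bool is_32bit) {
    unsigned int w = bits_per_evtchn_word(is_32bit);
    return w * w;
}

/* Flat stand-in for the shared info page (assumption: layout simplified).
 * The pending bitmap occupies the first nr_channels/8 bytes and "the next
 * field" starts right after it. */
#define SHARED_INFO_BYTES 1024u
#define SENTINEL 0xA5A5A5A5u

struct domain {
    bool is_32bit;
    unsigned int max_evtchns;              /* limit recorded at creation */
    uint8_t shared_info[SHARED_INFO_BYTES];
};

static unsigned int bitmap_bytes(bool is_32bit) { return evtchn_2l_nr_channels(is_32bit) / 8; }

static uint32_t read_field_after_bitmap(const struct domain *d) {
    uint32_t v;
    memcpy(&v, d->shared_info + bitmap_bytes(d->is_32bit), sizeof v);
    return v;
}

static void write_field_after_bitmap(struct domain *d, uint32_t v) {
    memcpy(d->shared_info + bitmap_bytes(d->is_32bit), &v, sizeof v);
}

/* Every domain starts out treated as 64-bit, and the channel limit is
 * recorded at this point. */
static void domain_create(struct domain *d) {
    memset(d, 0, sizeof *d);
    d->is_32bit = false;
    d->max_evtchns = evtchn_2l_nr_channels(false);    /* 4096 */
}

/* Later the guest turns out to be 32-bit. Pre-fix behaviour leaves the
 * recorded limit alone; the corrected behaviour recomputes it. */
static void switch_to_32bit(struct domain *d, bool apply_fix) {
    d->is_32bit = true;
    if (apply_fix)
        d->max_evtchns = evtchn_2l_nr_channels(true); /* 1024 */
}

/* The allocation check uses the recorded limit; on success the port's
 * pending bit is set in the guest-visible bitmap. */
static int evtchn_alloc_and_mark_pending(struct domain *d, unsigned int port) {
    if (port == 0 || port >= d->max_evtchns)
        return -1;                                    /* properly refused */
    d->shared_info[port / 8] |= (uint8_t)(1u << (port % 8));
    return 0;
}

/* Scenario: create, become 32-bit, plant a sentinel just past the now
 * 128-byte bitmap, then request port 1030 (bit 1030 lives in byte 128).
 * Returns 1 if the field after the bitmap was corrupted, 0 if the
 * allocation was refused and the field is intact, -1 otherwise. */
static int run_scenario(bool apply_fix) {
    struct domain d;
    domain_create(&d);
    switch_to_32bit(&d, apply_fix);
    write_field_after_bitmap(&d, SENTINEL);

    int rc = evtchn_alloc_and_mark_pending(&d, 1030);
    uint32_t after = read_field_after_bitmap(&d);

    if (rc == 0 && after != SENTINEL) return 1;
    if (rc != 0 && after == SENTINEL) return 0;
    return -1;
}

int main(void) {
    printf("usable channels: 32-bit=%u 64-bit=%u\n",
           evtchn_2l_nr_channels(true) - 1, evtchn_2l_nr_channels(false) - 1);
    printf("pre-fix: %d (1 = field after bitmap corrupted)\n", run_scenario(false));
    printf("fixed:   %d (0 = allocation refused, field intact)\n", run_scenario(true));
    return 0;
}
```

With the stale 4096 limit the request for port 1030 passes the check and the bit lands in the field that follows the 128-byte 32-bit bitmap; with the limit recomputed at the bitness switch the same request is refused. This is the corruption path the advisory describes for a 32-bit Domain 0 servicing other guests.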
7) Resource exhaustion (CVE-ID: CVE-2020-25601)
The vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources, as the FIFO event channel model allows guests to have a large number of event channels active at a time. Closing all of these when resetting all event channels, or when cleaning up after the guest, may take an extended period of time, and there was no arrangement for preemption at suitable intervals, so a CPU could spend an almost unbounded amount of time processing these operations. A malicious guest can monopolize a host CPU and perform a denial of service (DoS) attack against the entire host system.
8) Resource management error (CVE-ID: CVE-2020-25602)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper handling of PV guest accesses to the MISC_ENABLE MSR in Xen. A privileged user in a PV guest can run a specially crafted program and crash Xen.
Only non-Intel x86 systems are affected.
9) Resource management error (CVE-ID: CVE-2020-25603)
The vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists because event channel control structures may be accessed without a lock as long as the port is considered valid. These access sequences lack the memory barriers (e.g. smp_*mb()) needed to prevent the compiler and the CPU from reordering accesses. A malicious guest may be able to cause a hypervisor crash.
10) Race condition (CVE-ID: CVE-2020-25604)
The vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists due to a race condition when migrating timers between x86 HVM vCPU-s in Xen. A remote user on a guest operating system can run a specially crafted program to crash the hypervisor.
11) Insufficient verification of data authenticity (CVE-ID: CVE-2020-27670)
The vulnerability allows a user on an x86 guest to corrupt or leak data, or possibly to escalate privileges.
An issue was discovered in Xen through 4.14.x allowing x86 guest OS users to cause a denial of service (data corruption), cause a data leak, or possibly gain privileges because an AMD IOMMU page-table entry can be half-updated.
12) Improper Privilege Management (CVE-ID: CVE-2020-27671)
The vulnerability allows a guest with a passed-through device to access memory it no longer owns and potentially escalate privileges.
The vulnerability exists because IOMMU TLB flushes are unduly deferred when a guest's memory mappings change, leaving stale translations in place. A guest with a PCI device passed through can use those stale translations to keep performing DMA to memory pages it has already given up, which may lead to data corruption or privilege escalation on the host.
13) Race condition (CVE-ID: CVE-2020-27672)
The vulnerability allows a user on an x86 guest to crash the host, corrupt data, or possibly escalate privileges.
An issue was discovered in Xen through 4.14.x allowing x86 guest OS users to cause a host OS denial of service, achieve data corruption, or possibly gain privileges by exploiting a race condition that leads to a use-after-free involving 2MiB and 1GiB superpages.
14) Input validation error (CVE-ID: CVE-2020-27673)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation in the Linux kernel's Xen event channel drivers: in clear_linked(), consume_one_event(), __evtchn_fifo_handle_events() and evtchn_fifo_percpu_init() in drivers/xen/events/events_fifo.c; in module_param(), DEFINE_RWLOCK(), enable_dynirq(), notify_remote_via_irq(), EXPORT_SYMBOL_GPL(), xen_irq_init(), xen_free_irq(), xen_send_IPI_one(), __xen_evtchn_do_upcall(), xen_setup_callback_vector(), xen_evtchn_cpu_prepare() and xen_init_IRQ() in drivers/xen/events/events_base.c; and in active_evtchns() and evtchn_2l_handle_events() in drivers/xen/events/events_2l.c. A local user can perform a denial of service (DoS) attack.
15) Improper TLB invalidation (CVE-ID: CVE-2020-27674)
The vulnerability allows a local user on an x86 PV guest to escalate privileges within that guest.
An issue was discovered in Xen through 4.14.x allowing x86 PV guest OS users to gain guest OS privileges by modifying kernel memory contents, because invalidation of TLB entries is mishandled during use of an INVLPG-like attack technique.
16) NULL pointer dereference (CVE-ID: CVE-2020-27675)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference in the Linux kernel's drivers/xen/events/events_base.c. A malicious guest can trigger a dom0 crash by sending events for a paravirtualized device while that device is simultaneously being reconfigured.
Remediation
Install update from vendor's website.