CVE-2019-19578

Priority
Description
An issue was discovered in Xen through 4.12.x allowing x86 PV guest OS
users to cause a denial of service via degenerate chains of linear
pagetables, because of an incorrect fix for CVE-2017-15595.

"Linear pagetables" is a technique which involves either pointing a
pagetable at itself, or to another pagetable of the same or higher level.
Xen has limited support for linear pagetables: A page may either point to
itself, or point to another pagetable of the same level (i.e., L2 to L2,
L3 to L3, and so on).

XSA-240 introduced an additional restriction that limited the "depth" of
such chains by allowing pages to either *point to* other pages of the same
level, or *be pointed to* by other pages of the same level, but not both.
To implement this, we keep track of the number of outstanding times a page
points to or is pointed to by another page table, to prevent both from
happening at the same time.

Unfortunately, the original commit introducing this reset this count when
resuming validation of a partially-validated pagetable, incorrectly
dropping some "linear_pt_entry" counts. If an attacker could engineer such
a situation to occur, they might be able to make loops or other arbitrary
chains of linear pagetables, as described in XSA-240.

A malicious or buggy PV guest may cause the hypervisor to crash, resulting
in Denial of Service (DoS) affecting the entire host. Privilege escalation
and information leaks cannot be excluded.

All versions of Xen are vulnerable. Only x86 systems are affected. Arm
systems are not affected. Only x86 PV guests can leverage the
vulnerability. x86 HVM and PVH guests cannot leverage the vulnerability.

Only systems which have enabled linear pagetables are vulnerable. Systems
which have disabled linear pagetables, either by selecting
CONFIG_PV_LINEAR_PT=n when building the hypervisor, or adding
pv-linear-pt=false on the command-line, are not vulnerable.
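
The counting rule and the reset flaw described above, as a simplified model added here for illustration (it is not Xen's code and not part of the original advisory). The struct, the function names and the sign convention of the counter are assumptions of the model.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model, NOT Xen source. Assumed sign convention:
 * linear_count < 0: the page holds that many same-level (linear) entries;
 * linear_count > 0: that many same-level pages point at it.
 * The XSA-240 restriction: a page is never both at once. */
struct pt_page { int linear_count; };

/* The page gains an entry that points at a same-level page. */
static bool inc_entries(struct pt_page *p)
{
    if (p->linear_count > 0) return false;  /* already pointed to */
    p->linear_count--;
    return true;
}

/* The page becomes the target of a same-level entry. */
static bool inc_uses(struct pt_page *p)
{
    if (p->linear_count < 0) return false;  /* already points elsewhere */
    p->linear_count++;
    return true;
}

/* Record a linear entry from -> to; both counts change or neither. */
static bool add_linear(struct pt_page *from, struct pt_page *to)
{
    if (!inc_entries(from)) return false;
    if (!inc_uses(to)) { from->linear_count++; return false; }
    return true;
}

/* Build b -> c while b is partially validated, resume b, then try a -> b.
 * Returns true if the chain a -> b -> c was accepted (restriction bypassed). */
bool chain_accepted(bool reset_on_resume)
{
    struct pt_page a = {0}, b = {0}, c = {0};
    if (!add_linear(&b, &c)) return false;
    if (reset_on_resume) b.linear_count = 0; /* flaw: b's entry count dropped */
    return add_linear(&a, &b);
}

int main(void)
{
    printf("count reset on resume: chain accepted = %d\n", chain_accepted(true));
    printf("count kept on resume:  chain accepted = %d\n", chain_accepted(false));
    return 0;
}
```

With the count preserved across the resume, the second entry is refused because b already points at another page; with the count reset, the same request is accepted and the depth limit no longer holds.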
Notes
mdeslaur> hypervisor packages are in universe. For
issues in the hypervisor, add appropriate
tags to each section, ex:
Tags_xen: universe-binary
Package
Source: xen (LP Ubuntu Debian)
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): needs-triage
Ubuntu 18.04 LTS (Bionic Beaver): needs-triage
Ubuntu 19.10 (Eoan Ermine): needs-triage
Ubuntu 20.04 (Focal Fossa): not-affected (4.11.3+24-g14b62ab3e5-1ubuntu1)
Binaries built from this source package are in universe and so are supported by the community. For more details see https://wiki.ubuntu.com/SecurityTeam/FAQ#Official_Support

Updated: 2020-02-18 14:14:32 UTC (commit c0d61ad7c8b86ba29097cf5accfef1795e5a2080)