Xen ProjectXSA-290missing preemption in x86 PV page table unvalidation
4.9 Medium
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:N/I:N/A:C
6.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
0.0004 Low
EPSS
Percentile
14.2%
ISSUE DESCRIPTION
XSA-273 changes required, among other things, making any PTE updates restartable. The changes making PTE updates restartable assumed that L2 pagetables would always be promoted preemptibly; but this turns out not to be the case when using the ‘linear pagetable’ feature; the result was that interrupted operations are not handled properly in certain cases.
Furthermore, previous security work making pagetable update preemptible failed to account for ‘linear pagetables’ at L3 and L4 levels, making it possible for operations to run for longer than acceptable times.
IMPACT
Malicious or buggy x86 PV guest kernels can mount a Denial of Service (DoS) attack affecting the whole system.
VULNERABLE SYSTEMS
All Xen versions are vulnerable.
Only x86 systems are affected. ARM systems are not affected.
Only Xen versions which permit linear page table use by PV guests are vulnerable.
Only x86 PV guests can leverage this vulnerability. x86 HVM guests cannot leverage this vulnerability.
Related
4.9 Medium
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:N/I:N/A:C
6.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
0.0004 Low
EPSS
Percentile
14.2%