Xen Project XSA-295

Unlimited Arm Atomics Operations

2019-06-13 19:15:00
Xen Project
xenbits.xen.org

CVSS2: 4.9 Medium (AV:L/AC:L/Au:N/C:N/I:N/A:C)
  Attack Vector: LOCAL
  Attack Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: COMPLETE

CVSS3: 5.5 Medium (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
  Attack Vector: LOCAL
  Attack Complexity: LOW
  Privileges Required: LOW
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: HIGH

EPSS: 0.0004 Low (percentile 5.1%)

ISSUE DESCRIPTION

Software targeting pre-Armv8.1-A hardware, Xen included, commonly implements atomics using Load-Exclusive/Store-Exclusive instructions in a loop that terminates once the store succeeds.
As per the Armv8-A Architecture Reference Manual (ARM DDI0487D.a), paragraph 2.9.5 "Load-Exclusive and Store-Exclusive instruction usage restrictions", page B2-143:
"""
It is permissible for the LoadExcl / StoreExcl loop not to make forward progress if a different thread is repeatedly doing any of the following in a tight loop:

  • Performing stores to a PA covered by the Exclusives monitor.
  • Prefetching with intent to write to a PA covered by the Exclusives monitor.
  • Executing data cache clean, data cache invalidate, or data cache clean and invalidate instructions to a PA covered by the Exclusives monitor.
  • Executing instruction cache invalidate all instructions.
  • Executing instruction cache invalidate by VA instructions to a PA covered by the Exclusives monitor.
"""

If a guest keeps doing this to a physical address the hypervisor is operating on, the underlying LoadExcl or StoreExcl operation might never succeed, resulting in an unlimited loop in the hypervisor.

A similar, but independent, issue occurs when compare-and-exchange operations are misused:

    do { old = *addr; } while (cmpxchg(addr, old, new) != new);

This pattern is not safe, because the operation may continuously fail if another thread in a guest is continuously modifying the value, and nothing bounds the number of retries. An instance of this pattern was found in Xen.
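The two retry loops above, modelled in portable C11 as an added example (this is not Xen code and not part of the advisory text). A callback stands in for a guest vCPU that rewrites the shared word between the hypervisor's load and its compare-and-exchange; set_bits_unbounded reproduces the unbounded pattern (a LoadExcl/StoreExcl loop behaves the same way at the hardware level when the guest keeps storing to, or cleaning the cache line of, the monitored address), set_bits_bounded caps the number of attempts, and guest_set_bits shows one recovery path after the cap: stop the interfering party and retry once. The function names, the RMW_* status codes, the interferer callbacks and the "pause the guest" recovery strategy are assumptions made for this example, not a description of Xen's fix.

```c
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>

/* Outcome of a bounded read-modify-write on a word shared with a guest. */
enum rmw_status { RMW_OK = 0, RMW_TIMEOUT = 1 };

/* Constructed model of a hostile guest vCPU: called between the
 * hypervisor's load and its compare-and-exchange and free to rewrite
 * the word. It stands in for the stores, prefetches and cache
 * maintenance the advisory lists; it is not a real guest. */
typedef void (*interfere_fn)(_Atomic uint32_t *word, unsigned attempt);

/* The unsafe pattern: retry until the CAS succeeds, with no bound.
 * Against a guest that rewrites the word on every attempt this never
 * returns, so it is only called here with an interferer that stops. */
static uint32_t set_bits_unbounded(_Atomic uint32_t *word, uint32_t mask,
                                   interfere_fn interfere,
                                   unsigned *attempts_used)
{
    unsigned attempt = 0;
    uint32_t old, expected;

    do {
        old = atomic_load(word);
        if (interfere)
            interfere(word, attempt);
        expected = old;      /* CAS overwrites 'expected' on failure */
        attempt++;
    } while (!atomic_compare_exchange_strong(word, &expected, old | mask));

    if (attempts_used)
        *attempts_used = attempt;
    return old | mask;
}

/* Bounded variant: a guest hammering the word costs the hypervisor at
 * most max_attempts iterations per call, then the caller is told. */
static enum rmw_status set_bits_bounded(_Atomic uint32_t *word, uint32_t mask,
                                        unsigned max_attempts,
                                        interfere_fn interfere,
                                        unsigned *attempts_used)
{
    for (unsigned i = 0; i < max_attempts; i++) {
        uint32_t old = atomic_load(word);
        uint32_t expected;

        if (interfere)
            interfere(word, i);
        expected = old;
        if (atomic_compare_exchange_strong(word, &expected, old | mask)) {
            if (attempts_used)
                *attempts_used = i + 1;
            return RMW_OK;
        }
    }
    if (attempts_used)
        *attempts_used = max_attempts;
    return RMW_TIMEOUT;
}

/* Guest that rewrites the word on every attempt (unbounded loop hangs). */
static void interfere_always(_Atomic uint32_t *word, unsigned attempt)
{
    (void)attempt;
    atomic_fetch_xor(word, 0x80000000u);   /* flip a bit we never set */
}

/* Guest that stops interfering after three attempts. */
static void interfere_thrice(_Atomic uint32_t *word, unsigned attempt)
{
    if (attempt < 3)
        atomic_fetch_xor(word, 0x80000000u);
}

/* Hypervisor-side entry point: bounded attempts first; on timeout, stop
 * the interfering party (modelled by dropping the callback, standing in
 * for pausing the guest; an assumed strategy) and finish with a single
 * uncontended attempt. Returns the total number of CAS attempts. */
static unsigned guest_set_bits(_Atomic uint32_t *word, uint32_t mask,
                               unsigned max_attempts, interfere_fn interfere,
                               enum rmw_status *first_pass)
{
    unsigned used = 0, extra = 0;

    *first_pass = set_bits_bounded(word, mask, max_attempts, interfere, &used);
    if (*first_pass == RMW_TIMEOUT)
        set_bits_bounded(word, mask, 1, NULL, &extra);   /* guest paused */
    return used + extra;
}

int main(void)
{
    _Atomic uint32_t a = 0x5, b = 0x5;   /* constructed shared words */
    enum rmw_status st;
    unsigned used, n;

    set_bits_unbounded(&a, 0x2, interfere_thrice, &used);
    printf("unbounded: returned after %u attempts, value 0x%x\n", used,
           (unsigned)atomic_load(&a));
    n = guest_set_bits(&b, 0x2, 16, interfere_always, &st);
    printf("bounded: first pass %s, %u attempts in total, value 0x%x\n",
           st == RMW_TIMEOUT ? "timed out" : "succeeded", n,
           (unsigned)atomic_load(&b));
    return 0;
}
```

Builds with any C11 compiler (for example gcc -std=c11). Against interfere_always the bounded helper reports RMW_TIMEOUT after exactly max_attempts tries, whereas set_bits_unbounded would never return; the recovery step only works because it removes the guest's ability to interfere before the final attempt. The same reasoning applies to an LDXR/STXR loop on Arm: the bound and the recovery path belong in the hypervisor around the loop, since the instruction sequence itself cannot guarantee forward progress.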

IMPACT

An attacker in a domU could perform a denial of service attack on Xen by accessing a memory region shared with the hypervisor while Xen is performing an atomic operation on the same region. As a result Xen could end up looping without bound. See the issue description for details on the memory accesses that affect LoadExcl and StoreExcl operations.

VULNERABLE SYSTEMS

Systems running all versions of Xen are affected.
x86 processors are not affected. Arm processors are vulnerable, both Armv7 and Armv8.

NOTE REGARDING LACK OF EMBARGO

Other Open Source projects released fixes to the public before we could arrange for an organized disclosure.
