Allele Security Alert
ASA-2019-00624
Identifier(s)
ASA-2019-00624, CVE-2019-18421, XSA-299
Title
Issues with restartable PV type change operations
Vendor(s)
The Xen Project
Product(s)
Xen
Affected version(s)
All security-supported Xen versions
Fixed version(s)
Xen 4.8 with the following patches applied:
[PATCH 01/12] x86/mm: Clean up trailing whitespace
https://xenbits.xen.org/xsa/xsa299-4.8/0001-x86-mm-Clean-up-trailing-whitespace.patch
[PATCH 02/12] x86/mm: L1TF checks don’t leave a partial entry
https://xenbits.xen.org/xsa/xsa299-4.8/0002-x86-mm-L1TF-checks-don-t-leave-a-partial-entry.patch
[PATCH 03/12] x86/mm: Don’t re-set PGT_pinned on a partially de-validated page
https://xenbits.xen.org/xsa/xsa299-4.8/0003-x86-mm-Don-t-re-set-PGT_pinned-on-a-partially-de-val.patch
[PATCH 04/12] x86/mm: Separate out partial_pte tristate into individual flags
https://xenbits.xen.org/xsa/xsa299-4.8/0004-x86-mm-Separate-out-partial_pte-tristate-into-indivi.patch
[PATCH 05/12] x86/mm: Use flags for _put_page_type rather than a boolean
https://xenbits.xen.org/xsa/xsa299-4.8/0005-x86-mm-Use-flags-for-_put_page_type-rather-than-a-bo.patch
[PATCH 06/12] x86/mm: Rework get_page_and_type_from_mfn conditional
https://xenbits.xen.org/xsa/xsa299-4.8/0006-x86-mm-Rework-get_page_and_type_from_mfn-conditional.patch
[PATCH 07/12] x86/mm: Have alloc_l[23]_table clear partial_flags when preempting
https://xenbits.xen.org/xsa/xsa299-4.8/0007-x86-mm-Have-alloc_l-23-_table-clear-partial_flags-wh.patch
[PATCH 08/12] x86/mm: Always retain a general ref on partial
https://xenbits.xen.org/xsa/xsa299-4.8/0008-x86-mm-Always-retain-a-general-ref-on-partial.patch
[PATCH 09/12] x86/mm: Collapse PTF_partial_set and PTF_partial_general_ref into one
https://xenbits.xen.org/xsa/xsa299-4.8/0009-x86-mm-Collapse-PTF_partial_set-and-PTF_partial_gene.patch
[PATCH 10/12] x86/mm: Properly handle linear pagetable promotion failures
https://xenbits.xen.org/xsa/xsa299-4.8/0010-x86-mm-Properly-handle-linear-pagetable-promotion-fa.patch
[PATCH 11/12] x86/mm: Fix nested de-validation on error
https://xenbits.xen.org/xsa/xsa299-4.8/0011-x86-mm-Fix-nested-de-validation-on-error.patch
[PATCH 12/12] x86/mm: Don’t drop a type ref unless you held a ref to begin with
https://xenbits.xen.org/xsa/xsa299-4.8/0012-x86-mm-Don-t-drop-a-type-ref-unless-you-held-a-ref-t.patch
Xen 4.9 with the following patches applied:
[PATCH 01/12] x86/mm: Clean up trailing whitespace
https://xenbits.xen.org/xsa/xsa299-4.9/0001-x86-mm-Clean-up-trailing-whitespace.patch
[PATCH 02/12] x86/mm: L1TF checks don’t leave a partial entry
https://xenbits.xen.org/xsa/xsa299-4.9/0002-x86-mm-L1TF-checks-don-t-leave-a-partial-entry.patch
[PATCH 03/12] x86/mm: Don’t re-set PGT_pinned on a partially de-validated page
https://xenbits.xen.org/xsa/xsa299-4.9/0003-x86-mm-Don-t-re-set-PGT_pinned-on-a-partially-de-val.patch
[PATCH 04/12] x86/mm: Separate out partial_pte tristate into individual flags
https://xenbits.xen.org/xsa/xsa299-4.9/0004-x86-mm-Separate-out-partial_pte-tristate-into-indivi.patch
[PATCH 05/12] x86/mm: Use flags for _put_page_type rather than a boolean
https://xenbits.xen.org/xsa/xsa299-4.9/0005-x86-mm-Use-flags-for-_put_page_type-rather-than-a-bo.patch
[PATCH 06/12] x86/mm: Rework get_page_and_type_from_mfn conditional
https://xenbits.xen.org/xsa/xsa299-4.9/0006-x86-mm-Rework-get_page_and_type_from_mfn-conditional.patch
[PATCH 07/12] x86/mm: Have alloc_l[23]_table clear partial_flags when preempting
https://xenbits.xen.org/xsa/xsa299-4.9/0007-x86-mm-Have-alloc_l-23-_table-clear-partial_flags-wh.patch
[PATCH 08/12] x86/mm: Always retain a general ref on partial
https://xenbits.xen.org/xsa/xsa299-4.9/0008-x86-mm-Always-retain-a-general-ref-on-partial.patch
[PATCH 09/12] x86/mm: Collapse PTF_partial_set and PTF_partial_general_ref into one
https://xenbits.xen.org/xsa/xsa299-4.9/0009-x86-mm-Collapse-PTF_partial_set-and-PTF_partial_gene.patch
[PATCH 10/12] x86/mm: Properly handle linear pagetable promotion failures
https://xenbits.xen.org/xsa/xsa299-4.9/0010-x86-mm-Properly-handle-linear-pagetable-promotion-fa.patch
[PATCH 11/12] x86/mm: Fix nested de-validation on error
https://xenbits.xen.org/xsa/xsa299-4.9/0011-x86-mm-Fix-nested-de-validation-on-error.patch
[PATCH 12/12] x86/mm: Don’t drop a type ref unless you held a ref to begin with
https://xenbits.xen.org/xsa/xsa299-4.9/0012-x86-mm-Don-t-drop-a-type-ref-unless-you-held-a-ref-t.patch
Xen 4.10 with the following patches applied:
[PATCH 01/11] x86/mm: L1TF checks don’t leave a partial entry
https://xenbits.xen.org/xsa/xsa299-4.10/0001-x86-mm-L1TF-checks-don-t-leave-a-partial-entry.patch
[PATCH 02/11] x86/mm: Don’t re-set PGT_pinned on a partially de-validated page
https://xenbits.xen.org/xsa/xsa299-4.10/0002-x86-mm-Don-t-re-set-PGT_pinned-on-a-partially-de-val.patch
[PATCH 03/11] x86/mm: Separate out partial_pte tristate into individual flags
https://xenbits.xen.org/xsa/xsa299-4.10/0003-x86-mm-Separate-out-partial_pte-tristate-into-indivi.patch
[PATCH 04/11] x86/mm: Use flags for _put_page_type rather than a boolean
https://xenbits.xen.org/xsa/xsa299-4.10/0004-x86-mm-Use-flags-for-_put_page_type-rather-than-a-bo.patch
[PATCH 05/11] x86/mm: Rework get_page_and_type_from_mfn conditional
https://xenbits.xen.org/xsa/xsa299-4.10/0005-x86-mm-Rework-get_page_and_type_from_mfn-conditional.patch
[PATCH 06/11] x86/mm: Have alloc_l[23]_table clear partial_flags when preempting
https://xenbits.xen.org/xsa/xsa299-4.10/0006-x86-mm-Have-alloc_l-23-_table-clear-partial_flags-wh.patch
[PATCH 07/11] x86/mm: Always retain a general ref on partial
https://xenbits.xen.org/xsa/xsa299-4.10/0007-x86-mm-Always-retain-a-general-ref-on-partial.patch
[PATCH 08/11] x86/mm: Collapse PTF_partial_set and PTF_partial_general_ref into one
https://xenbits.xen.org/xsa/xsa299-4.10/0008-x86-mm-Collapse-PTF_partial_set-and-PTF_partial_gene.patch
[PATCH 09/11] x86/mm: Properly handle linear pagetable promotion failures
https://xenbits.xen.org/xsa/xsa299-4.10/0009-x86-mm-Properly-handle-linear-pagetable-promotion-fa.patch
[PATCH 10/11] x86/mm: Fix nested de-validation on error
https://xenbits.xen.org/xsa/xsa299-4.10/0010-x86-mm-Fix-nested-de-validation-on-error.patch
[PATCH 11/11] x86/mm: Don’t drop a type ref unless you held a ref to begin with
https://xenbits.xen.org/xsa/xsa299-4.10/0011-x86-mm-Don-t-drop-a-type-ref-unless-you-held-a-ref-t.patch
Xen 4.11 with the following patches applied:
[PATCH 01/11] x86/mm: L1TF checks don’t leave a partial entry
https://xenbits.xen.org/xsa/xsa299-4.11/0001-x86-mm-L1TF-checks-don-t-leave-a-partial-entry.patch
[PATCH 02/11] x86/mm: Don’t re-set PGT_pinned on a partially de-validated page
https://xenbits.xen.org/xsa/xsa299-4.11/0002-x86-mm-Don-t-re-set-PGT_pinned-on-a-partially-de-val.patch
[PATCH 03/11] x86/mm: Separate out partial_pte tristate into individual flags
https://xenbits.xen.org/xsa/xsa299-4.11/0003-x86-mm-Separate-out-partial_pte-tristate-into-indivi.patch
[PATCH 04/11] x86/mm: Use flags for _put_page_type rather than a boolean
https://xenbits.xen.org/xsa/xsa299-4.11/0004-x86-mm-Use-flags-for-_put_page_type-rather-than-a-bo.patch
[PATCH 05/11] x86/mm: Rework get_page_and_type_from_mfn conditional
https://xenbits.xen.org/xsa/xsa299-4.11/0005-x86-mm-Rework-get_page_and_type_from_mfn-conditional.patch
[PATCH 06/11] x86/mm: Have alloc_l[23]_table clear partial_flags when preempting
https://xenbits.xen.org/xsa/xsa299-4.11/0006-x86-mm-Have-alloc_l-23-_table-clear-partial_flags-wh.patch
[PATCH 07/11] x86/mm: Always retain a general ref on partial
https://xenbits.xen.org/xsa/xsa299-4.11/0007-x86-mm-Always-retain-a-general-ref-on-partial.patch
[PATCH 08/11] x86/mm: Collapse PTF_partial_set and PTF_partial_general_ref into one
https://xenbits.xen.org/xsa/xsa299-4.11/0008-x86-mm-Collapse-PTF_partial_set-and-PTF_partial_gene.patch
[PATCH 09/11] x86/mm: Properly handle linear pagetable promotion failures
https://xenbits.xen.org/xsa/xsa299-4.11/0009-x86-mm-Properly-handle-linear-pagetable-promotion-fa.patch
[PATCH 10/11] x86/mm: Fix nested de-validation on error
https://xenbits.xen.org/xsa/xsa299-4.11/0010-x86-mm-Fix-nested-de-validation-on-error.patch
[PATCH 11/11] x86/mm: Don’t drop a type ref unless you held a ref to begin with
https://xenbits.xen.org/xsa/xsa299-4.11/0011-x86-mm-Don-t-drop-a-type-ref-unless-you-held-a-ref-t.patch
Xen 4.12 with the following patches applied:
[PATCH 01/11] x86/mm: L1TF checks don’t leave a partial entry
https://xenbits.xen.org/xsa/xsa299-4.12/0001-x86-mm-L1TF-checks-don-t-leave-a-partial-entry.patch
[PATCH 02/11] x86/mm: Don’t re-set PGT_pinned on a partially de-validated page
https://xenbits.xen.org/xsa/xsa299-4.12/0002-x86-mm-Don-t-re-set-PGT_pinned-on-a-partially-de-val.patch
[PATCH 03/11] x86/mm: Separate out partial_pte tristate into individual flags
https://xenbits.xen.org/xsa/xsa299-4.12/0003-x86-mm-Separate-out-partial_pte-tristate-into-indivi.patch
[PATCH 04/11] x86/mm: Use flags for _put_page_type rather than a boolean
https://xenbits.xen.org/xsa/xsa299-4.12/0004-x86-mm-Use-flags-for-_put_page_type-rather-than-a-bo.patch
[PATCH 05/11] x86/mm: Rework get_page_and_type_from_mfn conditional
https://xenbits.xen.org/xsa/xsa299-4.12/0005-x86-mm-Rework-get_page_and_type_from_mfn-conditional.patch
[PATCH 06/11] x86/mm: Have alloc_l[23]_table clear partial_flags when preempting
https://xenbits.xen.org/xsa/xsa299-4.12/0006-x86-mm-Have-alloc_l-23-_table-clear-partial_flags-wh.patch
[PATCH 07/11] x86/mm: Always retain a general ref on partial
https://xenbits.xen.org/xsa/xsa299-4.12/0007-x86-mm-Always-retain-a-general-ref-on-partial.patch
[PATCH 08/11] x86/mm: Collapse PTF_partial_set and PTF_partial_general_ref into one
https://xenbits.xen.org/xsa/xsa299-4.12/0008-x86-mm-Collapse-PTF_partial_set-and-PTF_partial_gene.patch
[PATCH 09/11] x86/mm: Properly handle linear pagetable promotion failures
https://xenbits.xen.org/xsa/xsa299-4.12/0009-x86-mm-Properly-handle-linear-pagetable-promotion-fa.patch
[PATCH 10/11] x86/mm: Fix nested de-validation on error
https://xenbits.xen.org/xsa/xsa299-4.12/0010-x86-mm-Fix-nested-de-validation-on-error.patch
[PATCH 11/11] x86/mm: Don’t drop a type ref unless you held a ref to begin with
https://xenbits.xen.org/xsa/xsa299-4.12/0011-x86-mm-Don-t-drop-a-type-ref-unless-you-held-a-ref-t.patch
Xen -unstable with the following patches applied:
[PATCH 01/11] x86/mm: L1TF checks don’t leave a partial entry
https://xenbits.xen.org/xsa/xsa299/0001-x86-mm-L1TF-checks-don-t-leave-a-partial-entry.patch
[PATCH 02/11] x86/mm: Don’t re-set PGT_pinned on a partially de-validated page
https://xenbits.xen.org/xsa/xsa299/0002-x86-mm-Don-t-re-set-PGT_pinned-on-a-partially-de-val.patch
[PATCH 03/11] x86/mm: Separate out partial_pte tristate into individual flags
https://xenbits.xen.org/xsa/xsa299/0003-x86-mm-Separate-out-partial_pte-tristate-into-indivi.patch
[PATCH 04/11] x86/mm: Use flags for _put_page_type rather than a boolean
https://xenbits.xen.org/xsa/xsa299/0004-x86-mm-Use-flags-for-_put_page_type-rather-than-a-bo.patch
[PATCH 05/11] x86/mm: Rework get_page_and_type_from_mfn conditional
https://xenbits.xen.org/xsa/xsa299/0005-x86-mm-Rework-get_page_and_type_from_mfn-conditional.patch
[PATCH 06/11] x86/mm: Have alloc_l[23]_table clear partial_flags when preempting
https://xenbits.xen.org/xsa/xsa299/0006-x86-mm-Have-alloc_l-23-_table-clear-partial_flags-wh.patch
[PATCH 07/11] x86/mm: Always retain a general ref on partial
https://xenbits.xen.org/xsa/xsa299/0007-x86-mm-Always-retain-a-general-ref-on-partial.patch
[PATCH 08/11] x86/mm: Collapse PTF_partial_set and PTF_partial_general_ref into one
https://xenbits.xen.org/xsa/xsa299/0008-x86-mm-Collapse-PTF_partial_set-and-PTF_partial_gene.patch
[PATCH 09/11] x86/mm: Properly handle linear pagetable promotion failures
https://xenbits.xen.org/xsa/xsa299/0009-x86-mm-Properly-handle-linear-pagetable-promotion-fa.patch
[PATCH 10/11] x86/mm: Fix nested de-validation on error
https://xenbits.xen.org/xsa/xsa299/0010-x86-mm-Fix-nested-de-validation-on-error.patch
[PATCH 11/11] x86/mm: Don’t drop a type ref unless you held a ref to begin with
https://xenbits.xen.org/xsa/xsa299/0011-x86-mm-Don-t-drop-a-type-ref-unless-you-held-a-ref-t.patch
Proof of concept
Unknown
Description
A malicious PV guest administrator may be able to escalate their privilege to that of the host.
Technical details
To avoid using shadow pagetables for PV guests, Xen exposes the actual hardware pagetables to the guest. In order to prevent the guest from modifying these pagetables directly, Xen keeps track of how pages are used using a type system; pages must be “promoted” before being used as a pagetable, and “demoted” before being used for any other type. Xen also allows for “recursive” promotions: i.e., an operating system promoting a page to an L4 pagetable may end up causing pages to be promoted to L3s, which may in turn cause pages to be promoted to L2s, and so on. These operations may take an arbitrarily large amount of time, and so must be restartable.
Unfortunately, making recursive pagetable promotion and demotion operations restartable is incredibly complicated, and the code contains several races which, if triggered, can cause Xen to drop or retain extra type counts, potentially allowing guests to get write access to in-use pagetables.
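The type-count bookkeeping described above can be followed in a small C model, added here as an illustration; it is not Xen source and not part of the advisory. The names (get_ref, put_ref, release, audit, the T_* types), the two-level L2/L1 layout and the work budget are assumptions of the example, and L1 pages are assumed to be referenced only through L2 tables.

```c
/* Toy model of typed pages with restartable promotion (not Xen source). */
#include <stdbool.h>

#define NENT 4                        /* entries per modelled L2 table */
enum ptype { T_NONE, T_WRITABLE, T_L1, T_L2 };
enum { OK = 0, REFUSED = -1, RESTART = 1 };

struct page {
    enum ptype type;
    unsigned type_count;              /* references held on the current type */
    bool partial;                     /* promotion started but not finished */
    unsigned done;                    /* L2 entries whose child ref is held */
    int entry[NENT];                  /* L2 only: index of an L1 page, or -1 */
};

static void put_ref(struct page *pg, int idx);

/* Give back the child references held via entries [0, done) and untype. */
static void release(struct page *pg, struct page *p)
{
    for (unsigned i = 0; i < p->done; i++)
        if (p->entry[i] >= 0)
            put_ref(pg, p->entry[i]);
    p->type = T_NONE;
    p->partial = false;
    p->done = 0;
}

/* Drop one type reference; never drop a count that is not held. */
static void put_ref(struct page *pg, int idx)
{
    if (pg[idx].type_count && --pg[idx].type_count == 0)
        release(pg, &pg[idx]);        /* last reference gone: demote */
}

/* Take a type reference; *budget bounds the work done before preemption. */
static int get_ref(struct page *pg, int idx, enum ptype want, unsigned *budget)
{
    struct page *p = &pg[idx];

    if (p->type != want) {
        if (p->type_count || p->partial)
            return REFUSED;           /* still in use as another type */
        p->type = want;
        p->partial = (want == T_L2);  /* only tables need validation */
    }
    for (; p->partial && p->done < NENT; p->done++) {
        if (p->entry[p->done] < 0)
            continue;                 /* empty slot */
        if (*budget == 0)
            return RESTART;           /* progress is saved in p->done */
        if (get_ref(pg, p->entry[p->done], T_L1, budget) != OK) {
            release(pg, p);           /* undo exactly what was taken */
            return REFUSED;
        }
        --*budget;
    }
    p->partial = false;
    p->type_count++;
    return OK;
}

/* Invariant: an L1's count equals the held L2 entries naming it, and no
 * held L2 entry names a page of any other type. */
static bool audit(const struct page *pg, int n)
{
    for (int i = 0; i < n; i++) {
        unsigned refs = 0;
        for (int j = 0; j < n; j++)
            for (unsigned k = 0; k < pg[j].done; k++)
                refs += (pg[j].entry[k] == i);
        if (pg[i].type == T_L1 ? pg[i].type_count != refs : refs != 0)
            return false;
    }
    return true;
}
```

In this model the invariant checked by audit has to hold at every preemption point, after a resumed promotion completes, and after a failed promotion has unwound; a count that is dropped or retained in error makes it fail.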
Credits
George Dunlap (Citrix)
Reference(s)
oss-security – Xen Security Advisory 299 v4 (CVE-2019-18421) – Issues with restartable PV type change operations
https://www.openwall.com/lists/oss-security/2019/10/31/3
XSA-299 – Xen Security Advisories
https://xenbits.xen.org/xsa/advisory-299.html
CVE-2019-18421
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18421
CVE-2019-18421
https://nvd.nist.gov/vuln/detail/CVE-2019-18421
Last modified: November 5, 2019