ASA-2019-00625 – Xen: Interrupts are unconditionally unmasked in exception handlers


Allele Security Alert

ASA-2019-00625

Identifier(s)

ASA-2019-00625, CVE-2019-18422, XSA-303

Title

Interrupts are unconditionally unmasked in exception handlers

Vendor(s)

The Xen Project

Product(s)

Xen

Affected version(s)

All Xen versions running on ARM systems

Fixed version(s)

Xen 4.8 with the following patches applied:

[PATCH 1/5] Revert “xen/arm32: entry: Consolidate DEFINE_TRAP_ENTRY_* macros”
https://xenbits.xen.org/xsa/xsa303-4.8/0001-Revert-xen-arm32-entry-Consolidate-DEFINE_TRAP_ENTRY.patch

[PATCH 2/5] xen/arm32: entry: Consolidate DEFINE_TRAP_ENTRY*() macros
https://xenbits.xen.org/xsa/xsa303-4.8/0002-xen-arm32-entry-Consolidate-DEFINE_TRAP_ENTRY-macros.patch

[PATCH 3/5] xen/arm32: entry: Fold the macro SAVE_ALL in the macro vector
https://xenbits.xen.org/xsa/xsa303-4.8/0003-xen-arm32-entry-Fold-the-macro-SAVE_ALL-in-the-macro.patch

[PATCH 4/5] xen/arm32: Don’t blindly unmask interrupts on trap without a change of level
https://xenbits.xen.org/xsa/xsa303-4.8/0004-xen-arm32-Don-t-blindly-unmask-interrupts-on-trap-wi.patch

[PATCH 5/5] xen/arm64: Don’t blindly unmask interrupts on trap without a change of level
https://xenbits.xen.org/xsa/xsa303-4.8/0005-xen-arm64-Don-t-blindly-unmask-interrupts-on-trap-wi.patch

Xen unstable – 4.9 with the following patches applied:

[PATCH 1/4] xen/arm32: entry: Split __DEFINE_ENTRY_TRAP in two
https://xenbits.xen.org/xsa/xsa303/0001-xen-arm32-entry-Split-__DEFINE_ENTRY_TRAP-in-two.patch

[PATCH 2/4] xen/arm32: entry: Fold the macro SAVE_ALL in the macro vector
https://xenbits.xen.org/xsa/xsa303/0002-xen-arm32-entry-Fold-the-macro-SAVE_ALL-in-the-macro.patch

[PATCH 3/4] xen/arm32: Don’t blindly unmask interrupts on trap without a change of level
https://xenbits.xen.org/xsa/xsa303/0003-xen-arm32-Don-t-blindly-unmask-interrupts-on-trap-wi.patch

[PATCH 4/4] xen/arm64: Don’t blindly unmask interrupts on trap without a change of level
https://xenbits.xen.org/xsa/xsa303/0004-xen-arm64-Don-t-blindly-unmask-interrupts-on-trap-wi.patch

Proof of concept

Unknown

Description

A malicious guest might contrive to arrange for critical Xen code to run with interrupts erroneously enabled. This could lead to data corruption, denial of service, or possibly even privilege escalation.

Technical details

When an exception occurs on an ARM system which is handled without changing processor level, some interrupts are unconditionally enabled during exception entry. So exceptions which occur when interrupts are masked will effectively unmask the interrupts.
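
An added illustration (not code from Xen or from the advisory): a small C model of the exception-entry behaviour described above, with the flawed entry beside a corrected one. The bit positions follow the AArch64 DAIF layout; which bits the flawed entry clears, and the "inherit the saved masks" behaviour of the corrected entry, are assumptions of the model chosen to match the patch titles.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model; interrupt mask bits as laid out in the AArch64 saved status. */
#define PSR_FIQ_MASK (1u << 6)
#define PSR_IRQ_MASK (1u << 7)
#define PSR_ABT_MASK (1u << 8)
#define PSR_DBG_MASK (1u << 9)
#define PSR_DAIF_ALL (PSR_FIQ_MASK | PSR_IRQ_MASK | PSR_ABT_MASK | PSR_DBG_MASK)

struct cpu { uint32_t pstate; uint32_t spsr; };

/* Hardware step: save the interrupted code's masks, then mask everything. */
static void take_exception(struct cpu *c)
{
    c->spsr = c->pstate & PSR_DAIF_ALL;
    c->pstate |= PSR_DAIF_ALL;
}

/* Flawed entry (assumed bit set): unmask no matter what the interrupted code had. */
static void entry_unconditional(struct cpu *c)
{
    c->pstate &= ~(PSR_IRQ_MASK | PSR_ABT_MASK | PSR_DBG_MASK);
}

/* Corrected entry for a trap without a change of level: inherit the saved masks. */
static void entry_inherit(struct cpu *c)
{
    c->pstate = (c->pstate & ~PSR_DAIF_ALL) | (c->spsr & PSR_DAIF_ALL);
}

/* True if an IRQ could be delivered once the given entry path has run. */
bool irq_open_in_handler(uint32_t interrupted_masks, void (*entry)(struct cpu *))
{
    struct cpu c = { .pstate = interrupted_masks, .spsr = 0 };
    take_exception(&c);
    entry(&c);
    return !(c.pstate & PSR_IRQ_MASK);
}

int main(void)
{
    uint32_t critical = PSR_IRQ_MASK | PSR_ABT_MASK; /* code that masked IRQs */
    printf("flawed entry, IRQ open: %d\n", irq_open_in_handler(critical, entry_unconditional));
    printf("inherit entry, IRQ open: %d\n", irq_open_in_handler(critical, entry_inherit));
    return 0;
}
```

In the model, code that masked IRQs before trapping ends up with IRQs deliverable inside the handler under the flawed entry, while the inheriting entry keeps them masked and still leaves them open for code that had them open.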

Credits

Julien Grall (Arm)

Reference(s)

XSA-303 – Xen Security Advisories
https://xenbits.xen.org/xsa/advisory-303.html

oss-security – Xen Security Advisory 303 v4 (CVE-2019-18422) – ARM: Interrupts are unconditionally unmasked in exception handlers
https://www.openwall.com/lists/oss-security/2019/10/31/5

xen/arm32: entry: Consolidate DEFINE_TRAP_ENTRY_* macros
https://xenbits.xen.org/gitweb/?p=xen.git;a=commit;h=6082e3ba8941b3d10c3cb73f445759c19e89afc9

[PATCH 1/5] Revert “xen/arm32: entry: Consolidate DEFINE_TRAP_ENTRY_* macros”
https://xenbits.xen.org/xsa/xsa303-4.8/0001-Revert-xen-arm32-entry-Consolidate-DEFINE_TRAP_ENTRY.patch

[PATCH 2/5] xen/arm32: entry: Consolidate DEFINE_TRAP_ENTRY*() macros
https://xenbits.xen.org/xsa/xsa303-4.8/0002-xen-arm32-entry-Consolidate-DEFINE_TRAP_ENTRY-macros.patch

[PATCH 3/5] xen/arm32: entry: Fold the macro SAVE_ALL in the macro vector
https://xenbits.xen.org/xsa/xsa303-4.8/0003-xen-arm32-entry-Fold-the-macro-SAVE_ALL-in-the-macro.patch

[PATCH 4/5] xen/arm32: Don’t blindly unmask interrupts on trap without a change of level
https://xenbits.xen.org/xsa/xsa303-4.8/0004-xen-arm32-Don-t-blindly-unmask-interrupts-on-trap-wi.patch

[PATCH 5/5] xen/arm64: Don’t blindly unmask interrupts on trap without a change of level
https://xenbits.xen.org/xsa/xsa303-4.8/0005-xen-arm64-Don-t-blindly-unmask-interrupts-on-trap-wi.patch

[PATCH 1/4] xen/arm32: entry: Split __DEFINE_ENTRY_TRAP in two
https://xenbits.xen.org/xsa/xsa303/0001-xen-arm32-entry-Split-__DEFINE_ENTRY_TRAP-in-two.patch

[PATCH 2/4] xen/arm32: entry: Fold the macro SAVE_ALL in the macro vector
https://xenbits.xen.org/xsa/xsa303/0002-xen-arm32-entry-Fold-the-macro-SAVE_ALL-in-the-macro.patch

[PATCH 3/4] xen/arm32: Don’t blindly unmask interrupts on trap without a change of level
https://xenbits.xen.org/xsa/xsa303/0003-xen-arm32-Don-t-blindly-unmask-interrupts-on-trap-wi.patch

[PATCH 4/4] xen/arm64: Don’t blindly unmask interrupts on trap without a change of level
https://xenbits.xen.org/xsa/xsa303/0004-xen-arm64-Don-t-blindly-unmask-interrupts-on-trap-wi.patch

CVE-2019-18422
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18422

CVE-2019-18422
https://nvd.nist.gov/vuln/detail/CVE-2019-18422


Last modified: November 12, 2019
