Allele Security Alert
ASA-2019-00625
Identifier(s)
ASA-2019-00625, CVE-2019-18422, XSA-303
Title
Interrupts are unconditionally unmasked in exception handlers
Vendor(s)
The Xen Project
Product(s)
Xen
Affected version(s)
All Xen versions running on ARM systems
Fixed version(s)
Xen 4.8 with the following patches applied:
[PATCH 1/5] Revert “xen/arm32: entry: Consolidate DEFINE_TRAP_ENTRY_* macros”
https://xenbits.xen.org/xsa/xsa303-4.8/0001-Revert-xen-arm32-entry-Consolidate-DEFINE_TRAP_ENTRY.patch
[PATCH 2/5] xen/arm32: entry: Consolidate DEFINE_TRAP_ENTRY*() macros
https://xenbits.xen.org/xsa/xsa303-4.8/0002-xen-arm32-entry-Consolidate-DEFINE_TRAP_ENTRY-macros.patch
[PATCH 3/5] xen/arm32: entry: Fold the macro SAVE_ALL in the macro vector
https://xenbits.xen.org/xsa/xsa303-4.8/0003-xen-arm32-entry-Fold-the-macro-SAVE_ALL-in-the-macro.patch
[PATCH 4/5] xen/arm32: Don’t blindly unmask interrupts on trap without a change of level
https://xenbits.xen.org/xsa/xsa303-4.8/0004-xen-arm32-Don-t-blindly-unmask-interrupts-on-trap-wi.patch
[PATCH 5/5] xen/arm64: Don’t blindly unmask interrupts on trap without a change of level
https://xenbits.xen.org/xsa/xsa303-4.8/0005-xen-arm64-Don-t-blindly-unmask-interrupts-on-trap-wi.patch
Xen unstable – 4.9 with the following patches applied:
[PATCH 1/4] xen/arm32: entry: Split __DEFINE_ENTRY_TRAP in two
https://xenbits.xen.org/xsa/xsa303/0001-xen-arm32-entry-Split-__DEFINE_ENTRY_TRAP-in-two.patch
[PATCH 2/4] xen/arm32: entry: Fold the macro SAVE_ALL in the macro vector
https://xenbits.xen.org/xsa/xsa303/0002-xen-arm32-entry-Fold-the-macro-SAVE_ALL-in-the-macro.patch
[PATCH 3/4] xen/arm32: Don’t blindly unmask interrupts on trap without a change of level
https://xenbits.xen.org/xsa/xsa303/0003-xen-arm32-Don-t-blindly-unmask-interrupts-on-trap-wi.patch
[PATCH 4/4] xen/arm64: Don’t blindly unmask interrupts on trap without a change of level
https://xenbits.xen.org/xsa/xsa303/0004-xen-arm64-Don-t-blindly-unmask-interrupts-on-trap-wi.patch
Proof of concept
Unknown
Description
A malicious guest might contrive to arrange for critical Xen code to run with interrupts erroneously enabled. This could lead to data corruption, denial of service, or possibly even privilege escalation.
Technical details
When an exception on an ARM system is handled without changing processor level, some interrupts are unconditionally enabled during exception entry. As a result, an exception that occurs while interrupts are masked effectively unmasks them.
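A minimal C model of the behaviour described above, added here as an illustration and not taken from Xen or the XSA-303 patches: it compares an entry path that unmasks unconditionally with one that inherits the mask of the interrupted code. The bit positions are the AArch64 DAIF mask bits; the choice of bits in ENTRY_UNMASK, the function names and the inherit-from-saved-state correction are assumptions of the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* AArch64 PSTATE/SPSR interrupt mask bits (1 = masked). */
#define PSTATE_F (1u << 6) /* FIQ */
#define PSTATE_I (1u << 7) /* IRQ */
#define PSTATE_A (1u << 8) /* SError (asynchronous abort) */
#define PSTATE_D (1u << 9) /* debug exceptions */
#define DAIF_ALL (PSTATE_D | PSTATE_A | PSTATE_I | PSTATE_F)
/* Assumption of this model: the entry path re-enables IRQ and SError. */
#define ENTRY_UNMASK (PSTATE_I | PSTATE_A)
struct cpu { uint32_t pstate; uint32_t spsr; };

/* Hardware step: save the interrupted state, then mask everything. */
void take_exception_same_level(struct cpu *c)
{
    c->spsr = c->pstate;
    c->pstate |= DAIF_ALL;
}

/* Flawed entry: unmasks regardless of what the interrupted code had set. */
void entry_unconditional(struct cpu *c)
{
    take_exception_same_level(c);
    c->pstate &= ~ENTRY_UNMASK;
}

/* Corrected entry (modelled): inherit the mask bits from the saved state. */
void entry_inherit(struct cpu *c)
{
    take_exception_same_level(c);
    c->pstate = (c->pstate & ~ENTRY_UNMASK) | (c->spsr & ENTRY_UNMASK);
}

/* True if IRQs are still masked once the handler body starts running. */
bool irq_masked_in_handler(void (*entry)(struct cpu *), uint32_t interrupted)
{
    struct cpu c = { .pstate = interrupted, .spsr = 0 };
    entry(&c);
    return (c.pstate & PSTATE_I) != 0;
}

int main(void)
{
    uint32_t critical = PSTATE_I | PSTATE_A; /* constructed: masked section */
    printf("unconditional: masked=%d\n", irq_masked_in_handler(entry_unconditional, critical));
    printf("inherit:       masked=%d\n", irq_masked_in_handler(entry_inherit, critical));
}
```

In the model, code that masked interrupts before the exception finds them unmasked inside the handler on the unconditional path, while the inheriting path preserves the mask and still unmasks when the interrupted code had interrupts enabled.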
Credits
Julien Grall (Arm)
Reference(s)
XSA-303 – Xen Security Advisories
https://xenbits.xen.org/xsa/advisory-303.html
oss-security – Xen Security Advisory 303 v4 (CVE-2019-18422) – ARM: Interrupts are unconditionally unmasked in exception handlers
https://www.openwall.com/lists/oss-security/2019/10/31/5
xen/arm32: entry: Consolidate DEFINE_TRAP_ENTRY_* macros
https://xenbits.xen.org/gitweb/?p=xen.git;a=commit;h=6082e3ba8941b3d10c3cb73f445759c19e89afc9
[PATCH 1/5] Revert “xen/arm32: entry: Consolidate DEFINE_TRAP_ENTRY_* macros”
https://xenbits.xen.org/xsa/xsa303-4.8/0001-Revert-xen-arm32-entry-Consolidate-DEFINE_TRAP_ENTRY.patch
[PATCH 2/5] xen/arm32: entry: Consolidate DEFINE_TRAP_ENTRY*() macros
https://xenbits.xen.org/xsa/xsa303-4.8/0002-xen-arm32-entry-Consolidate-DEFINE_TRAP_ENTRY-macros.patch
[PATCH 3/5] xen/arm32: entry: Fold the macro SAVE_ALL in the macro vector
https://xenbits.xen.org/xsa/xsa303-4.8/0003-xen-arm32-entry-Fold-the-macro-SAVE_ALL-in-the-macro.patch
[PATCH 4/5] xen/arm32: Don’t blindly unmask interrupts on trap without a change of level
https://xenbits.xen.org/xsa/xsa303-4.8/0004-xen-arm32-Don-t-blindly-unmask-interrupts-on-trap-wi.patch
[PATCH 5/5] xen/arm64: Don’t blindly unmask interrupts on trap without a change of level
https://xenbits.xen.org/xsa/xsa303-4.8/0005-xen-arm64-Don-t-blindly-unmask-interrupts-on-trap-wi.patch
[PATCH 1/4] xen/arm32: entry: Split __DEFINE_ENTRY_TRAP in two
https://xenbits.xen.org/xsa/xsa303/0001-xen-arm32-entry-Split-__DEFINE_ENTRY_TRAP-in-two.patch
[PATCH 2/4] xen/arm32: entry: Fold the macro SAVE_ALL in the macro vector
https://xenbits.xen.org/xsa/xsa303/0002-xen-arm32-entry-Fold-the-macro-SAVE_ALL-in-the-macro.patch
[PATCH 3/4] xen/arm32: Don’t blindly unmask interrupts on trap without a change of level
https://xenbits.xen.org/xsa/xsa303/0003-xen-arm32-Don-t-blindly-unmask-interrupts-on-trap-wi.patch
[PATCH 4/4] xen/arm64: Don’t blindly unmask interrupts on trap without a change of level
https://xenbits.xen.org/xsa/xsa303/0004-xen-arm64-Don-t-blindly-unmask-interrupts-on-trap-wi.patch
CVE-2019-18422
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18422
CVE-2019-18422
https://nvd.nist.gov/vuln/detail/CVE-2019-18422
Last modified: November 12, 2019