Xen Security Advisory XSA-154
x86: inconsistent cachability flags on guest mappings
*** EMBARGOED UNTIL 2016-02-17 12:00 UTC ***
ISSUE DESCRIPTION

Multiple mappings of the same physical page with different cachability
settings can cause problems. While one category (the risk of using stale
data) affects only guests themselves (and hence avoiding it can be
left for them to control), the other category, Machine Check
exceptions, can be fatal to entire hosts. According to the information
we were able to gather, only mappings of MMIO pages may surface this
second category, but even for them there were cases where the
hypervisor did not properly enforce consistent cachability.

IMPACT

A malicious guest administrator might be able to cause a reboot,
denying service to the entire host.
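As an added illustration (not part of the advisory or of Xen's own code), the check below decodes the PAT/PCD/PWT bits of 4K page-table entries into the effective memory type under the power-on default IA32_PAT layout and reports frames that are mapped with more than one type, separating device (MMIO) frames, the category the advisory ties to Machine Check exceptions, from RAM frames where the harm is limited to stale data. The sample entries, frame addresses and MMIO flags are constructed; a real audit would additionally have to account for MTRRs and for a non-default PAT MSR.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Memory types as encoded in IA32_PAT entries (Intel SDM Vol. 3A, ch. 11). */
enum mem_type { MT_UC = 0, MT_WC = 1, MT_WT = 4, MT_WP = 5, MT_WB = 6, MT_UC_MINUS = 7 };
/* Power-on default IA32_PAT: entries 0..7 = WB, WT, UC-, UC, WB, WT, UC-, UC. */
static const enum mem_type pat_default[8] = {
    MT_WB, MT_WT, MT_UC_MINUS, MT_UC, MT_WB, MT_WT, MT_UC_MINUS, MT_UC };
/* Cache-control bits of a 4K leaf PTE: PWT = bit 3, PCD = bit 4, PAT = bit 7. */
#define PTE_PWT (1ULL << 3)
#define PTE_PCD (1ULL << 4)
#define PTE_PAT (1ULL << 7)
#define PTE_MFN_MASK 0x000ffffffffff000ULL
/* PAT index = PAT<<2 | PCD<<1 | PWT; it selects the effective memory type. */
static unsigned pte_pat_index(uint64_t pte) {
    return ((pte & PTE_PAT) ? 4 : 0) | ((pte & PTE_PCD) ? 2 : 0) | ((pte & PTE_PWT) ? 1 : 0);
}
static enum mem_type pte_mem_type(uint64_t pte) { return pat_default[pte_pat_index(pte)]; }
struct mapping { uint64_t pte; bool mmio; }; /* mmio: frame belongs to a device, not RAM */

/* Count frames mapped with more than one effective memory type. With mmio_only, only
 * device frames count: the category the advisory says can be fatal (Machine Check),
 * as opposed to the stale-data category that only affects the guest itself. */
static size_t count_inconsistent_frames(const struct mapping *m, size_t n, bool mmio_only) {
    size_t bad = 0;
    for (size_t i = 0; i < n; i++) {
        uint64_t mfn = m[i].pte & PTE_MFN_MASK;
        bool seen = false, conflict = false;
        for (size_t j = 0; j < i; j++) /* frame already handled at an earlier index? */
            if ((m[j].pte & PTE_MFN_MASK) == mfn) seen = true;
        if (seen || (mmio_only && !m[i].mmio)) continue;
        for (size_t j = i + 1; j < n; j++) /* compare with every other mapping of the frame */
            if ((m[j].pte & PTE_MFN_MASK) == mfn && pte_mem_type(m[j].pte) != pte_mem_type(m[i].pte))
                conflict = true;
        if (conflict) bad++;
    }
    return bad;
}
/* Constructed sample page-table entries; frame addresses and MMIO flags are made up. */
static size_t sample_conflicts(bool mmio_only) {
    const struct mapping maps[] = {
        { 0xfed00000ULL | PTE_PCD | PTE_PWT, true },  /* device frame mapped UC ... */
        { 0xfed00000ULL,                     true },  /* ... and again WB: the fatal category */
        { 0x1000ULL,                         false }, /* RAM frame mapped WB ... */
        { 0x1000ULL | PTE_PWT,               false }, /* ... and WT: stale-data category only */
        { 0x2000ULL,                         false }, /* RAM frame WB via PAT index 0 ... */
        { 0x2000ULL | PTE_PAT,               false }, /* ... and via index 4, also WB: consistent */
    };
    return count_inconsistent_frames(maps, sizeof maps / sizeof maps[0], mmio_only);
}
```

The third pair shows that what must agree is the effective memory type, not the raw PTE bits: PAT index 0 and index 4 both resolve to WB under the default PAT.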
VULNERABLE SYSTEMS

All Xen versions are affected.

x86 systems are vulnerable. ARM systems are not vulnerable.

Only x86 guests given control over some physical device can trigger

The vulnerability depends on the system response to mapping the same
memory with different cacheability. On some systems this is harmless;
on others, depending on CPU and chipset, it may be fatal.

MITIGATION

Not handing physical devices to guests will also avoid this issue.
RESOLUTION

Applying the attached patch resolves this issue to the best of our
knowledge. However, no formal description of CPU behavior in the cases
of interest was provided to us by Intel, and no response at all was
received from AMD to a respective inquiry.

Unfortunately, we are aware of a potential performance regression
with this patch on some systems. This patch might cause the
performance regression even if no hardware passthrough is
This depends on the peripherals present in the system, and the
behaviour of the drivers used for those peripherals.

A resolution without this potential performance regression is not
PATCH

xsa154.patch           xen-unstable, Xen 4.6.x

$ sha256sum xsa154*
DEPLOYMENT DURING EMBARGO
Deployment of the patch described above (or others which are
substantially similar) is permitted during the embargo, even on
public-facing systems with untrusted guest users and administrators.

However, deployment of the mitigations described above is NOT permitted
(except where all the affected systems and VMs are administered and
used only by organisations which are members of the Xen Project
Security Issues Predisclosure List). Specifically, deployment on
public cloud systems is NOT permitted.

This is because the configuration change would be visible to the guest,
which could lead to the rediscovery of the vulnerability.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decision-making.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
*** This bug has been marked as a duplicate of bug 574012 ***