ASA-2019-00624 – Xen: Problemas com operações reinicializáveis de alteração do tipo PV


For the English version of this alert, click here.

Allele Security Alert

ASA-2019-00624

Identificador(es)

ASA-2019-00624, CVE-2019-18421, XSA-299

Título

Problemas com operações reinicializáveis de alteração do tipo PV

Fabricante(s)

The Xen Project

Produto(s)

Xen

Versão(ões) afetada(s)

Todas as versões do Xen com suporte de segurança

Versão(ões) corrigida(s)

Xen 4.8 com os seguintes patches:

[PATCH 01/12] x86/mm: Clean up trailing whitespace
https://xenbits.xen.org/xsa/xsa299-4.8/0001-x86-mm-Clean-up-trailing-whitespace.patch

[PATCH 02/12] x86/mm: L1TF checks don’t leave a partial entry
https://xenbits.xen.org/xsa/xsa299-4.8/0002-x86-mm-L1TF-checks-don-t-leave-a-partial-entry.patch

[PATCH 03/12] x86/mm: Don’t re-set PGT_pinned on a partially de-validated page
https://xenbits.xen.org/xsa/xsa299-4.8/0003-x86-mm-Don-t-re-set-PGT_pinned-on-a-partially-de-val.patch

[PATCH 04/12] x86/mm: Separate out partial_pte tristate into individual flags
https://xenbits.xen.org/xsa/xsa299-4.8/0004-x86-mm-Separate-out-partial_pte-tristate-into-indivi.patch

[PATCH 05/12] x86/mm: Use flags for _put_page_type rather than a boolean
https://xenbits.xen.org/xsa/xsa299-4.8/0005-x86-mm-Use-flags-for-_put_page_type-rather-than-a-bo.patch

[PATCH 06/12] x86/mm: Rework get_page_and_type_from_mfn conditional
https://xenbits.xen.org/xsa/xsa299-4.8/0006-x86-mm-Rework-get_page_and_type_from_mfn-conditional.patch

[PATCH 07/12] x86/mm: Have alloc_l[23]_table clear partial_flags when preempting
https://xenbits.xen.org/xsa/xsa299-4.8/0007-x86-mm-Have-alloc_l-23-_table-clear-partial_flags-wh.patch

[PATCH 08/12] x86/mm: Always retain a general ref on partial
https://xenbits.xen.org/xsa/xsa299-4.8/0008-x86-mm-Always-retain-a-general-ref-on-partial.patch

[PATCH 09/12] x86/mm: Collapse PTF_partial_set and PTF_partial_general_ref into one
https://xenbits.xen.org/xsa/xsa299-4.8/0009-x86-mm-Collapse-PTF_partial_set-and-PTF_partial_gene.patch

[PATCH 10/12] x86/mm: Properly handle linear pagetable promotion
failures
https://xenbits.xen.org/xsa/xsa299-4.8/0010-x86-mm-Properly-handle-linear-pagetable-promotion-fa.patch

[PATCH 11/12] x86/mm: Fix nested de-validation on error
https://xenbits.xen.org/xsa/xsa299-4.8/0011-x86-mm-Fix-nested-de-validation-on-error.patch

[PATCH 12/12] x86/mm: Don’t drop a type ref unless you held a ref to
begin with
https://xenbits.xen.org/xsa/xsa299-4.8/0012-x86-mm-Don-t-drop-a-type-ref-unless-you-held-a-ref-t.patch

Xen 4.9 com os seguintes patches:

[PATCH 01/12] x86/mm: Clean up trailing whitespace
https://xenbits.xen.org/xsa/xsa299-4.9/0001-x86-mm-Clean-up-trailing-whitespace.patch

[PATCH 02/12] x86/mm: L1TF checks don’t leave a partial entry
https://xenbits.xen.org/xsa/xsa299-4.9/0002-x86-mm-L1TF-checks-don-t-leave-a-partial-entry.patch

[PATCH 03/12] x86/mm: Don’t re-set PGT_pinned on a partially de-validated page
https://xenbits.xen.org/xsa/xsa299-4.9/0003-x86-mm-Don-t-re-set-PGT_pinned-on-a-partially-de-val.patch

[PATCH 04/12] x86/mm: Separate out partial_pte tristate into individual flags
https://xenbits.xen.org/xsa/xsa299-4.9/0004-x86-mm-Separate-out-partial_pte-tristate-into-indivi.patch

[PATCH 05/12] x86/mm: Use flags for _put_page_type rather than a
boolean
https://xenbits.xen.org/xsa/xsa299-4.9/0005-x86-mm-Use-flags-for-_put_page_type-rather-than-a-bo.patch

[PATCH 06/12] x86/mm: Rework get_page_and_type_from_mfn conditional
https://xenbits.xen.org/xsa/xsa299-4.9/0006-x86-mm-Rework-get_page_and_type_from_mfn-conditional.patch

[PATCH 07/12] x86/mm: Have alloc_l[23]_table clear partial_flags when preempting
https://xenbits.xen.org/xsa/xsa299-4.9/0007-x86-mm-Have-alloc_l-23-_table-clear-partial_flags-wh.patch

[PATCH 08/12] x86/mm: Always retain a general ref on partial
https://xenbits.xen.org/xsa/xsa299-4.9/0008-x86-mm-Always-retain-a-general-ref-on-partial.patch

[PATCH 09/12] x86/mm: Collapse PTF_partial_set and PTF_partial_general_ref into one
https://xenbits.xen.org/xsa/xsa299-4.9/0009-x86-mm-Collapse-PTF_partial_set-and-PTF_partial_gene.patch

[PATCH 10/12] x86/mm: Properly handle linear pagetable promotion failures
https://xenbits.xen.org/xsa/xsa299-4.9/0010-x86-mm-Properly-handle-linear-pagetable-promotion-fa.patch

[PATCH 11/12] x86/mm: Fix nested de-validation on error
https://xenbits.xen.org/xsa/xsa299-4.9/0011-x86-mm-Fix-nested-de-validation-on-error.patch

[PATCH 12/12] x86/mm: Don’t drop a type ref unless you held a ref to begin with
https://xenbits.xen.org/xsa/xsa299-4.9/0012-x86-mm-Don-t-drop-a-type-ref-unless-you-held-a-ref-t.patch

Xen 4.10 com os seguintes patches:

[PATCH 01/11] x86/mm: L1TF checks don’t leave a partial entry
https://xenbits.xen.org/xsa/xsa299-4.10/0001-x86-mm-L1TF-checks-don-t-leave-a-partial-entry.patch

[PATCH 02/11] x86/mm: Don’t re-set PGT_pinned on a partially de-validated page
https://xenbits.xen.org/xsa/xsa299-4.10/0002-x86-mm-Don-t-re-set-PGT_pinned-on-a-partially-de-val.patch

[PATCH 03/11] x86/mm: Separate out partial_pte tristate into individual flags
https://xenbits.xen.org/xsa/xsa299-4.10/0003-x86-mm-Separate-out-partial_pte-tristate-into-indivi.patch

[PATCH 04/11] x86/mm: Use flags for _put_page_type rather than a boolean
https://xenbits.xen.org/xsa/xsa299-4.10/0004-x86-mm-Use-flags-for-_put_page_type-rather-than-a-bo.patch

[PATCH 05/11] x86/mm: Rework get_page_and_type_from_mfn conditional
https://xenbits.xen.org/xsa/xsa299-4.10/0005-x86-mm-Rework-get_page_and_type_from_mfn-conditional.patch

[PATCH 06/11] x86/mm: Have alloc_l[23]_table clear partial_flags when preempting
https://xenbits.xen.org/xsa/xsa299-4.10/0006-x86-mm-Have-alloc_l-23-_table-clear-partial_flags-wh.patch

[PATCH 07/11] x86/mm: Always retain a general ref on partial
https://xenbits.xen.org/xsa/xsa299-4.10/0007-x86-mm-Always-retain-a-general-ref-on-partial.patch

[PATCH 08/11] x86/mm: Collapse PTF_partial_set and PTF_partial_general_ref into one
https://xenbits.xen.org/xsa/xsa299-4.10/0008-x86-mm-Collapse-PTF_partial_set-and-PTF_partial_gene.patch

[PATCH 09/11] x86/mm: Properly handle linear pagetable promotion failures
https://xenbits.xen.org/xsa/xsa299-4.10/0009-x86-mm-Properly-handle-linear-pagetable-promotion-fa.patch

[PATCH 10/11] x86/mm: Fix nested de-validation on error
https://xenbits.xen.org/xsa/xsa299-4.10/0010-x86-mm-Fix-nested-de-validation-on-error.patch

[PATCH 11/11] x86/mm: Don’t drop a type ref unless you held a ref to begin with
https://xenbits.xen.org/xsa/xsa299-4.10/0011-x86-mm-Don-t-drop-a-type-ref-unless-you-held-a-ref-t.patch

Xen 4.11 com os seguintes patches:

[PATCH 01/11] x86/mm: L1TF checks don’t leave a partial entry
https://xenbits.xen.org/xsa/xsa299-4.11/0001-x86-mm-L1TF-checks-don-t-leave-a-partial-entry.patch

[PATCH 02/11] x86/mm: Don’t re-set PGT_pinned on a partially de-validated page
https://xenbits.xen.org/xsa/xsa299-4.11/0002-x86-mm-Don-t-re-set-PGT_pinned-on-a-partially-de-val.patch

[PATCH 03/11] x86/mm: Separate out partial_pte tristate into individual flags
https://xenbits.xen.org/xsa/xsa299-4.11/0003-x86-mm-Separate-out-partial_pte-tristate-into-indivi.patch

[PATCH 04/11] x86/mm: Use flags for _put_page_type rather than a boolean
https://xenbits.xen.org/xsa/xsa299-4.11/0004-x86-mm-Use-flags-for-_put_page_type-rather-than-a-bo.patch

[PATCH 05/11] x86/mm: Rework get_page_and_type_from_mfn conditional
https://xenbits.xen.org/xsa/xsa299-4.11/0005-x86-mm-Rework-get_page_and_type_from_mfn-conditional.patch

[PATCH 06/11] x86/mm: Have alloc_l[23]_table clear partial_flags when preempting
https://xenbits.xen.org/xsa/xsa299-4.11/0006-x86-mm-Have-alloc_l-23-_table-clear-partial_flags-wh.patch

[PATCH 07/11] x86/mm: Always retain a general ref on partial
https://xenbits.xen.org/xsa/xsa299-4.11/0007-x86-mm-Always-retain-a-general-ref-on-partial.patch

[PATCH 08/11] x86/mm: Collapse PTF_partial_set and PTF_partial_general_ref into one
https://xenbits.xen.org/xsa/xsa299-4.11/0008-x86-mm-Collapse-PTF_partial_set-and-PTF_partial_gene.patch

[PATCH 09/11] x86/mm: Properly handle linear pagetable promotion failures
https://xenbits.xen.org/xsa/xsa299-4.11/0009-x86-mm-Properly-handle-linear-pagetable-promotion-fa.patch

[PATCH 10/11] x86/mm: Fix nested de-validation on error
https://xenbits.xen.org/xsa/xsa299-4.11/0010-x86-mm-Fix-nested-de-validation-on-error.patch

[PATCH 11/11] x86/mm: Don’t drop a type ref unless you held a ref to begin with
https://xenbits.xen.org/xsa/xsa299-4.11/0011-x86-mm-Don-t-drop-a-type-ref-unless-you-held-a-ref-t.patch

Xen 4.12 com os seguintes patches:

[PATCH 01/11] x86/mm: L1TF checks don’t leave a partial entry
https://xenbits.xen.org/xsa/xsa299-4.12/0001-x86-mm-L1TF-checks-don-t-leave-a-partial-entry.patch

[PATCH 02/11] x86/mm: Don’t re-set PGT_pinned on a partially de-validated page
https://xenbits.xen.org/xsa/xsa299-4.12/0002-x86-mm-Don-t-re-set-PGT_pinned-on-a-partially-de-val.patch

[PATCH 03/11] x86/mm: Separate out partial_pte tristate into individual flags
https://xenbits.xen.org/xsa/xsa299-4.12/0003-x86-mm-Separate-out-partial_pte-tristate-into-indivi.patch

[PATCH 04/11] x86/mm: Use flags for _put_page_type rather than a boolean
https://xenbits.xen.org/xsa/xsa299-4.12/0004-x86-mm-Use-flags-for-_put_page_type-rather-than-a-bo.patch

[PATCH 05/11] x86/mm: Rework get_page_and_type_from_mfn conditional
https://xenbits.xen.org/xsa/xsa299-4.12/0005-x86-mm-Rework-get_page_and_type_from_mfn-conditional.patch

[PATCH 06/11] x86/mm: Have alloc_l[23]_table clear partial_flags when
preempting
https://xenbits.xen.org/xsa/xsa299-4.12/0006-x86-mm-Have-alloc_l-23-_table-clear-partial_flags-wh.patch

[PATCH 07/11] x86/mm: Always retain a general ref on partial
https://xenbits.xen.org/xsa/xsa299-4.12/0007-x86-mm-Always-retain-a-general-ref-on-partial.patch

[PATCH 08/11] x86/mm: Collapse PTF_partial_set and PTF_partial_general_ref into one
https://xenbits.xen.org/xsa/xsa299-4.12/0008-x86-mm-Collapse-PTF_partial_set-and-PTF_partial_gene.patch

[PATCH 09/11] x86/mm: Properly handle linear pagetable promotion failures
https://xenbits.xen.org/xsa/xsa299-4.12/0009-x86-mm-Properly-handle-linear-pagetable-promotion-fa.patch

[PATCH 10/11] x86/mm: Fix nested de-validation on error
https://xenbits.xen.org/xsa/xsa299-4.12/0010-x86-mm-Fix-nested-de-validation-on-error.patch

[PATCH 11/11] x86/mm: Don’t drop a type ref unless you held a ref to begin with
https://xenbits.xen.org/xsa/xsa299-4.12/0011-x86-mm-Don-t-drop-a-type-ref-unless-you-held-a-ref-t.patch

Xen -unstable contendo os seguintes patches:

[PATCH 01/11] x86/mm: L1TF checks don’t leave a partial entry
https://xenbits.xen.org/xsa/xsa299/0001-x86-mm-L1TF-checks-don-t-leave-a-partial-entry.patch

[PATCH 02/11] x86/mm: Don’t re-set PGT_pinned on a partially de-validated page
https://xenbits.xen.org/xsa/xsa299/0002-x86-mm-Don-t-re-set-PGT_pinned-on-a-partially-de-val.patch

[PATCH 03/11] x86/mm: Separate out partial_pte tristate into individual flags
https://xenbits.xen.org/xsa/xsa299/0003-x86-mm-Separate-out-partial_pte-tristate-into-indivi.patch

[PATCH 04/11] x86/mm: Use flags for _put_page_type rather than a
boolean
https://xenbits.xen.org/xsa/xsa299/0004-x86-mm-Use-flags-for-_put_page_type-rather-than-a-bo.patch

[PATCH 05/11] x86/mm: Rework get_page_and_type_from_mfn conditional
https://xenbits.xen.org/xsa/xsa299/0005-x86-mm-Rework-get_page_and_type_from_mfn-conditional.patch

[PATCH 06/11] x86/mm: Have alloc_l[23]_table clear partial_flags when preempting
https://xenbits.xen.org/xsa/xsa299/0006-x86-mm-Have-alloc_l-23-_table-clear-partial_flags-wh.patch

[PATCH 07/11] x86/mm: Always retain a general ref on partial
https://xenbits.xen.org/xsa/xsa299/0007-x86-mm-Always-retain-a-general-ref-on-partial.patch

[PATCH 08/11] x86/mm: Collapse PTF_partial_set and PTF_partial_general_ref into one
https://xenbits.xen.org/xsa/xsa299/0008-x86-mm-Collapse-PTF_partial_set-and-PTF_partial_gene.patch

[PATCH 09/11] x86/mm: Properly handle linear pagetable promotion failures
https://xenbits.xen.org/xsa/xsa299/0009-x86-mm-Properly-handle-linear-pagetable-promotion-fa.patch

[PATCH 10/11] x86/mm: Fix nested de-validation on error
https://xenbits.xen.org/xsa/xsa299/0010-x86-mm-Fix-nested-de-validation-on-error.patch

[PATCH 11/11] x86/mm: Don’t drop a type ref unless you held a ref to begin with
https://xenbits.xen.org/xsa/xsa299/0011-x86-mm-Don-t-drop-a-type-ref-unless-you-held-a-ref-t.patch

Prova de conceito

Desconhecido

Descrição

Um administrador convidado PV mal-intencionado poderá escalar seus privilégios para os do host.

Detalhes técnicos

Para evitar o uso de shadow page tables para convidados de PV, o Xen expõe as tabelas de paginação de hardware reais ao convidado. Para impedir que o convidado modifique essas tabelas de páginas diretamente, o Xen controla como as páginas são usadas usando um sistema de tipos; as páginas devem ser “promovidas” antes de serem usadas como uma paginação e “rebaixadas” antes de serem usadas para qualquer outro tipo. O Xen também permite promoções “recursivas”: ou seja, um sistema operacional que promove uma página para uma paginação L4 pode acabar fazendo com que as páginas sejam promovidas para L3s, o que por sua vez pode fazer com que as páginas sejam promovidas para L2s e assim por diante. Essas operações podem levar um período arbitrariamente grande e, portanto, devem ser reiniciadas.

Infelizmente, a reinicialização das operações recursivas de promoção e rebaixamento de paginação é incrivelmente complicada, e o código contém vários race conditions que, se acionadas, podem fazer com que o Xen reduza ou retenha contagens de tipos extras, permitindo que os clientes tenham acesso de gravação a tabelas de paginação em uso.

Créditos

George Dunlap (Citrix)

Referência(s)

oss-security – Xen Security Advisory 299 v4 (CVE-2019-18421) – Issues with
restartable PV type change operations
https://www.openwall.com/lists/oss-security/2019/10/31/3

XSA-299 – Xen Security Advisories
https://xenbits.xen.org/xsa/advisory-299.html

[PATCH 01/12] x86/mm: Clean up trailing whitespace
https://xenbits.xen.org/xsa/xsa299-4.8/0001-x86-mm-Clean-up-trailing-whitespace.patch

[PATCH 02/12] x86/mm: L1TF checks don’t leave a partial entry
https://xenbits.xen.org/xsa/xsa299-4.8/0002-x86-mm-L1TF-checks-don-t-leave-a-partial-entry.patch

[PATCH 03/12] x86/mm: Don’t re-set PGT_pinned on a partially de-validated page
https://xenbits.xen.org/xsa/xsa299-4.8/0003-x86-mm-Don-t-re-set-PGT_pinned-on-a-partially-de-val.patch

[PATCH 04/12] x86/mm: Separate out partial_pte tristate into individual flags
https://xenbits.xen.org/xsa/xsa299-4.8/0004-x86-mm-Separate-out-partial_pte-tristate-into-indivi.patch

[PATCH 05/12] x86/mm: Use flags for _put_page_type rather than a boolean
https://xenbits.xen.org/xsa/xsa299-4.8/0005-x86-mm-Use-flags-for-_put_page_type-rather-than-a-bo.patch

[PATCH 06/12] x86/mm: Rework get_page_and_type_from_mfn conditional
https://xenbits.xen.org/xsa/xsa299-4.8/0006-x86-mm-Rework-get_page_and_type_from_mfn-conditional.patch

[PATCH 07/12] x86/mm: Have alloc_l[23]_table clear partial_flags when preempting
https://xenbits.xen.org/xsa/xsa299-4.8/0007-x86-mm-Have-alloc_l-23-_table-clear-partial_flags-wh.patch

[PATCH 08/12] x86/mm: Always retain a general ref on partial
https://xenbits.xen.org/xsa/xsa299-4.8/0008-x86-mm-Always-retain-a-general-ref-on-partial.patch

[PATCH 09/12] x86/mm: Collapse PTF_partial_set and PTF_partial_general_ref into one
https://xenbits.xen.org/xsa/xsa299-4.8/0009-x86-mm-Collapse-PTF_partial_set-and-PTF_partial_gene.patch

[PATCH 10/12] x86/mm: Properly handle linear pagetable promotion
failures
https://xenbits.xen.org/xsa/xsa299-4.8/0010-x86-mm-Properly-handle-linear-pagetable-promotion-fa.patch

[PATCH 11/12] x86/mm: Fix nested de-validation on error
https://xenbits.xen.org/xsa/xsa299-4.8/0011-x86-mm-Fix-nested-de-validation-on-error.patch

[PATCH 12/12] x86/mm: Don’t drop a type ref unless you held a ref to
begin with
https://xenbits.xen.org/xsa/xsa299-4.8/0012-x86-mm-Don-t-drop-a-type-ref-unless-you-held-a-ref-t.patch

[PATCH 01/12] x86/mm: Clean up trailing whitespace
https://xenbits.xen.org/xsa/xsa299-4.9/0001-x86-mm-Clean-up-trailing-whitespace.patch

[PATCH 02/12] x86/mm: L1TF checks don’t leave a partial entry
https://xenbits.xen.org/xsa/xsa299-4.9/0002-x86-mm-L1TF-checks-don-t-leave-a-partial-entry.patch

[PATCH 03/12] x86/mm: Don’t re-set PGT_pinned on a partially de-validated page
https://xenbits.xen.org/xsa/xsa299-4.9/0003-x86-mm-Don-t-re-set-PGT_pinned-on-a-partially-de-val.patch

[PATCH 04/12] x86/mm: Separate out partial_pte tristate into individual flags
https://xenbits.xen.org/xsa/xsa299-4.9/0004-x86-mm-Separate-out-partial_pte-tristate-into-indivi.patch

[PATCH 05/12] x86/mm: Use flags for _put_page_type rather than a
boolean
https://xenbits.xen.org/xsa/xsa299-4.9/0005-x86-mm-Use-flags-for-_put_page_type-rather-than-a-bo.patch

[PATCH 06/12] x86/mm: Rework get_page_and_type_from_mfn conditional
https://xenbits.xen.org/xsa/xsa299-4.9/0006-x86-mm-Rework-get_page_and_type_from_mfn-conditional.patch

[PATCH 07/12] x86/mm: Have alloc_l[23]_table clear partial_flags when preempting
https://xenbits.xen.org/xsa/xsa299-4.9/0007-x86-mm-Have-alloc_l-23-_table-clear-partial_flags-wh.patch

[PATCH 08/12] x86/mm: Always retain a general ref on partial
https://xenbits.xen.org/xsa/xsa299-4.9/0008-x86-mm-Always-retain-a-general-ref-on-partial.patch

[PATCH 09/12] x86/mm: Collapse PTF_partial_set and PTF_partial_general_ref into one
https://xenbits.xen.org/xsa/xsa299-4.9/0009-x86-mm-Collapse-PTF_partial_set-and-PTF_partial_gene.patch

[PATCH 10/12] x86/mm: Properly handle linear pagetable promotion failures
https://xenbits.xen.org/xsa/xsa299-4.9/0010-x86-mm-Properly-handle-linear-pagetable-promotion-fa.patch

[PATCH 11/12] x86/mm: Fix nested de-validation on error
https://xenbits.xen.org/xsa/xsa299-4.9/0011-x86-mm-Fix-nested-de-validation-on-error.patch

[PATCH 12/12] x86/mm: Don’t drop a type ref unless you held a ref to begin with
https://xenbits.xen.org/xsa/xsa299-4.9/0012-x86-mm-Don-t-drop-a-type-ref-unless-you-held-a-ref-t.patch

[PATCH 01/11] x86/mm: L1TF checks don’t leave a partial entry
https://xenbits.xen.org/xsa/xsa299-4.10/0001-x86-mm-L1TF-checks-don-t-leave-a-partial-entry.patch

[PATCH 02/11] x86/mm: Don’t re-set PGT_pinned on a partially de-validated page
https://xenbits.xen.org/xsa/xsa299-4.10/0002-x86-mm-Don-t-re-set-PGT_pinned-on-a-partially-de-val.patch

[PATCH 03/11] x86/mm: Separate out partial_pte tristate into individual flags
https://xenbits.xen.org/xsa/xsa299-4.10/0003-x86-mm-Separate-out-partial_pte-tristate-into-indivi.patch

[PATCH 04/11] x86/mm: Use flags for _put_page_type rather than a boolean
https://xenbits.xen.org/xsa/xsa299-4.10/0004-x86-mm-Use-flags-for-_put_page_type-rather-than-a-bo.patch

[PATCH 05/11] x86/mm: Rework get_page_and_type_from_mfn conditional
https://xenbits.xen.org/xsa/xsa299-4.10/0005-x86-mm-Rework-get_page_and_type_from_mfn-conditional.patch

[PATCH 06/11] x86/mm: Have alloc_l[23]_table clear partial_flags when preempting
https://xenbits.xen.org/xsa/xsa299-4.10/0006-x86-mm-Have-alloc_l-23-_table-clear-partial_flags-wh.patch

[PATCH 07/11] x86/mm: Always retain a general ref on partial
https://xenbits.xen.org/xsa/xsa299-4.10/0007-x86-mm-Always-retain-a-general-ref-on-partial.patch

[PATCH 08/11] x86/mm: Collapse PTF_partial_set and PTF_partial_general_ref into one
https://xenbits.xen.org/xsa/xsa299-4.10/0008-x86-mm-Collapse-PTF_partial_set-and-PTF_partial_gene.patch

[PATCH 09/11] x86/mm: Properly handle linear pagetable promotion failures
https://xenbits.xen.org/xsa/xsa299-4.10/0009-x86-mm-Properly-handle-linear-pagetable-promotion-fa.patch

[PATCH 10/11] x86/mm: Fix nested de-validation on error
https://xenbits.xen.org/xsa/xsa299-4.10/0010-x86-mm-Fix-nested-de-validation-on-error.patch

[PATCH 11/11] x86/mm: Don’t drop a type ref unless you held a ref to begin with
https://xenbits.xen.org/xsa/xsa299-4.10/0011-x86-mm-Don-t-drop-a-type-ref-unless-you-held-a-ref-t.patch

[PATCH 01/11] x86/mm: L1TF checks don’t leave a partial entry
https://xenbits.xen.org/xsa/xsa299-4.11/0001-x86-mm-L1TF-checks-don-t-leave-a-partial-entry.patch

[PATCH 02/11] x86/mm: Don’t re-set PGT_pinned on a partially de-validated page
https://xenbits.xen.org/xsa/xsa299-4.11/0002-x86-mm-Don-t-re-set-PGT_pinned-on-a-partially-de-val.patch

[PATCH 03/11] x86/mm: Separate out partial_pte tristate into individual flags
https://xenbits.xen.org/xsa/xsa299-4.11/0003-x86-mm-Separate-out-partial_pte-tristate-into-indivi.patch

[PATCH 04/11] x86/mm: Use flags for _put_page_type rather than a boolean
https://xenbits.xen.org/xsa/xsa299-4.11/0004-x86-mm-Use-flags-for-_put_page_type-rather-than-a-bo.patch

[PATCH 05/11] x86/mm: Rework get_page_and_type_from_mfn conditional
https://xenbits.xen.org/xsa/xsa299-4.11/0005-x86-mm-Rework-get_page_and_type_from_mfn-conditional.patch

[PATCH 06/11] x86/mm: Have alloc_l[23]_table clear partial_flags when preempting
https://xenbits.xen.org/xsa/xsa299-4.11/0006-x86-mm-Have-alloc_l-23-_table-clear-partial_flags-wh.patch

[PATCH 07/11] x86/mm: Always retain a general ref on partial
https://xenbits.xen.org/xsa/xsa299-4.11/0007-x86-mm-Always-retain-a-general-ref-on-partial.patch

[PATCH 08/11] x86/mm: Collapse PTF_partial_set and PTF_partial_general_ref into one
https://xenbits.xen.org/xsa/xsa299-4.11/0008-x86-mm-Collapse-PTF_partial_set-and-PTF_partial_gene.patch

[PATCH 09/11] x86/mm: Properly handle linear pagetable promotion failures
https://xenbits.xen.org/xsa/xsa299-4.11/0009-x86-mm-Properly-handle-linear-pagetable-promotion-fa.patch

[PATCH 10/11] x86/mm: Fix nested de-validation on error
https://xenbits.xen.org/xsa/xsa299-4.11/0010-x86-mm-Fix-nested-de-validation-on-error.patch

[PATCH 11/11] x86/mm: Don’t drop a type ref unless you held a ref to begin with
https://xenbits.xen.org/xsa/xsa299-4.11/0011-x86-mm-Don-t-drop-a-type-ref-unless-you-held-a-ref-t.patch

[PATCH 01/11] x86/mm: L1TF checks don’t leave a partial entry
https://xenbits.xen.org/xsa/xsa299-4.12/0001-x86-mm-L1TF-checks-don-t-leave-a-partial-entry.patch

[PATCH 02/11] x86/mm: Don’t re-set PGT_pinned on a partially de-validated page
https://xenbits.xen.org/xsa/xsa299-4.12/0002-x86-mm-Don-t-re-set-PGT_pinned-on-a-partially-de-val.patch

[PATCH 03/11] x86/mm: Separate out partial_pte tristate into individual flags
https://xenbits.xen.org/xsa/xsa299-4.12/0003-x86-mm-Separate-out-partial_pte-tristate-into-indivi.patch

[PATCH 04/11] x86/mm: Use flags for _put_page_type rather than a boolean
https://xenbits.xen.org/xsa/xsa299-4.12/0004-x86-mm-Use-flags-for-_put_page_type-rather-than-a-bo.patch

[PATCH 05/11] x86/mm: Rework get_page_and_type_from_mfn conditional
https://xenbits.xen.org/xsa/xsa299-4.12/0005-x86-mm-Rework-get_page_and_type_from_mfn-conditional.patch

[PATCH 06/11] x86/mm: Have alloc_l[23]_table clear partial_flags when
preempting
https://xenbits.xen.org/xsa/xsa299-4.12/0006-x86-mm-Have-alloc_l-23-_table-clear-partial_flags-wh.patch

[PATCH 07/11] x86/mm: Always retain a general ref on partial
https://xenbits.xen.org/xsa/xsa299-4.12/0007-x86-mm-Always-retain-a-general-ref-on-partial.patch

[PATCH 08/11] x86/mm: Collapse PTF_partial_set and PTF_partial_general_ref into one
https://xenbits.xen.org/xsa/xsa299-4.12/0008-x86-mm-Collapse-PTF_partial_set-and-PTF_partial_gene.patch

[PATCH 09/11] x86/mm: Properly handle linear pagetable promotion failures
https://xenbits.xen.org/xsa/xsa299-4.12/0009-x86-mm-Properly-handle-linear-pagetable-promotion-fa.patch

[PATCH 10/11] x86/mm: Fix nested de-validation on error
https://xenbits.xen.org/xsa/xsa299-4.12/0010-x86-mm-Fix-nested-de-validation-on-error.patch

[PATCH 11/11] x86/mm: Don’t drop a type ref unless you held a ref to begin with
https://xenbits.xen.org/xsa/xsa299-4.12/0011-x86-mm-Don-t-drop-a-type-ref-unless-you-held-a-ref-t.patch

[PATCH 01/11] x86/mm: L1TF checks don’t leave a partial entry
https://xenbits.xen.org/xsa/xsa299/0001-x86-mm-L1TF-checks-don-t-leave-a-partial-entry.patch

[PATCH 02/11] x86/mm: Don’t re-set PGT_pinned on a partially de-validated page
https://xenbits.xen.org/xsa/xsa299/0002-x86-mm-Don-t-re-set-PGT_pinned-on-a-partially-de-val.patch

[PATCH 03/11] x86/mm: Separate out partial_pte tristate into individual flags
https://xenbits.xen.org/xsa/xsa299/0003-x86-mm-Separate-out-partial_pte-tristate-into-indivi.patch

[PATCH 04/11] x86/mm: Use flags for _put_page_type rather than a
boolean
https://xenbits.xen.org/xsa/xsa299/0004-x86-mm-Use-flags-for-_put_page_type-rather-than-a-bo.patch

[PATCH 05/11] x86/mm: Rework get_page_and_type_from_mfn conditional
https://xenbits.xen.org/xsa/xsa299/0005-x86-mm-Rework-get_page_and_type_from_mfn-conditional.patch

[PATCH 06/11] x86/mm: Have alloc_l[23]_table clear partial_flags when preempting
https://xenbits.xen.org/xsa/xsa299/0006-x86-mm-Have-alloc_l-23-_table-clear-partial_flags-wh.patch

[PATCH 07/11] x86/mm: Always retain a general ref on partial
https://xenbits.xen.org/xsa/xsa299/0007-x86-mm-Always-retain-a-general-ref-on-partial.patch

[PATCH 08/11] x86/mm: Collapse PTF_partial_set and PTF_partial_general_ref into one
https://xenbits.xen.org/xsa/xsa299/0008-x86-mm-Collapse-PTF_partial_set-and-PTF_partial_gene.patch

[PATCH 09/11] x86/mm: Properly handle linear pagetable promotion failures
https://xenbits.xen.org/xsa/xsa299/0009-x86-mm-Properly-handle-linear-pagetable-promotion-fa.patch

[PATCH 10/11] x86/mm: Fix nested de-validation on error
https://xenbits.xen.org/xsa/xsa299/0010-x86-mm-Fix-nested-de-validation-on-error.patch

[PATCH 11/11] x86/mm: Don’t drop a type ref unless you held a ref to begin with
https://xenbits.xen.org/xsa/xsa299/0011-x86-mm-Don-t-drop-a-type-ref-unless-you-held-a-ref-t.patch

CVE-2019-18421
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18421

CVE-2019-18421
https://nvd.nist.gov/vuln/detail/CVE-2019-18421

Se encontrou algum erro neste alerta ou deseja uma análise compreensiva, entre em contato.

Última modificação: 12 novembro 2019

Não somos responsáveis por qualquer perda de dados, corrupção de dispositivos ou qualquer outro tipo de problema devido ao uso de qualquer informação mencionada em nossos alertas de segurança.