Xen through 4.11.x Improper Input Validation Vulnerability

Summary

An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service or gain privileges because of an incompatibility between Process Context Identifiers (PCID) and TLB flushes.

Credit:

The information has been provided by Sergey Dyasli

The original article can be found at: https://xenbits.xen.org/xsa/advisory-292.html


Details

Use of Process Context Identifiers (PCID) was introduced into Xen to recover performance lost to the XSA-254 mitigations (in particular those for the Meltdown sub-issue). Enabling PCID required changes to the TLB flushing logic. In the particular case of a context switch to a vCPU of a PCID-enabled guest, the code performed the full TLB flush before the actual address space switch, leaving a time window between the two. Any memory touched in that window still runs in the outgoing address space and refills the TLB with entries tagged with its PCID. Because PCIDs exist precisely so that a CR3 write does not discard TLB entries belonging to other contexts, those late entries survive the switch and are never purged afterwards, so stale translations for the outgoing address space remain usable.
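The following toy model of a PCID-tagged TLB is an added illustration of the ordering problem described above; it is not Xen code, and its addresses, PCIDs and the "memory touched during the switch path" are all constructed for the example. It contrasts the flush-then-switch order the advisory describes with a switch-then-flush order that closes the window in the model (the actual fix is in the patch referenced by XSA-292, not reproduced here).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model, not Xen code. Each TLB entry is tagged with the PCID
 * of the address space that filled it; a CR3 write with the NOFLUSH bit set
 * changes only the current PCID and keeps every existing entry.
 */
#define TLB_SIZE 16

struct tlb_entry {
    bool valid;
    uint16_t pcid;
    uint64_t vpn;   /* virtual page number */
    uint64_t pfn;   /* physical frame it translates to */
};

struct tlb {
    struct tlb_entry e[TLB_SIZE];
    uint16_t cur_pcid;  /* PCID field of the current CR3 */
};

/* A page walk completes: the translation is cached under the current PCID. */
static void tlb_fill(struct tlb *t, uint64_t vpn, uint64_t pfn)
{
    for (size_t i = 0; i < TLB_SIZE; i++) {
        if (!t->e[i].valid) {
            t->e[i] = (struct tlb_entry){ true, t->cur_pcid, vpn, pfn };
            return;
        }
    }
}

/* Full flush: entries for every PCID are dropped (e.g. INVPCID all-contexts). */
static void tlb_flush_all(struct tlb *t)
{
    for (size_t i = 0; i < TLB_SIZE; i++)
        t->e[i].valid = false;
}

/* CR3 write with NOFLUSH set: only the current PCID changes, nothing is purged. */
static void write_cr3_noflush(struct tlb *t, uint16_t new_pcid)
{
    t->cur_pcid = new_pcid;
}

/* How many valid entries still carry the given PCID tag. */
static size_t tlb_count_pcid(const struct tlb *t, uint16_t pcid)
{
    size_t n = 0;
    for (size_t i = 0; i < TLB_SIZE; i++)
        if (t->e[i].valid && t->e[i].pcid == pcid)
            n++;
    return n;
}

/*
 * Memory the context-switch path itself touches (stack, per-CPU data, the
 * switch code). It still executes in the outgoing address space, so it refills
 * the TLB under the old PCID. Addresses are constructed for the example.
 */
static void touch_switch_path_memory(struct tlb *t)
{
    tlb_fill(t, 0xffff8100, 0x2a0);
    tlb_fill(t, 0xffff8101, 0x2a1);
}

/* Order described in the advisory: flush, then switch. Returns stale entries. */
static size_t buggy_switch(uint16_t old_pcid, uint16_t new_pcid)
{
    struct tlb t = { .cur_pcid = old_pcid };
    tlb_fill(&t, 0x1000, 0x100);          /* guest translation under old_pcid */
    tlb_flush_all(&t);                    /* the "full TLB flush" */
    touch_switch_path_memory(&t);         /* window: refills tagged old_pcid */
    write_cr3_noflush(&t, new_pcid);      /* switch; NOFLUSH keeps them */
    return tlb_count_pcid(&t, old_pcid);  /* these are never purged later */
}

/* Switch first, then flush: nothing filled before the flush can survive it. */
static size_t fixed_switch(uint16_t old_pcid, uint16_t new_pcid)
{
    struct tlb t = { .cur_pcid = old_pcid };
    tlb_fill(&t, 0x1000, 0x100);
    touch_switch_path_memory(&t);
    write_cr3_noflush(&t, new_pcid);
    tlb_flush_all(&t);
    return tlb_count_pcid(&t, old_pcid);
}

int main(void)
{
    printf("stale old-PCID entries, flush-then-switch: %zu\n", buggy_switch(1, 2));
    printf("stale old-PCID entries, switch-then-flush: %zu\n", fixed_switch(1, 2));
    return 0;
}
```

The stale entries left by the first ordering translate the outgoing context's virtual pages to frames that may later be freed or reassigned, which is why the advisory lists both denial of service and privilege escalation as outcomes; the model only counts them, it does not exercise that consequence.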

Vulnerable Systems:

Xen through 4.11.x

CVE Information:

CVE-2019-17346

Disclosure Timeline:
Published Date: 10/07/2019