We have just published Qubes Security Bulletin (QSB) 074: Xen issues related to populate-on-demand (XSA-388, XSA-389). The text of this QSB is reproduced below. This QSB and its accompanying signatures will always be available in the Qubes Security Pack (qubes-secpack).

View QSB-074 in the qubes-secpack:

https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-074-2021.txt

In addition, you may wish to:


             ---===[ Qubes Security Bulletin 074 ]===---

                             2021-11-23

     Xen issues related to populate-on-demand (XSA-388, XSA-389)


User action required
---------------------

Users must install the following specific packages in order to address
the issues discussed in this bulletin:

  For Qubes 4.0, in dom0:
  - Xen packages, version 4.8.5-36

  For Qubes 4.1, in dom0:
  - Xen packages, version 4.14.3-4

These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community. [1] Once available, the packages are to be installed
via the Qubes Update tool or its command-line equivalents. [2]

Dom0 must be restarted afterward in order for the updates to take
effect.

If you use Anti Evil Maid, you will need to reseal your secret
passphrase to new PCR values, as PCR18+19 will change due to the new
Xen binaries.


Summary
--------

The following security advisories were published on 2021-11-23:

XSA-388 [3] "PoD operations on misaligned GFNs":

| x86 HVM and PVH guests may be started in populate-on-demand (PoD) mode,
| to provide a way for them to later easily have more memory assigned.
| 
| Guests are permitted to control certain P2M aspects of individual
| pages via hypercalls.  These hypercalls may act on ranges of pages
| specified via page orders (resulting in a power-of-2 number of pages).
| The implementation of some of these hypercalls for PoD does not
| enforce the base page frame number to be suitably aligned for the
| specified order, yet some code involved in PoD handling actually makes
| such an assumption.
| 
| These operations are XENMEM_decrease_reservation (CVE-2021-28704) and
| XENMEM_populate_physmap (CVE-2021-28707), the latter usable only by
| domains controlling the guest, i.e. a de-privileged qemu or a stub
| domain.  (Patch 1, combining the fix to both these two issues.)
| 
| In addition handling of XENMEM_decrease_reservation can also trigger a
| host crash when the specified page order is neither 4k nor 2M nor 1G
| (CVE-2021-28708, patch 2).

XSA-389 [4] "issues with partially successful P2M updates on x86":

| x86 HVM and PVH guests may be started in populate-on-demand (PoD) mode,
| to provide a way for them to later easily have more memory assigned.
| 
| Guests are permitted to control certain P2M aspects of individual
| pages via hypercalls.  These hypercalls may act on ranges of pages
| specified via page orders (resulting in a power-of-2 number of pages).
| In some cases the hypervisor carries out the requests by splitting
| them into smaller chunks.  Error handling in certain PoD cases has
| been insufficient in that in particular partial success of some
| operations was not properly accounted for.
| 
| There are two code paths affected - page removal (CVE-2021-28705) and
| insertion of new pages (CVE-2021-28709).  (We provide one patch which
| combines the fix to both issues.)


Impact
-------

Malicious or buggy guest kernels may be able to mount Denial of Service
(DoS) attacks affecting the entire system. Privilege escalation and
information leaks cannot be ruled out.

These issues affect only qubes that have dynamic memory balancing
enabled. In the default Qubes OS configuration, this excludes sys-net
and sys-usb, which have memory assigned statically. All other
Linux-based qubes are affected.


Credits
--------

See the original Xen Security Advisories.


References
-----------

[1] https://www.qubes-os.org/doc/testing/
[2] https://www.qubes-os.org/doc/how-to-update/
[3] https://xenbits.xen.org/xsa/advisory-388.html
[4] https://xenbits.xen.org/xsa/advisory-389.html

--
The Qubes Security Team
https://www.qubes-os.org/security/