144 lines
5.3 KiB
Text
144 lines
5.3 KiB
Text
-----BEGIN PGP SIGNED MESSAGE-----
|
|
Hash: SHA512
|
|
|
|
=============================================================================
|
|
FreeBSD-EN-18:07.pmap Errata Notice
|
|
The FreeBSD Project
|
|
|
|
Topic: Incorrect TLB shootdown for Xen based guests
|
|
|
|
Category: core
|
|
Module: kernel
|
|
Announced: 2018-06-21
|
|
Credits: Colin Percival
|
|
Affects: FreeBSD 11.1
|
|
Corrected: 2018-05-22 14:36:46 UTC (stable/11, 11.2-BETA2)
|
|
2018-06-21 05:18:08 UTC (releng/11.1, 11.1-RELEASE-p11)
|
|
|
|
For general information regarding FreeBSD Errata Notices and Security
|
|
Advisories, including descriptions of the fields above, security
|
|
branches, and the following sections, please visit
|
|
<URL:https://security.FreeBSD.org/>.
|
|
|
|
I. Background
|
|
|
|
CPUs rely on a Translation Lookaside Buffer (TLB) to cache virtual memory
|
|
paging information. When a page is unmapped from the virtual address space
|
|
of a process on a multiprocessor system, an Inter-Processor Interrupt (IPI)
|
|
may be sent to instruct other CPUs to invalidate ("shoot down") their TLB
|
|
entries for the addresses in question.
|
|
|
|
For virtualization-related performance reasons, FreeBSD has IPI code for the
|
|
Xen platform which is separate from the generic x86 IPI code.
|
|
|
|
II. Problem Description
|
|
|
|
In the course of changes to the FreeBSD virtual memory system to address
|
|
FreeBSD-SA-18:03.speculative_execution, changes were made to the IPIs used
|
|
for shooting down TLB entries. Unfortunately, the IPI handlers for Xen were
|
|
left non-PTI, even when PTI was enabled, which result in TLB shootdowns for
|
|
the user mode portion of the address space not being consistently performed
|
|
correctly.
|
|
|
|
III. Impact
|
|
|
|
Processes on Xen based guests may "see" pages of memory which were previously
|
|
mapped but have since been unmapped, resulted in data being corrupted and/or
|
|
processes crashing due to internal data structures becoming inconsistent.
|
|
|
|
IV. Workaround
|
|
|
|
Only Xen based guests are affected by this issue. All other platforms are
|
|
not susceptible.
|
|
|
|
For Xen based guests, disabling PTI will workaround the issue. Add the
|
|
following line to /boot/loader.conf:
|
|
vm.pmap.pti=0
|
|
|
|
Please be aware, by disabling PTI, the system will be vulnerable to
|
|
FreeBSD-SA-18:03.speculative_execution.
|
|
|
|
V. Solution
|
|
|
|
Perform one of the following:
|
|
|
|
1) Upgrade your system to a supported FreeBSD stable or release / security
|
|
branch (releng) dated after the correction date.
|
|
|
|
Afterward, reboot the system.
|
|
|
|
2) To update your system via a binary patch:
|
|
|
|
Systems running a RELEASE version of FreeBSD on the i386 or amd64
|
|
platforms can be updated via the freebsd-update(8) utility:
|
|
|
|
# freebsd-update fetch
|
|
# freebsd-update install
|
|
|
|
Afterward, reboot the system.
|
|
|
|
3) To update your system via a source code patch:
|
|
|
|
The following patches have been verified to apply to the applicable
|
|
FreeBSD release branches.
|
|
|
|
a) Download the relevant patch from the location below, and verify the
|
|
detached PGP signature using your PGP utility.
|
|
|
|
[FreeBSD 11.1]
|
|
# fetch https://security.FreeBSD.org/patches/EN-18:07/pmap.patch
|
|
# fetch https://security.FreeBSD.org/patches/EN-18:07/pmap.patch.asc
|
|
# gpg --verify pmap.patch.asc
|
|
|
|
b) Apply the patch. Execute the following commands as root:
|
|
|
|
# cd /usr/src
|
|
# patch < /path/to/patch
|
|
|
|
c) Recompile your kernel as described in
|
|
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
|
|
system.
|
|
|
|
VI. Correction details
|
|
|
|
The following list contains the correction revision numbers for each
|
|
affected branch.
|
|
|
|
Branch/path Revision
|
|
- -------------------------------------------------------------------------
|
|
stable/11/ r334047
|
|
releng/11.1/ r335466
|
|
- -------------------------------------------------------------------------
|
|
|
|
To see which files were modified by a particular revision, run the
|
|
following command, replacing NNNNNN with the revision number, on a
|
|
machine with Subversion installed:
|
|
|
|
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
|
|
|
|
Or visit the following URL, replacing NNNNNN with the revision number:
|
|
|
|
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
|
|
|
|
VII. References
|
|
|
|
The latest revision of this notice is available at
|
|
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-18:07.pmap.asc>
|
|
-----BEGIN PGP SIGNATURE-----
|
|
|
|
iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlsrN3hfFIAAAAAALgAo
|
|
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
|
|
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
|
|
5cIOow/+P+zdQ8dmZcEIy7HjYdpTAbPIGNnSdvuXV5O5XGamOziTJOuEEDBxeNiE
|
|
QE9VM8a94Ybl0CJZhfBVPhqrDpYuXOqKvnfHlcXWjppDliUPWohF6kTj4ugqGKrl
|
|
T2VckEvjltgJQ1/XqnkE7n1LuezLcqF/RbW3xOeRkAhf3X+IXd/E3uCuw/n4yknl
|
|
O5EvLmjq3bGlN7OfHOM4E+PHvYOxxfbjYH5S+1Z9g0/apR6HOUi9WU0hV5YEB9Cz
|
|
hUCsnx15Nla97jD9P1xy0tr3FkPpvZRJGj2BelNaQoFNrZB7oWB9xwOmwSqxye/b
|
|
zvp+/WUuGlo1KWU8RldzVPP6A7piuL6oAvYqW8/wcpwd9HqNGXblWz1XodpE3x1F
|
|
TKHTGcP/e/wgU6810SolylwJKxhGVZaQK3UH1iVKPRRTw+HUR1OVDY+q7XAyFD7c
|
|
QbKRyWQIYr2X98LhiT8TMVssharFg7AcviRSDEdCYt+A6S9jiDWMe+C3hGndSSET
|
|
Cf/0q6PQ89GQKw3lQOgwvtWlMaKPwfg3W8lxkusK5o935aXWhbRee3Hzkld7eUl0
|
|
8/uGBCgDnSk7hPIHLDcddIKI+QT0IpHKCPlBRRoTJUhpXo/g5bVkbUnMKBZ7zf3O
|
|
mBvci+KPc2yqp///fw1eMhgRTOOOOnXAHUMsb/FH1b+yIcikudo=
|
|
=fw9I
|
|
-----END PGP SIGNATURE-----
|