.. _asa:

Security Advisory
#################

Addressed in ACRN v3.0.2
************************
We recommend that all developers using v3.0.1 or earlier upgrade to this v3.0.2
release (or later), which addresses the following security issues discovered in
previous releases. For v3.1 users, these issues are addressed in the v3.2
release:
12
-----

- Board inspector: use only executables found under system paths
    The board inspector invoked external tools by partial (bare) executable
    names, so the lookup followed the caller's search path. Another executable
    with the same name that is also found in the search path, for example one
    placed earlier in ``PATH``, would be run instead of the intended system
    tool, with unintended results.

    A wrapper module (``external_tools``) is introduced that locates executables
    only under system paths such as ``/usr/bin`` and ``/usr/sbin`` and converts
    partial executable paths to absolute ones before executing them via the
    ``subprocess`` module. All invocations of ``subprocess.run`` or
    ``subprocess.Popen`` throughout the board inspector are replaced with
    ``external_tools.run``, the only exception being the invocation of the
    legacy board parser, which already uses the absolute path of the current
    Python interpreter.

    **Affected Release:** v3.1, v3.0.1 and earlier
29
- Add tarfile member sanitization to extractall()
    A directory traversal vulnerability in the Python ``tarfile`` module's
    ``extract()`` and ``extractall()`` functions could allow user-assisted
    remote attackers to overwrite arbitrary files via a ``..`` (dot dot)
    sequence in filenames in a tar archive, related to CVE-2001-1267. Archive
    members are now sanitized before ``extractall()`` is called, so members
    whose path would resolve outside the destination directory are rejected.
    (Addresses the security issue tracked by CVE-2007-4559.)

    **Affected Release:** v3.1, v3.0.1 and earlier
37
- PMU (Performance Monitoring Unit) is passed through to an RTVM only in debug mode
    Passing PMU counters through to an RTVM can cause workload interference in
    a release build, so PMU passthrough is now enabled only when ACRN is built
    in debug mode.

    **Affected Release:** v3.1, v3.0.1 and earlier
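
A restricted lookup of the kind described for the board inspector can be
written as below. This is an added example, not the board inspector's own
``external_tools`` module: the tool name must be bare, it is resolved only
under an allow-list of system directories rather than via ``PATH``, and the
resolved absolute path is what reaches ``subprocess``. The allow-list, the
function names and the planted ``lspci`` scenario in ``demo()`` are assumptions
constructed for the example.

```python
"""Resolve external tool names only under trusted system directories before
handing them to subprocess (added example; not ACRN's external_tools module)."""
import os
import stat
import subprocess
import tempfile
from pathlib import Path

# Assumed allow-list of trusted directories, searched in this order. A real
# deployment pins this to the directories its distribution installs tools into.
SYSTEM_PATHS = ("/usr/sbin", "/usr/bin", "/sbin", "/bin")

_EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def _is_executable_file(path):
    # Mode bits rather than os.access(), so the result does not depend on mount flags.
    try:
        st = path.stat()
    except OSError:
        return False
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & _EXEC_BITS)


def locate(tool, search_paths=SYSTEM_PATHS):
    """Return the absolute path of a trusted copy of ``tool``.

    Only a bare program name is accepted: a caller-supplied path, relative or
    absolute, could point outside the trusted directories. PATH is never consulted.
    """
    if not tool or os.sep in tool or tool in (".", ".."):
        raise ValueError(f"expected a bare program name, got {tool!r}")
    for directory in search_paths:
        candidate = Path(directory) / tool
        if _is_executable_file(candidate):
            return str(candidate.resolve())
    raise FileNotFoundError(f"{tool!r} not found under {list(search_paths)}")


def run(argv, search_paths=SYSTEM_PATHS, **kwargs):
    """Replacement for subprocess.run(): argv[0] is rewritten to a trusted absolute path."""
    kwargs.setdefault("check", True)
    return subprocess.run([locate(argv[0], search_paths), *argv[1:]], **kwargs)


def naive_locate(tool, path_env):
    """Model of what a partial path means to the OS: the first match along PATH wins."""
    for directory in path_env.split(os.pathsep):
        candidate = Path(directory) / tool
        if _is_executable_file(candidate):
            return str(candidate.resolve())
    return None


def demo():
    """Constructed scenario: a planted ``lspci`` ahead of the trusted one on PATH.

    Returns (naive_choice, restricted_choice), each "planted" or "trusted".
    """
    with tempfile.TemporaryDirectory() as tmp:
        trusted_dir = Path(tmp, "usr", "bin")   # stands in for a system path
        planted_dir = Path(tmp, "attacker")     # attacker-writable directory
        for directory in (trusted_dir, planted_dir):
            directory.mkdir(parents=True)
            script = directory / "lspci"
            script.write_text("#!/bin/sh\necho lspci\n")
            script.chmod(0o755)
        path_env = os.pathsep.join([str(planted_dir), str(trusted_dir)])

        def label(path):
            return "planted" if path.startswith(str(planted_dir.resolve())) else "trusted"

        naive = naive_locate("lspci", path_env)
        restricted = locate("lspci", search_paths=(str(trusted_dir),))
        return label(naive), label(restricted)
```

``naive_locate()`` shows why a bare name is dangerous: it walks ``PATH`` in
order, so a planted copy earlier on ``PATH`` wins. With an allow-list that
cannot include attacker-writable directories the same name always resolves to
the trusted copy, and a caller-supplied path such as ``../bin/lspci`` is
refused outright rather than resolved.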
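
Member sanitization for ``extractall()`` can be implemented as below. This is
an added example, not the code shipped in ACRN: every member's destination
path (and, for links, the link target) is resolved against the extraction
directory before anything is written, and the whole archive is refused if any
member escapes. The hostile archive built by ``build_archive()`` in ``demo()``
is constructed for the example. On Python 3.12 and later (and the 3.8 to 3.11
point releases that backport PEP 706) the code also passes the standard
library's ``filter="data"``, which performs equivalent checks.

```python
"""Reject tar members that would be written outside the destination directory
(CVE-2007-4559 class). Added example; not ACRN's own code."""
import io
import os
import tarfile
import tempfile


class UnsafeTarMember(Exception):
    """Raised when an archive member would be written outside the destination."""


def _inside(dest, path):
    # realpath() collapses ".." and follows existing symlinks; the result must stay under dest.
    real_dest = os.path.realpath(dest)
    real_path = os.path.realpath(path)
    return os.path.commonpath([real_dest, real_path]) == real_dest


def unsafe_members(tar, dest):
    """Return [(member_name, reason)] for every member that escapes ``dest``."""
    bad = []
    for m in tar.getmembers():
        if not _inside(dest, os.path.join(dest, m.name)):
            # Covers "../x" traversal and absolute names: join() yields the absolute name as-is.
            bad.append((m.name, "path escapes destination"))
        elif m.issym():
            # A symlink target is relative to the member's own directory.
            target = os.path.join(dest, os.path.dirname(m.name), m.linkname)
            if not _inside(dest, target):
                bad.append((m.name, "symlink target escapes destination"))
        elif m.islnk() and not _inside(dest, os.path.join(dest, m.linkname)):
            bad.append((m.name, "hardlink target escapes destination"))
    return bad


def safe_extractall(tar, dest):
    """extractall() that checks every member first and extracts nothing if any is unsafe."""
    bad = unsafe_members(tar, dest)
    if bad:
        raise UnsafeTarMember(bad)
    if hasattr(tarfile, "data_filter"):   # PEP 706 filters available (3.12+, backports)
        tar.extractall(dest, filter="data")
    else:
        tar.extractall(dest)


def build_archive(members):
    """Constructed in-memory tar: members are (name, bytes) or (name, ("symlink", target))."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in members:
            info = tarfile.TarInfo(name)
            if isinstance(payload, tuple):
                info.type = tarfile.SYMTYPE
                info.linkname = payload[1]
                tar.addfile(info)
            else:
                info.size = len(payload)
                tar.addfile(info, io.BytesIO(payload))
    buf.seek(0)
    return buf


def demo():
    """Constructed scenario; returns (rejected names, hostile archive refused, files extracted)."""
    hostile = build_archive([
        ("ok/readme.txt", b"fine\n"),                  # benign
        ("../../evil.txt", b"owned\n"),                # dot-dot traversal
        ("/etc/cron.d/job", b"* * * * * root id\n"),   # absolute path
        ("link", ("symlink", "../../outside")),        # symlink escaping dest ...
        ("link/payload", b"through the link\n"),       # ... then a write through it
    ])
    benign = build_archive([("ok/readme.txt", b"fine\n"), ("ok/sub/data.bin", b"\x00\x01")])
    with tempfile.TemporaryDirectory() as dest:
        with tarfile.open(fileobj=hostile) as tar:
            rejected = [name for name, _ in unsafe_members(tar, dest)]
        hostile.seek(0)
        refused = False
        with tarfile.open(fileobj=hostile) as tar:
            try:
                safe_extractall(tar, dest)
            except UnsafeTarMember:
                refused = True
        with tarfile.open(fileobj=benign) as tar:
            safe_extractall(tar, dest)
        extracted = sorted(
            os.path.relpath(os.path.join(root, name), dest)
            for root, _dirs, files in os.walk(dest) for name in files
        )
    return rejected, refused, extracted
```

The check runs over ``getmembers()`` before extraction rather than member by
member during it, so a traversal entry late in the archive cannot leave an
earlier, partially extracted tree behind. Rejecting the ``link`` member also
neutralizes the ``link/payload`` entry that would otherwise write through the
extracted symlink, even though that entry's own path looks harmless.
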
Addressed in ACRN v3.0.1
************************
We recommend that all developers upgrade to this v3.0.1 release (or later), which
addresses the following security issue discovered in previous releases:

-----

- Disable RRSBA on platforms using retpoline
    On platforms that support RRSBA (Restricted Return Stack Buffer
    Alternate), retpoline alone may not be sufficient to guard against branch
    history injection or intra-mode branch target injection, because the CPU
    may still use alternate predictors for RET instructions. RRSBA must
    therefore be disabled to prevent CPUs from using alternate predictors for RETs.
    (Addresses the security issues tracked by CVE-2022-29901 and CVE-2022-28693.)

    **Affected Release:** v3.0 and earlier
60
Addressed in ACRN v2.7
**********************
We recommend that all developers upgrade to this v2.7 release (or later), which
addresses the following security issue discovered in previous releases:

-----

- Heap use-after-free in ``mevent_handle()``
    The file descriptor monitored by an ``mevent`` could be closed in another
    thread while ``epoll_wait`` was still monitoring it. The ``mevent_handle()``
    function then dereferenced the already freed ``mevent``, a heap
    use-after-free.

    **Affected Release:** v2.6 and earlier
74
Addressed in ACRN v2.6
**********************

We recommend that all developers upgrade to this v2.6 release (or later), which
addresses the following security issue discovered in previous releases:

-----

- Memory leak in ``devicemodel/hw/pci/xhci.c``
    De-initializing an emulated USB device leaked memory because some
    resources allocated for transfers were not released.

    **Affected Release:** v2.5 and earlier.
88
89
Addressed in ACRN v2.5
**********************

We recommend that all developers upgrade to this v2.5 release (or later), which
addresses the following security issues that were discovered in previous releases:

-----

- NULL pointer dereference in ``devicemodel/hw/pci/virtio/virtio_net.c``
    The ``virtio_net_ping_rxq()`` function sets ``vq->used->flags`` without
    validating the pointer ``vq->used``, which may be NULL and cause a NULL
    pointer dereference.

    **Affected Release:** v2.4 and earlier.

- NULL pointer dereference in ``hw/pci/virtio/virtio.c``
    The ``vq_endchains()`` function reads ``vq->used->idx`` without validating
    the pointer ``vq->used``, which may be NULL and cause a NULL pointer
    dereference.

    **Affected Release:** v2.4 and earlier.

- NULL pointer dereference in ``devicemodel/hw/pci/xhci.c``
    The ``trb`` pointer in the ``pci_xhci_complete_commands()`` function may
    come from user space and may be NULL. Accessing it without validation may
    cause a NULL pointer dereference.

    **Affected Release:** v2.4 and earlier.

- Buffer overflow in ``hypervisor/arch/x86/vtd.c``
    A malicious ``index`` argument to ``dmar_free_irte()`` may cause an
    out-of-bounds access (buffer overflow) on the ``irte_alloc_bitmap[]`` array.

    **Affected Release:** v2.4 and earlier.

- Page fault in ``devicemodel/core/mem.c``
    The ``unregister_mem_int()`` function frees any entry it finds valid, which
    is not expected: only entries that are being removed from the RB tree may
    be freed. Freeing an entry that is still linked in the tree causes a page
    fault on the next RB tree iteration.

    **Affected Release:** v2.4 and earlier

- Heap use-after-free in the virtio ``timer_handler``
    With virtio polling mode enabled, a timer runs in the virtio backend
    service. The timer also fires if the frontend driver did not reset the
    device on shutdown, so a freed virtio device could be accessed in the
    polling timer handler.

    **Affected Release:** v2.4 and earlier
136
Addressed in ACRN v2.3
**********************

We recommend that all developers upgrade to this v2.3 release (or later), which
addresses the following security issue that was discovered in previous releases:

-----

- NULL pointer dereference in ``devicemodel/hw/pci/virtio/virtio_mei.c``
   The ``vmei_proc_tx()`` function obtains ``iov_base`` by calling
   ``paddr_guest2host()``, which may return NULL because the ``vd`` struct is
   controlled by the User VM OS. ``iov_base`` is then used without a NULL
   check, which can cause a NULL pointer dereference (CVE-2020-28346).

   **Affected Release:** v2.2 and earlier.
152
Addressed in ACRN v2.1
**********************

We recommend that all developers upgrade to this v2.1 release (or later), which
addresses the following security issue that was discovered in previous releases:

-----

- Missing access control restrictions in the hypervisor component
   A malicious entity with root access in the Service VM userspace could abuse
   the PCIe assign/de-assign hypercalls via crafted ioctls and payloads. This
   can corrupt hypervisor state and cause a denial of service (DoS) for PCIe
   devices previously assigned to the Service VM at runtime.

   **Affected Release:** v2.0 and v1.6.1.
169
Addressed in ACRN v1.6.1
************************

We recommend that all developers upgrade to this v1.6.1 release (or later), which
addresses the following security issue that was discovered in previous releases:

-----

- Service VM kernel crashes when fuzzing HC_ASSIGN_PCIDEV and HC_DEASSIGN_PCIDEV
   A NULL pointer dereference caused by an invalid address of the PCI device
   to be assigned or de-assigned may crash the Service VM kernel. The return
   value of ``pci_find_bus()`` must be checked before it is used in
   ``update_assigned_vf_state()``.

   **Affected Release:** v1.6.
184
185
Addressed in ACRN v1.6
**********************

We recommend that all developers upgrade to this v1.6 release (or later), which
addresses the following security issues that were discovered in previous releases:

-----

- Hypervisor crashes when fuzzing HC_DESTROY_VM
   The input ``vdev->pdev`` must be validated when handling
   HC_SET_PTDEV_INTR_INFO to ensure that the physical device is actually
   linked to ``vdev``; otherwise, the hypervisor crashes when the
   HC_DESTROY_VM hypercall is fuzzed with crafted input.

   **Affected Release:** v1.5 and earlier.

- Hypervisor crashes when fuzzing HC_VM_WRITE_PROTECT_PAGE
   The input GPA is not validated when handling this hypercall; an invalid
   GPA outside the target VM's EPT address space crashes the hypervisor while
   it handles the hypercall.

   **Affected Release:** v1.4 and earlier.

- Hypervisor crashes when fuzzing HC_NOTIFY_REQUEST_FINISH
   The input is not validated properly when handling this hypercall:
   ``vcpu_id`` must be checked against ``vm->hw.created_vcpus`` (the number
   of vCPUs actually created for the VM) rather than ``MAX_VCPUS_PER_VM``, so
   that IDs of vCPUs that were never created are rejected. Without that check
   the hypervisor crashes on crafted inputs.

   **Affected Release:** v1.4 and earlier.
216
217
Addressed in ACRN v1.4
**********************

We recommend that all developers upgrade to this v1.4 release (or later), which
addresses the following security issues that were discovered in previous releases:

-----

- Mitigation for Machine Check Error on Page Size Change
   Improper invalidation of page table updates by a virtual guest operating
   system on multiple Intel(R) processors may allow an authenticated user to
   potentially enable a denial of service of the host system via local
   access. A malicious guest kernel could trigger this issue (CVE-2018-12207).

   **Affected Release:** v1.3 and earlier.

- AP Trampoline Is Accessible to the Service VM
   This vulnerability was found while validating the memory isolation between
   the VMs and the hypervisor. The AP trampoline code lives in the LOW_RAM
   region of the hypervisor but was potentially accessible to the Service VM.
   An attacker who has compromised the Service VM could use this to mount DoS
   attacks on the hypervisor.

   **Affected Release:** v1.3 and earlier.

- Improper Usage of the ``LIST_FOREACH()`` Macro
   Testing discovered that the ``LIST_FOREACH()`` macro was used incorrectly
   in some cases, which could produce a wild pointer and crash the ACRN
   Device Model. Attackers could potentially use this to mount denial of
   service (DoS) attacks.

   **Affected Release:** v1.3 and earlier.

- Hypervisor Crashes When Fuzzing HC_SET_CALLBACK_VECTOR
   This vulnerability was reported by the fuzzing tool against the debug
   version of ACRN. The hypercall handler did not validate its input properly,
   so an attacker could craft input in a form not expected by the rest of the
   code. This can lead to parts of the system receiving unintended inputs,
   which may result in altered control flow, arbitrary control of a resource,
   or arbitrary code execution.

   **Affected Release:** v1.3 and earlier.

- FILE Pointer Is Not Closed After Use
   This vulnerability was reported by the fuzzing tool. Leaving the file
   unclosed leaks a file descriptor and may cause unexpected errors in the
   Device Model program.

   **Affected Release:** v1.3 and earlier.

- Descriptor of Directory Stream Is Referenced After Release
   This vulnerability was reported by the fuzzing tool. A successful call to
   ``closedir(DIR *dirp)`` also closes the underlying file descriptor
   associated with ``dirp``. Accessing the released descriptor afterwards may
   refer to an arbitrary memory location or cause undefined behavior.

   **Affected Release:** v1.3 and earlier.

- Mutex Is Potentially Kept in a Locked State Forever
   This vulnerability was reported by the fuzzing tool. ``pthread_mutex_lock``
   and ``pthread_mutex_unlock`` calls were not always paired. Leaving a mutex
   locked forever can deadlock the program, depending on the usage scenario.

   **Affected Release:** v1.3 and earlier.
