From xen-announce-bounces@lists.xen.org Tue Jul 09 14:15:24 2013
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Tue, 09 Jul 2013 14:15:24 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1UwYfs-00018Q-7K; Tue, 09 Jul 2013 14:13:48 +0000
Received: from mail6.bemta3.messagelabs.com ([195.245.230.39])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <lars.kurth.xen@gmail.com>) id 1UwYbe-00010Q-Ae
	for xen-announce@lists.xen.org; Tue, 09 Jul 2013 14:09:26 +0000
Received: from [85.158.137.99:38042] by server-15.bemta-3.messagelabs.com id
	55/87-03817-5991CD15; Tue, 09 Jul 2013 14:09:25 +0000
X-Env-Sender: lars.kurth.xen@gmail.com
X-Msg-Ref: server-5.tower-217.messagelabs.com!1373378964!14875196!1
X-Originating-IP: [209.85.214.48]
X-SpamReason: No, hits=0.2 required=7.0 tests=RCVD_ILLEGAL_IP
X-StarScan-Received: 
X-StarScan-Version: 6.9.9; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 19820 invoked from network); 9 Jul 2013 14:09:24 -0000
Received: from mail-bk0-f48.google.com (HELO mail-bk0-f48.google.com)
	(209.85.214.48)
	by server-5.tower-217.messagelabs.com with RC4-SHA encrypted SMTP;
	9 Jul 2013 14:09:24 -0000
Received: by mail-bk0-f48.google.com with SMTP id jf17so2356684bkc.21
	for <xen-announce@lists.xen.org>; Tue, 09 Jul 2013 07:09:24 -0700 (PDT)
X-Received: by 10.205.34.14 with SMTP id sq14mr4301532bkb.100.1373378964189;
	Tue, 09 Jul 2013 07:09:24 -0700 (PDT)
Received: from [172.16.26.11] (054181f9.skybroadband.com. [5.65.129.249])
	by mx.google.com with ESMTPSA id cb7sm5934977bkb.16.2013.07.09.07.09.22
	for <xen-announce@lists.xen.org>
	(version=SSLv3 cipher=RC4-SHA bits=128/128);
	Tue, 09 Jul 2013 07:09:23 -0700 (PDT)
Message-ID: <51DC1990.7070803@xen.org>
Date: Tue, 09 Jul 2013 15:09:20 +0100
From: Lars Kurth <lars.kurth@xen.org>
User-Agent: Mozilla/5.0 (Windows NT 6.1;
	rv:17.0) Gecko/20130620 Thunderbird/17.0.7
MIME-Version: 1.0
To: xen-announce@lists.xen.org
References: <CAFLBxZZCu4NCTcEwH14Df5jLJpM=egj6+vQnmuiBjQ4eEVxfAA@mail.gmail.com>
In-Reply-To: <CAFLBxZZCu4NCTcEwH14Df5jLJpM=egj6+vQnmuiBjQ4eEVxfAA@mail.gmail.com>
X-Forwarded-Message-Id: <CAFLBxZZCu4NCTcEwH14Df5jLJpM=egj6+vQnmuiBjQ4eEVxfAA@mail.gmail.com>
X-Mailman-Approved-At: Tue, 09 Jul 2013 14:13:47 +0000
Subject: [Xen-announce] Xen 4.3 released!
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
Reply-To: lars.kurth@xen.org
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


The Xen Project team is pleased to announce the release of Xen 4.3.

The result of nearly 10 of development, new features include:
  * Early support for ARM 32- and 64-bit architectures
  * qemu-upstream is now the default for VMs not using stub domains.
  * openvswitch hot-plug script support.
  * NUMA affinity for the scheduler
  * xl can now accept several USB devices, rather than only one.
  * XSM improvements.  XSM can now override all IS_PRIV checks in the hypervisor.
  * As always, a number of stability, performance, and security
    enhancements "under the hood".

Detailed release notes, including a more extensive feature list:
   http://wiki.xenproject.org/wiki/Xen_4.3_Release_Notes

To download tarballs:
   http://www.xenproject.org/downloads/xen-archives/supported-xen-43-series/xen-430.html
Or the git source repository (tag 'RELEASE-4.3.0'):
   http://xenbits.xen.org/gitweb/?p=xen.git

And the announcement on the Xen blog:
   http://blog.xen.org/index.php/2013/07/09/xen-4-3-0-released/

Thanks to the many people who have contributed to this release!

  Regards,
  The Xen Project Team




_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce

From xen-announce-bounces@lists.xen.org Wed Jul 24 11:38:34 2013
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Wed, 24 Jul 2013 11:38:34 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1V1xNT-00045n-5O; Wed, 24 Jul 2013 11:37:07 +0000
Received: from mail6.bemta5.messagelabs.com ([195.245.231.135])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1V1xNR-00045L-KP; Wed, 24 Jul 2013 11:37:05 +0000
Received: from [85.158.139.83:38512] by server-11.bemta-5.messagelabs.com id
	4A/DB-02024-06CBFE15; Wed, 24 Jul 2013 11:37:04 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-4.tower-182.messagelabs.com!1374665822!26187363!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG
X-StarScan-Received: 
X-StarScan-Version: 6.9.11; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 30420 invoked from network); 24 Jul 2013 11:37:03 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-4.tower-182.messagelabs.com with AES256-SHA encrypted SMTP;
	24 Jul 2013 11:37:03 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1V1xNH-00046p-UJ; Wed, 24 Jul 2013 11:36:55 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1V1xNG-00008D-Po; Wed, 24 Jul 2013 11:36:55 +0000
Date: Wed, 24 Jul 2013 11:36:55 +0000
Message-Id: <E1V1xNG-00008D-Po@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 60 (CVE-2013-2212) - Excessive
 time to disable caching with HVM guests with PCI passthrough
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

             Xen Security Advisory CVE-2013-2212 / XSA-60
                             version 4

   Excessive time to disable caching with HVM guests with PCI passthrough

UPDATES IN VERSION 4
====================

Public release.

ISSUE DESCRIPTION
=================

HVM guests are able to manipulate their physical address space such that
processing a subsequent request by that guest to disable caches takes an
extended amount of time changing the cachability of the memory pages assigned
to this guest. This applies only when the guest has been granted access to
some memory mapped I/O region (typically by way of assigning a passthrough
PCI device).

This can cause the CPU which processes the request to become unavailable,
possibly causing the hypervisor or a guest kernel (including the domain 0 one)
to halt itself ("panic").

For reference, as long as no patch implementing an approved alternative
solution is available (there's only a draft violating certain requirements
set by Intel's documentation), the problematic code is the function
vmx_set_uc_mode() (in that it calls ept_change_entry_emt_with_range() with
the full guest GFN range, which the guest has control over, but which also
would be a problem with sufficiently large but not malicious guests).

IMPACT
======

A malicious domain, given access to a device with memory mapped I/O
regions, can cause the host to become unresponsive for a period of
time, potentially leading to a DoS affecting the whole system.

VULNERABLE SYSTEMS
==================

Xen version 3.3 onwards is vulnerable.

Only systems using the Intel variant of Hardware Assisted Paging (aka EPT) are
vulnerable.

MITIGATION
==========

This issue can be avoided by not assigning PCI devices to untrusted guests, or
by running HVM guests with shadow mode paging (through adding "hap=0" to the
domain configuration file).

CREDITS
=======

Konrad Wilk found the issue as a bug, which on examination by the
Xenproject.org Security Team turned out to be a security problem.

RESOLUTION
==========

There is currently no resolution to this issue.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--


From xen-announce-bounces@lists.xen.org Wed Jul 24 14:02:16 2013
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Wed, 24 Jul 2013 14:02:16 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1V1zcf-0001js-Jb; Wed, 24 Jul 2013 14:00:57 +0000
Received: from mail6.bemta5.messagelabs.com ([195.245.231.135])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1V1zcd-0001jc-6b; Wed, 24 Jul 2013 14:00:55 +0000
Received: from [85.158.139.83:43406] by server-12.bemta-5.messagelabs.com id
	50/2F-22750-61EDFE15; Wed, 24 Jul 2013 14:00:54 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-2.tower-182.messagelabs.com!1374674452!28921174!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG
X-StarScan-Received: 
X-StarScan-Version: 6.9.11; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 30076 invoked from network); 24 Jul 2013 14:00:53 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-2.tower-182.messagelabs.com with AES256-SHA encrypted SMTP;
	24 Jul 2013 14:00:53 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1V1zcU-0005ka-AV; Wed, 24 Jul 2013 14:00:46 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1V1zcU-0004Qf-2K; Wed, 24 Jul 2013 14:00:46 +0000
Date: Wed, 24 Jul 2013 14:00:46 +0000
Message-Id: <E1V1zcU-0004Qf-2K@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 60 (CVE-2013-2212) - Excessive
 time to disable caching with HVM guests with PCI passthrough
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

             Xen Security Advisory CVE-2013-2212 / XSA-60
                             version 5

   Excessive time to disable caching with HVM guests with PCI passthrough

UPDATES IN VERSION 5
====================

Corrected credit.

ISSUE DESCRIPTION
=================

HVM guests are able to manipulate their physical address space such that
processing a subsequent request by that guest to disable caches takes an
extended amount of time changing the cachability of the memory pages assigned
to this guest. This applies only when the guest has been granted access to
some memory mapped I/O region (typically by way of assigning a passthrough
PCI device).

This can cause the CPU which processes the request to become unavailable,
possibly causing the hypervisor or a guest kernel (including the domain 0 one)
to halt itself ("panic").

For reference, as long as no patch implementing an approved alternative
solution is available (there's only a draft violating certain requirements
set by Intel's documentation), the problematic code is the function
vmx_set_uc_mode() (in that it calls ept_change_entry_emt_with_range() with
the full guest GFN range, which the guest has control over, but which also
would be a problem with sufficiently large but not malicious guests).

IMPACT
======

A malicious domain, given access to a device with memory mapped I/O
regions, can cause the host to become unresponsive for a period of
time, potentially leading to a DoS affecting the whole system.

VULNERABLE SYSTEMS
==================

Xen version 3.3 onwards is vulnerable.

Only systems using the Intel variant of Hardware Assisted Paging (aka EPT) are
vulnerable.

MITIGATION
==========

This issue can be avoided by not assigning PCI devices to untrusted guests, or
by running HVM guests with shadow mode paging (through adding "hap=0" to the
domain configuration file).

CREDITS
=======

Zhenzhong Duan found the issue as a bug, which on examination by the
Xenproject.org Security Team turned out to be a security problem.

RESOLUTION
==========

There is currently no resolution to this issue.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--
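
A configuration audit for the MITIGATION section of XSA-60 above, as an added example that is not part of the advisory or of Xen: it parses xl domain configuration text and reports which HVM guests are given MMIO access (pci or iomem entries) while HAP is left enabled. The sample configs, file names, function names and status strings are constructed for illustration; whether the host uses Intel EPT and whether a guest is trusted cannot be read from the config and must be judged separately.

```python
import ast


def _strip_comment(line):
    """Drop a trailing '#' comment unless the '#' sits inside a quoted string."""
    quote = None
    for i, ch in enumerate(line):
        if quote:
            if ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
        elif ch == "#":
            return line[:i]
    return line


def parse_xl_cfg(text):
    """Parse the key = value subset of an xl domain config into a dict."""
    cfg, key, val = {}, None, ""
    for raw in text.splitlines():
        line = _strip_comment(raw).strip()
        if not line:
            continue
        if key is None:
            if "=" not in line:
                continue
            left, _, right = line.partition("=")
            key, val = left.strip(), right.strip()
        else:
            val += " " + line
        # A list value may span several lines; wait until brackets balance.
        if val.count("[") > val.count("]"):
            continue
        try:
            cfg[key] = ast.literal_eval(val)
        except (ValueError, SyntaxError):
            cfg[key] = val  # keep the raw text if it is not a plain literal
        key, val = None, ""
    return cfg


def xsa60_status(cfg):
    """Classify one parsed guest config against the advisory's conditions."""
    # builder="hvm" is the Xen 4.3-era spelling; later releases also accept type="hvm".
    if "hvm" not in (cfg.get("builder"), cfg.get("type")):
        return ("not-hvm", "advisory concerns HVM guests only")
    mmio = [k for k in ("pci", "iomem") if cfg.get(k)]
    if not mmio:
        return ("no-mmio", "no pci/iomem entries, guest has no MMIO region")
    # HAP is on by default for HVM guests; only an explicit hap=0 selects shadow paging.
    if str(cfg.get("hap", 1)).strip() == "0":
        return ("mitigated", "hap=0 selects shadow mode paging")
    return ("exposed-if-untrusted",
            "HVM with %s and HAP left enabled" % "+".join(mmio))


def audit(configs):
    """Map each config file name to its (status, reason) pair."""
    return {fname: xsa60_status(parse_xl_cfg(text))
            for fname, text in configs.items()}


# Constructed sample configs (not taken from the advisory).
SAMPLE_CONFIGS = {
    "gpu-guest.cfg": """
name = "gpu-guest"
builder = "hvm"
memory = 4096
# hap = 0   (commented out, so HAP stays enabled)
pci = [ '01:00.0',
        '01:00.1' ]   # multi-line list
""",
    "nic-shadow.cfg": """
name = "nic-shadow"
builder = "hvm"
hap = 0
pci = [ '03:00.0' ]
""",
    "plain-hvm.cfg": """
name = "plain-hvm"
builder = "hvm"
memory = 2048
""",
    "pv-nic.cfg": """
name = "pv-nic"
kernel = "/boot/vmlinuz-guest"
pci = [ '04:00.0' ]
""",
}

if __name__ == "__main__":
    for fname, (status, reason) in sorted(audit(SAMPLE_CONFIGS).items()):
        print("%-16s %-22s %s" % (fname, status, reason))
```

Guests reported as exposed-if-untrusted are the ones to which the advisory's two options apply: remove the device assignment or add hap=0.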




