
[Xen-devel] Xen Security Advisory 8 (CVE-2012-0218) - syscall/enter guest DoS



               Xen Security Advisory CVE-2012-0218 / XSA-8
                              version 7

     guest denial of service on syscall/sysenter exception generation

UPDATES IN VERSION 7
====================

Public release.  Previous versions were embargoed.

ISSUE DESCRIPTION
=================

When guest user code running inside a Xen guest operating system
attempts to execute a syscall or sysenter instruction, and the guest
operating system has not registered a handler for that instruction,
a General Protection Fault may need to be injected into the guest.

It has been discovered that the code in Xen which does this fails to
clear a flag requesting exception injection, with the result that a
future exception taken by the guest and handled entirely inside Xen
will also be injected into the guest despite Xen having handled it
already, probably crashing the guest.
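
The stale-flag sequence described above, as a simplified C model added
here for illustration; it is not Xen code and not part of the advisory.
The structure, function names and the vector used for the later
exception are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>

#define VEC_GP    13  /* General Protection Fault */
#define VEC_LATER 14  /* stand-in for any later exception Xen resolves itself (assumption) */

/* Hypothetical, simplified per-vCPU state; not Xen's real structures. */
struct vcpu_model {
    bool inject_requested;  /* flag requesting exception injection */
    int  guest_faults;      /* exceptions actually delivered to the guest */
    int  last_vector;       /* vector of the most recent delivery */
};

static void deliver_to_guest(struct vcpu_model *v, int vector)
{
    v->guest_faults++;
    v->last_vector = vector;
}

/* Guest user code ran syscall/sysenter with no handler registered: inject #GP. */
static void syscall_without_handler(struct vcpu_model *v, bool fixed)
{
    v->inject_requested = true;
    deliver_to_guest(v, VEC_GP);       /* this delivery is intended */
    if (fixed)
        v->inject_requested = false;   /* the clearing step the advisory says was missing */
}

/* A later exception handled entirely inside the hypervisor. */
static void exception_handled_in_xen(struct vcpu_model *v, int vector)
{
    /* ... hypervisor resolves the condition; the guest should never see it ... */
    if (v->inject_requested) {         /* stale flag: spurious second injection */
        deliver_to_guest(v, vector);
        v->inject_requested = false;
    }
}

/* Runs the sequence; returns how many exceptions reached the guest. */
static int run_sequence(bool fixed, int *last_vector)
{
    struct vcpu_model v = { false, 0, 0 };
    syscall_without_handler(&v, fixed);
    exception_handled_in_xen(&v, VEC_LATER);
    *last_vector = v.last_vector;
    return v.guest_faults;
}

int main(void)
{
    int vec;
    printf("vulnerable: %d delivered, last vector %d\n", run_sequence(false, &vec), vec);
    printf("fixed:      %d delivered, last vector %d\n", run_sequence(true, &vec), vec);
    return 0;
}
```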

IMPACT
======

User space processes on some guest operating systems may be able to
crash the guest.

VULNERABLE SYSTEMS
==================

HVM guests are not vulnerable.

32- and 64-bit PV guests may be vulnerable, depending on the CPU
hardware, the guest operating system, and its exact kernel version and
configuration.

MITIGATION
==========

This issue can be mitigated by running HVM (fully-virtualised) guests.

In some cases this issue can be mitigated by upgrading the guest
kernel to one which installs hooks for sysenter and/or syscall, as
applicable.

RESOLUTION
==========

Applying the appropriate attached patch will resolve the issue.

These patches also resolve the (more serious) issue described in
XSA-7 (CVE-2012-0217).

These changes have been made to the staging Xen repositories:
                    XSA-7:              XSA-8:
 xen-unstable.hg     25480:76eaf5966c05  25200:80f4113be500+25204:569d6f05e1ef
 xen-4.1-testing.hg  23299:f08e61b9b33f  23300:0fec1afa4638
 xen-4.0-testing.hg  21590:dd367837e089  21591:adb943a387c8
 xen-3.4-testing.hg  19996:894aa06e4f79  19997:ddb7578abb89

PATCH INFORMATION
=================

The attached patches resolve both this issue and that reported in
XSA-7 (CVE-2012-0217).

 xen-unstable 25204:569d6f05e1ef or later    xsa7-xsa8-unstable-recent.patch  
 xen-unstable 25199:6092641e3644 or earlier  xsa7-xsa8-unstable-apr16.patch
 Xen 4.1, 4.1.x                              xsa7-xsa8-xen-4.1.patch
 Xen 4.0, 4.0.x                              xsa7-xsa8-xen-4.0.patch
 Xen 3.4, 3.4.x                              xsa7-xsa8-xen-3.4.patch

$ sha256sum xsa7-xsa8-*patch
00853d799d24af16b17c8bbbdb5bb5144a8a7fad31467c4be3d879244774f8d2  xsa7-xsa8-unstable-apr16.patch
71f9907a58c1a1cd601d8088faf8791923d78f77065b94dba8df2a61f512530d  xsa7-xsa8-unstable-recent.patch
55fb925a7f4519ea31a0bc42d3ee83093bb7abd98b3a0e4f58591f1ae738840a  xsa7-xsa8-xen-3.4.patch
6a7e39121ec1f134351fdf34f494d108500aaa4190a9f7965e81c4e96270924e  xsa7-xsa8-xen-4.0.patch
52d8288718b4a833eb437fd18d92b7d412fbe01900dbd0b437744a1df4d459da  xsa7-xsa8-xen-4.1.patch

NOTE REGARDING EMBARGO
======================

The fix for this issue has already been published as xen-unstable.hg
changesets 25200:80f4113be500 and 25204:569d6f05e1ef.  However, this
has not been flagged as a security problem, and since the affected
area of code is the same as that for XSA-7 (CVE-2012-0217), we have
concluded that this advisory should be under the same embargo as
XSA-7.

Attachment: xsa7-xsa8-unstable-recent.patch
Description: Binary data

Attachment: xsa7-xsa8-unstable-apr16.patch
Description: Binary data

Attachment: xsa7-xsa8-xen-4.1.patch
Description: Binary data

Attachment: xsa7-xsa8-xen-4.0.patch
Description: Binary data

Attachment: xsa7-xsa8-xen-3.4.patch
Description: Binary data
