Xen project Mailing List

[Xen-devel] Xen Security Advisory 300 v1 - Linux: No grant table and foreign mapping limits

To: xen-announce@xxxxxxxxxxxxx, xen-devel@xxxxxxxxxxxxx, xen-users@xxxxxxxxxxxxx, oss-security@xxxxxxxxxxxxxxxxxx

From: Xen.org security team <security@xxxxxxx>

Date: Tue, 09 Jul 2019 13:55:58 +0000

Cc: "Xen.org security team" <security-team-members@xxxxxxx>

Delivery-date: Tue, 09 Jul 2019 13:56:20 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory XSA-300 Linux: No grant table and foreign mapping limits ISSUE DESCRIPTION ================= Virtual device backends and device models running in domain 0, or other backend driver domains, need to be able to map guest memory (either via grant mappings, or via the foreign mapping interface). For Linux to keep track of these mappings, it needs to have a page structure for each one. In practice the number of page structures is usually limited. In PV dom0, a range of pfns are typically set aside at boot ("pre-ballooned") for this purpose; for PVH and Arm dom0s, no memory is set aside to begin with. In either case, when more of this "foreign / grant map pfn space" is needed, dom0 will balloon out extra pages to use for this purpose. Unfortunately, in Linux, there are no limits, either on the total amount of memory which dom0 will attempt to balloon down to, nor on the amount of "foreign / grant map" memory which any individual guest can consume. As a result, a malicious guest may be able, with crafted requests to the backend, to cause dom0 to exhaust its own memory, leading to a host crash; and if this is not possible, it may be able to monopolize all of the foreign / grant map pfn space, starving out other guests. IMPACT ====== Guest may be able to crash domain 0 (Host Denial-of-Service); or may be able to starve out I/O requests from other guests (Guest Denial-of-Service). VULNERABLE SYSTEMS ================== All versions of Linux are vulnerable. All Arm dom0s are vulnerable; on x86, PVH dom0 is generally vulnerable, while PV dom0's vulnerability depends on what, if any, "dom0_mem=" option was passed to Xen. MITIGATION ========== On PV dom0, the amount of "pre-ballooned" memory can be increased by limiting dom0 memory via "dom0_mem=", but avoiding use of the "dom0_mem=max:<value>" form of the command line option, or by making the delta between "actual" and "maximum" sufficiently large. This makes the attack more difficult to accomplish. CREDITS ======= This issue was discovered by Julien Grall of ARM. RESOLUTION ========== Applying the appropriate attached patch resolves the domain 0 memory exhaustion issue. NOTE: This does NOT fix the guest starvation issue. Fixing fixing this issue is more complex, and it was determined that it was better to work on a robust fix for the issue in public. This advisory will be updated when fixes are available. xsa300-linux-5.1.patch Linux 4.4 ... 5.2-rc $ sha256sum xsa300* 9c8a9aec52b147f8e8ef41444e1dd11803bacf3bd4d0f6efa863b16f7a9621ac xsa300-linux-5.1.patch $ NOTE ON LACK OF EMBARGO ======================= The lack of predisclosure is due to a short schedule set by the discoverer, and efforts to resolve the advisory wording. DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAl0knK4MHHBncEB4ZW4u b3JnAAoJEIP+FMlX6CvZVp0H/2P+7XAtIAS2owhUnTBPSmM/93LZBHr67DCGSoix afHEumj4b3omIssAEo912BXpG0tjzCBlStwacRDc/11Ku4XtB/hlr5TG89c2tfVd QMtvWeAdDjWE2YkwZ3TK5BgaYMwoUSMdwXtG2NGpVGFj4jy4AUL5e+sZKAiMTbl2 f3ursyyts/cgJTLq1KHfX3jVlqcRLvv0yGXLsZ0BQbktnEpptETPPtBvEQQ+Uqkb WjqxCvzmh0Szc9mnhLSxS2LDA6W/y/r37XawpwJIZNpE12+sQRZ48KqeFysTK4Yp MRZokgzOBOXfHVa25LpgtZzL5DmRR5AfWYkmgmIX8s7NaH8= =OKdx -----END PGP SIGNATURE-----

Attachment: xsa300-linux-5.1.patch
Description: Binary data

_______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxxx https://lists.xenproject.org/mailman/listinfo/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.