[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-users] Xen Security Advisory 11 (CVE-2012-3433) - HVM destroy p2m host DoS
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2012-3433 / XSA-11 version 3 HVM guest destroy p2m teardown host DoS vulnerability UPDATES IN VERSION 3 ==================== Embargo ended Thursday 2012-08-09 12:00:00 UTC. ISSUE DESCRIPTION ================= An HVM guest is able to manipulate its physical address space such that tearing down the guest takes an extended period amount of time searching for shared pages. This causes the domain 0 VCPU which tears down the domain to be blocked in the destroy hypercall. This causes that domain 0 VCPU to become unavailable and may cause the domain 0 kernel to panic. There is no requirement for memory sharing to be in use. IMPACT ====== A guest kernel can cause the host to become unresponsive for a period of time, potentially leading to a DoS. VULNERABLE SYSTEMS ================== All systems running HVM guests with untrusted guest kernels. This vulnerability effects only Xen 4.0 and 4.1. Xen 3.4 and earlier and xen-unstable are not vulnerable. MITIGATION ========== This issue can be mitigated by running PV (para-virtualised) guests only, or by ensuring (inside the guest) that the kernel is trustworthy. RESOLUTION ========== Applying the appropriate attached patch will resolve the issue. NOTE REGARDING CVE ================== We do not yet have a CVE Candidate number for this vulnerability. PATCH INFORMATION ================= The attached patches resolve this issue Xen 4.1, 4.1.x xsa11-4.1.patch Xen 4.0, 4.0.x xsa11-4.0.patch $ sha256sum xsa11-*.patch c8ab767d831b20a1b22c69a28127303c89cf0379cbf6f1ba3acfda6240aa2a89 xsa11-4.0.patch 61c6424023a26a8b4ea591d0bff6969908091a1a1e1304567d0d910908f21e8d xsa11-4.1.patch -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJQI8/0AAoJEIP+FMlX6CvZ+fIH/R8w3J9KUiLiIai/QaA4xOjp rkvdR40b0GzcllDQEy9bUCvRY3QPz7DRza90vLvxCL9R5OnbkRtGJxdmbxjwmoVX zF03FLaFCd5ypFsTGAcxaUcxtOrt6Ut6R0i8GZp5BCkOV+UkNvu/uaOxL6N3UZ3w HfCm88EAWsWeJuShiG5jY3BhgCeR7b3GV9uXP0vG5Pa7cwPGvMnx/E6OsC/zEMG2 7yTX0/AI4qKMT9XtiA024vloN1mMlRgN74ZIBqmPuDv5ggv1wLFseARWueYMBn8Y aUDi97nJf+YWXIx+YwAmD0XLmJ/5tTAYvaV3B4vjMrfFc/plMKDvOqohVB+hv08= =l4LY -----END PGP SIGNATURE----- # HG changeset patch # User Ian Campbell <ian.campbell@xxxxxxxxxx> # Date 1343123936 -3600 # Node ID 48ce1f45392708a70723e99fa80947958ae69732 # Parent c6eb61ed6f04b4079525c3944b5a55268e1db4f1 xen: only check for shared pages while any exist on teardown Avoids worst case behavour when guest has a large p2m. This is XSA-11 / CVE-2012-nnn Signed-off-by: Tim Deegan <tim@xxxxxxx> Signed-off-by: Ian Campbell <ian.campbell@xxxxxxxxxx> Tested-by: Olaf Hering <olaf@xxxxxxxxx> diff -r c6eb61ed6f04 -r 48ce1f453927 xen/arch/x86/mm/p2m.c --- a/xen/arch/x86/mm/p2m.c Mon May 14 17:02:16 2012 +0100 +++ b/xen/arch/x86/mm/p2m.c Tue Jul 24 10:58:56 2012 +0100 @@ -1725,6 +1725,8 @@ void p2m_teardown(struct domain *d) #ifdef __x86_64__ for ( gfn=0; gfn < p2m->max_mapped_pfn; gfn++ ) { + if ( atomic_read(&d->shr_pages) == 0 ) + break; mfn = p2m->get_entry(d, gfn, &t, p2m_query); if ( mfn_valid(mfn) && (t == p2m_ram_shared) ) BUG_ON(mem_sharing_unshare_page(d, gfn, MEM_SHARING_DESTROY_GFN)); # HG changeset patch # User Ian Campbell <ian.campbell@xxxxxxxxxx> # Date 1343123777 -3600 # Node ID 83c979b30c9057dceb0a0bd2b6c19ab64616eb43 # Parent 3ce155e77f39d0c3cc787c1cc3d6bab1ef45a1dc xen: only check for shared pages while any exist on teardown Avoids worst case behavour when guest has a large p2m. This is XSA-11 / CVE-2012-nnn Signed-off-by: Tim Deegan <tim@xxxxxxx> Signed-off-by: Ian Campbell <ian.campbell@xxxxxxxxxx> Tested-by: Olaf Hering <olaf@xxxxxxxxx> diff -r 3ce155e77f39 -r 83c979b30c90 xen/arch/x86/mm/p2m.c --- a/xen/arch/x86/mm/p2m.c Mon Jul 09 10:30:44 2012 +0100 +++ b/xen/arch/x86/mm/p2m.c Tue Jul 24 10:56:17 2012 +0100 @@ -2044,6 +2044,8 @@ void p2m_teardown(struct p2m_domain *p2m #ifdef __x86_64__ for ( gfn=0; gfn < p2m->max_mapped_pfn; gfn++ ) { + if ( atomic_read(&d->shr_pages) == 0 ) + break; mfn = p2m->get_entry(p2m, gfn, &t, &a, p2m_query); if ( mfn_valid(mfn) && (t == p2m_ram_shared) ) BUG_ON(mem_sharing_unshare_page(p2m, gfn, MEM_SHARING_DESTROY_GFN)); _______________________________________________ Xen-users mailing list Xen-users@xxxxxxxxxxxxx http://lists.xen.org/xen-users
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |