[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-users] Xen Security Advisory 181 - arm: Host crash caused by VMID exhaustion



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                    Xen Security Advisory XSA-181

               arm: Host crash caused by VMID exhaustion

ISSUE DESCRIPTION
=================

VMIDs are a finite hardware resource, and allocated as part of domain
creation.  If no free VMIDs are available when trying to create a new domain,
a bug in the error path causes a NULL pointer to be used, resulting in a Data
Abort and host crash.

IMPACT
======

Attempting to create too many concurrent domains causes a host crash rather
than a graceful error.  A malicious device driver domain can hold references
to domains, preventing its VMID being released.

VULNERABLE SYSTEMS
==================

Xen versions 4.4 and later are affected.  Older Xen versions are unaffected.

x86 systems are not affected.

Only arm systems with less-privileged device driver domains can expose this
vulnerability.

MITIGATION
==========

There is no mitigation.  Not using driver domains reclassifies the problem,
but does not fix it.

NOTE REGARDING LACK OF EMBARGO
==============================

The crash was discussed publicly on xen-devel, before it was appreciated
that there was a security problem.

CREDITS
=======

This issue was discovered by Aaron Cornelius of DornerWorks.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa181.patch           xen-unstable, Xen 4.6.x, 4.5.x
xsa181-4.4.patch       Xen 4.4.x

$ sha256sum xsa181*
6756fcf44446675e5277f6d6c0e8a0aaa51a7909ad9a55af89a09367fded8733  xsa181.patch
97a90c7cb42466647622cb2ed98de531b7ba2e174a1bc639a32a6f1b626d503f  
xsa181-4.4.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJXUVIbAAoJEIP+FMlX6CvZAe8IAIwe1A/05KM9PfJTCwb23WEs
pfSiEZy7KzmavYwzV4TLwzWuCNzkRAuEejvQ9dTFnk8ZBkCZIbAaMoCPJljK/8gg
oBcn0cXE9Kz9kWBk+JCWHynboVh010p+7DGlcvrxmAwxJCUjGy4YcajDZ4uGJoHA
pgJxIk/w4CIzF+AQYm7bRW8dHF3yym4V6dmR4pGqXeYS41XbMqpEenGBggoBeH+C
TJLUzaNZfATcPK5NUCqBD7IiQtHyYJT8xEtIKDH4hfjEzffydHbErDb/lKk3fxK0
ECzrhdWMExnkUX4VkC393QaqGf78P6sa+psfZt4I7DDFDI2uEvXYmgVXjOuvSpg=
=hUSO
-----END PGP SIGNATURE-----

Attachment: xsa181.patch
Description: Binary data

Attachment: xsa181-4.4.patch
Description: Binary data

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxx
http://lists.xen.org/xen-users

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.