[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] Xen Security Advisory 10 (CVE-2012-3432) - HVM user mode MMIO emul DoS

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


            Xen Security Advisory CVE-2012-3432 / XSA-10
                          version 2

         HVM guest user mode MMIO emulation DoS vulnerability

UPDATES IN VERSION 2
====================

CVE candidate number assigned.

Xen versions 3.2 and earlier are not, in fact, vulnerable; they have
an entirely different emulation mechanism.

ISSUE DESCRIPTION
=================

Internal data of the emulator for MMIO operations may, under
certain rare conditions, at the end of one emulation cycle be left
in a state affecting a subsequent emulation such that this second
emulation would fail, causing an exception to be reported to the
guest kernel where none is expected.

IMPACT
======

Guest mode unprivileged (user) code, which has been granted
the privilege to access MMIO regions, may leverage that access
to crash the whole guest.

VULNERABLE SYSTEMS
==================

All HVM guests exposing MMIO ranges to unprivileged (user) mode.

Xen versions 3.3 and later are vulnerable to this issue.

MITIGATION
==========

This issue can be mitigated by running PV (para-virtualised)
guests only, or by ensuring (inside the guest) that MMIO regions
can be accessed only by trustworthy processes.

RESOLUTION
==========

Applying the appropriate attached patch will resolve the issue.

PATCH INFORMATION
=================

The attached patches resolve this issue

$ sha256sum xsa10-*.patch
f96b7849194901d7f663895f88c2ca4f4721559f1c1fe13bba515336437ab912  
xsa10-4.x.patch
fb9dead017dfea99ad3e8d928582e67160c76518b7fe207d9a3324811baf06dd  
xsa10-unstable.patch
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJQEqbqAAoJEIP+FMlX6CvZEhIIALkIViTZtEbQ6nWy3Y1U/sm5
BDZUPOeqF5KFV9EXQJcoKM1PGBMBgzeqA4n024k6o9mDimn0PVujSJC+2iX728Sz
WW/k5y96q2ixzTmaU0y8X5p6pl+nbCNMQ8In7WysB2XetGHY+b5b80uIVH1Sj1IS
QxrMO2HywQSUDNNQq3bD2jQjuIgewh7rMskxXiPWnlPg7MHx4D/jt/O4sP0bnZn2
kvFad8TV9aB3I1dwdI2YJ3Ng3W162Tai6i2lJB1OQUJt0sIARXeXZYVOrkkAY5Tv
SjNCCra0NZoaLjOlY0CWwqluPegJAnq1iFb5cF86nwZcoMCIh9OL+0SLyIJEAvg=
=sOWo
-----END PGP SIGNATURE-----

x86/hvm: don't leave emulator in inconsistent state

The fact that handle_mmio(), and thus the instruction emulator, is
being run through twice for emulations that require involvement of the
device model, allows for the second run to see a different guest state
than the first one. Since only the MMIO-specific emulation routines
update the vCPU's io_state, if they get invoked on the second pass,
internal state (and particularly this variable) can be left in a state
making successful emulation of a subsequent MMIO operation impossible.

Consequently, whenever the emulator invocation returns without
requesting a retry of the guest instruction, reset io_state.

Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
Acked-by: Keir Fraser <keir@xxxxxxx>

--- a/xen/arch/x86/hvm/io.c
+++ b/xen/arch/x86/hvm/io.c
@@ -176,6 +176,8 @@ int handle_mmio(void)
 
     rc = hvm_emulate_one(&ctxt);
 
+    if ( rc != X86EMUL_RETRY )
+        curr->arch.hvm_vcpu.io_state = HVMIO_none;
     if ( curr->arch.hvm_vcpu.io_state == HVMIO_awaiting_completion )
         curr->arch.hvm_vcpu.io_state = HVMIO_handle_mmio_awaiting_completion;
     else

x86/hvm: don't leave emulator in inconsistent state

The fact that handle_mmio(), and thus the instruction emulator, is
being run through twice for emulations that require involvement of the
device model, allows for the second run to see a different guest state
than the first one. Since only the MMIO-specific emulation routines
update the vCPU's io_state, if they get invoked on the second pass,
internal state (and particularly this variable) can be left in a state
making successful emulation of a subsequent MMIO operation impossible.

Consequently, whenever the emulator invocation returns without
requesting a retry of the guest instruction, reset io_state.

Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
Acked-by: Keir Fraser <keir@xxxxxxx>

--- a/xen/arch/x86/hvm/io.c
+++ b/xen/arch/x86/hvm/io.c
@@ -179,6 +179,8 @@ int handle_mmio(void)
 
     rc = hvm_emulate_one(&ctxt);
 
+    if ( rc != X86EMUL_RETRY )
+        vio->io_state = HVMIO_none;
     if ( vio->io_state == HVMIO_awaiting_completion )
         vio->io_state = HVMIO_handle_mmio_awaiting_completion;
     else


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.