[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] Xen Security Advisory 11 (CVE-2012-3433) - HVM destroy p2m host DoS

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2012-3433 / XSA-11
                          version 3

        HVM guest destroy p2m teardown host DoS vulnerability

UPDATES IN VERSION 3
====================

Embargo ended Thursday 2012-08-09 12:00:00 UTC.

ISSUE DESCRIPTION
=================

An HVM guest is able to manipulate its physical address space such
that tearing down the guest takes an extended period amount of
time searching for shared pages.

This causes the domain 0 VCPU which tears down the domain to be
blocked in the destroy hypercall. This causes that domain 0 VCPU to
become unavailable and may cause the domain 0 kernel to panic.

There is no requirement for memory sharing to be in use.

IMPACT
======

A guest kernel can cause the host to become unresponsive for a period
of time, potentially leading to a DoS.

VULNERABLE SYSTEMS
==================

All systems running HVM guests with untrusted guest kernels.

This vulnerability effects only Xen 4.0 and 4.1. Xen 3.4 and earlier
and xen-unstable are not vulnerable.

MITIGATION
==========

This issue can be mitigated by running PV (para-virtualised) guests
only, or by ensuring (inside the guest) that the kernel is
trustworthy.

RESOLUTION
==========

Applying the appropriate attached patch will resolve the issue.

NOTE REGARDING CVE
==================

We do not yet have a CVE Candidate number for this vulnerability.

PATCH INFORMATION
=================

The attached patches resolve this issue

 Xen 4.1, 4.1.x                              xsa11-4.1.patch
 Xen 4.0, 4.0.x                              xsa11-4.0.patch

$ sha256sum xsa11-*.patch
c8ab767d831b20a1b22c69a28127303c89cf0379cbf6f1ba3acfda6240aa2a89  
xsa11-4.0.patch
61c6424023a26a8b4ea591d0bff6969908091a1a1e1304567d0d910908f21e8d  
xsa11-4.1.patch
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJQI8/0AAoJEIP+FMlX6CvZ+fIH/R8w3J9KUiLiIai/QaA4xOjp
rkvdR40b0GzcllDQEy9bUCvRY3QPz7DRza90vLvxCL9R5OnbkRtGJxdmbxjwmoVX
zF03FLaFCd5ypFsTGAcxaUcxtOrt6Ut6R0i8GZp5BCkOV+UkNvu/uaOxL6N3UZ3w
HfCm88EAWsWeJuShiG5jY3BhgCeR7b3GV9uXP0vG5Pa7cwPGvMnx/E6OsC/zEMG2
7yTX0/AI4qKMT9XtiA024vloN1mMlRgN74ZIBqmPuDv5ggv1wLFseARWueYMBn8Y
aUDi97nJf+YWXIx+YwAmD0XLmJ/5tTAYvaV3B4vjMrfFc/plMKDvOqohVB+hv08=
=l4LY
-----END PGP SIGNATURE-----

# HG changeset patch
# User Ian Campbell <ian.campbell@xxxxxxxxxx>
# Date 1343123936 -3600
# Node ID 48ce1f45392708a70723e99fa80947958ae69732
# Parent  c6eb61ed6f04b4079525c3944b5a55268e1db4f1
xen: only check for shared pages while any exist on teardown

Avoids worst case behavour when guest has a large p2m.

This is XSA-11 / CVE-2012-nnn

Signed-off-by: Tim Deegan <tim@xxxxxxx>
Signed-off-by: Ian Campbell <ian.campbell@xxxxxxxxxx>
Tested-by: Olaf Hering <olaf@xxxxxxxxx>

diff -r c6eb61ed6f04 -r 48ce1f453927 xen/arch/x86/mm/p2m.c
--- a/xen/arch/x86/mm/p2m.c     Mon May 14 17:02:16 2012 +0100
+++ b/xen/arch/x86/mm/p2m.c     Tue Jul 24 10:58:56 2012 +0100
@@ -1725,6 +1725,8 @@ void p2m_teardown(struct domain *d)
 #ifdef __x86_64__
     for ( gfn=0; gfn < p2m->max_mapped_pfn; gfn++ )
     {
+        if ( atomic_read(&d->shr_pages) == 0 )
+            break;
         mfn = p2m->get_entry(d, gfn, &t, p2m_query);
         if ( mfn_valid(mfn) && (t == p2m_ram_shared) )
             BUG_ON(mem_sharing_unshare_page(d, gfn, MEM_SHARING_DESTROY_GFN));

# HG changeset patch
# User Ian Campbell <ian.campbell@xxxxxxxxxx>
# Date 1343123777 -3600
# Node ID 83c979b30c9057dceb0a0bd2b6c19ab64616eb43
# Parent  3ce155e77f39d0c3cc787c1cc3d6bab1ef45a1dc
xen: only check for shared pages while any exist on teardown

Avoids worst case behavour when guest has a large p2m.

This is XSA-11 / CVE-2012-nnn

Signed-off-by: Tim Deegan <tim@xxxxxxx>
Signed-off-by: Ian Campbell <ian.campbell@xxxxxxxxxx>
Tested-by: Olaf Hering <olaf@xxxxxxxxx>

diff -r 3ce155e77f39 -r 83c979b30c90 xen/arch/x86/mm/p2m.c
--- a/xen/arch/x86/mm/p2m.c     Mon Jul 09 10:30:44 2012 +0100
+++ b/xen/arch/x86/mm/p2m.c     Tue Jul 24 10:56:17 2012 +0100
@@ -2044,6 +2044,8 @@ void p2m_teardown(struct p2m_domain *p2m
 #ifdef __x86_64__
     for ( gfn=0; gfn < p2m->max_mapped_pfn; gfn++ )
     {
+        if ( atomic_read(&d->shr_pages) == 0 )
+            break;
         mfn = p2m->get_entry(p2m, gfn, &t, &a, p2m_query);
         if ( mfn_valid(mfn) && (t == p2m_ram_shared) )
             BUG_ON(mem_sharing_unshare_page(p2m, gfn, 
MEM_SHARING_DESTROY_GFN));

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.