Xen project Mailing List

Xen Security Advisory 332 v3 - Rogue guests can cause DoS of Dom0 via high frequency events

To: xen-announce@xxxxxxxxxxxxx, xen-devel@xxxxxxxxxxxxx, xen-users@xxxxxxxxxxxxx, oss-security@xxxxxxxxxxxxxxxxxx

From: Xen.org security team <security@xxxxxxx>

Date: Tue, 20 Oct 2020 12:00:35 +0000

Cc: Xen.org security team <security-team-members@xxxxxxx>

Delivery-date: Tue, 20 Oct 2020 12:01:23 +0000

List-id: "Xen announcements $low volume$" <xen-announce.lists.xenproject.org>

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory XSA-332 version 3 Rogue guests can cause DoS of Dom0 via high frequency events UPDATES IN VERSION 3 ==================== Public release. ISSUE DESCRIPTION ================= The handling of Xen events in the Linux kernel runs with interrupts disabled in a loop until no further event is pending. Whenever an event has been accepted by the kernel, another event can come in via the same event channel. This can result in the event handling loop running for an extended time if new events are coming in at a high rate. In extreme cases this can lead to a complete hang of the kernel, resulting in a DoS situation of the host when dom0 is affected. IMPACT ====== Malicious guests can hang the host by sending events to dom0 at a high frequency. VULNERABLE SYSTEMS ================== All systems with a Linux dom0 are affected. All Linux kernel versions are affected. MITIGATION ========== There is no known mitigation. CREDITS ======= This issue was discovered by Julien Grall from Arm RESOLUTION ========== Applying the appropriate attached patches resolves this issue. Note that patches for released versions are generally prepared to apply to the stable branches, and may not apply cleanly to the most recent release tarball. Downstreams are encouraged to update to the tip of the stable branch before applying these patches. xsa332-linux-??.patch Linux $ sha256sum xsa332* 92d0789e8e5b9ec7ae0cd8b01ef31e27930dbe9b81b727521d46328107f3c719 xsa332-linux-01.patch 0bd82febcaf7fc72b88082f46cae9b67f39786d03b3e6aae5f0789cf855e6143 xsa332-linux-02.patch e646b7caf11ded7f22b209635b209f50ac583cbaeb3270148ce66a3cd922f0c1 xsa332-linux-03.patch 9bed2213774a8107a2f2c157aeb0ebfda7cc6384cee0a245017b3a9eb28cff7f xsa332-linux-04.patch 8839af506b71946db35f223ff614aa92b4386aaf95e4d8b1408fbf31436ff80f xsa332-linux-05.patch b261706bd7f7120fadff0e928be366924cfc13418c81a67ad45724b4179e8a5c xsa332-linux-06.patch fc0c963a9a965fc7a72468b1a1ce0834dc866e77392ca0c1d9c8162457a526a0 xsa332-linux-07.patch 5d821c58dd7fcdb157c2844ba34675305c320de25f54409305ffcba610d5922b xsa332-linux-08.patch 242eb83eca8e3b6d2d303e2943aa041b5f19ea54242cd0de20252d2ae3d128d1 xsa332-linux-09.patch 70a042006d1df3dbbefc4c7d4dfd50da8f3a8e47ee77c2d6d0ba1eda405ae574 xsa332-linux-10.patch ebbfa66d11b8c81353b72ed5f381672e6784a67895df482f7e791a9fb4c6fbf0 xsa332-linux-11.patch cda1cbcca19860d43804e80ec2d7d13b295a140b42aa7d16118bb2d20bd63cae xsa332-linux-12.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAl+OzqQMHHBncEB4ZW4u b3JnAAoJEIP+FMlX6CvZ3MIIAJR5SsBiZM7dhNHSJWMv1OXZK9MBpIxUgJuLY6da dlpsb6c5eb7ppAfHzkg+JABzc1hIKQkzKBL9n/tvP57KAWqnCbrPfk3/pVrvAf9E Vubra4+Ec8hY+8JqJsxHS6ZPyLzViFaE505pBEHlFOGZYkSgqM/s96SgoZtgMSpx pUpFGJCAUPZ7uR+urznM4QrWvvytsRbZo3fUrqn0f9WgMXFge0U9vE7Clt1yzZns J5nmYq2gBJkrMINreth8T7oDCx7l+I+Cq4yJ0hreUWCxp6svl7kbjI55sdlrI99O J7rXH6uaGEHSFfy/Zx4aek3eB5LP6Asgp2pQZkXOcSg8RLE= =q2XX -----END PGP SIGNATURE-----

Attachment: xsa332-linux-01.patch
Description: Binary data

Attachment: xsa332-linux-02.patch
Description: Binary data

Attachment: xsa332-linux-03.patch
Description: Binary data

Attachment: xsa332-linux-04.patch
Description: Binary data

Attachment: xsa332-linux-05.patch
Description: Binary data

Attachment: xsa332-linux-06.patch
Description: Binary data

Attachment: xsa332-linux-07.patch
Description: Binary data

Attachment: xsa332-linux-08.patch
Description: Binary data

Attachment: xsa332-linux-09.patch
Description: Binary data

Attachment: xsa332-linux-10.patch
Description: Binary data

Attachment: xsa332-linux-11.patch
Description: Binary data

Attachment: xsa332-linux-12.patch
Description: Binary data

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.