[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] Xen Security Advisory 10 - HVM guest user mode MMIO emulation DoS

To: xen-announce@xxxxxxxxxxxxxxxxxxx, xen-devel@xxxxxxxxxxxxxxxxxxx, xen-users@xxxxxxxxxxxxxxxxxxx, oss-security@xxxxxxxxxxxxxxxxxx
From: Xen.org security team <security@xxxxxxx>
Date: Thu, 26 Jul 2012 16:30:43 +0100
Delivery-date: Thu, 26 Jul 2012 15:31:04 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                 Xen Security Advisory XSA-10

         HVM guest user mode MMIO emulation DoS vulnerability

ISSUE DESCRIPTION
=================

Internal data of the emulator for MMIO operations may, under
certain rare conditions, at the end of one emulation cycle be left
in a state affecting a subsequent emulation such that this second
emulation would fail, causing an exception to be reported to the
guest kernel where none is expected.

IMPACT
======

Guest mode unprivileged (user) code, which has been granted
the privilege to access MMIO regions, may leverage that access
to crash the whole guest.

VULNERABLE SYSTEMS
==================

All HVM guests exposing MMIO ranges to unprivileged (user) mode.

All versions of Xen which support HVM guests are vulnerable to this issue.

MITIGATION
==========

This issue can be mitigated by running PV (para-virtualised)
guests only, or by ensuring (inside the guest) that MMIO regions
can be accessed only by trustworthy processes.

RESOLUTION
==========

Applying the appropriate attached patch will resolve the issue.

NOTE REGARDING CVE
==================

We do not yet have a CVE Candidate number for this vulnerability.

PATCH INFORMATION
=================

The attached patches resolve this issue

$ sha256sum xsa10-*.patch
f96b7849194901d7f663895f88c2ca4f4721559f1c1fe13bba515336437ab912  
xsa10-4.x.patch
fb9dead017dfea99ad3e8d928582e67160c76518b7fe207d9a3324811baf06dd  
xsa10-unstable.patch
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJQEWB0AAoJEIP+FMlX6CvZYhUH+wVPIAAfKPp5p5TYvY90nAbR
O427AbXKDD0Gval78ygQSIiQIrmP0l5MZdx/FsXfw5cXyNHWJDHrwzA9jXzfYeor
boFvYCjdgyeh6cBM7BR2OFgoB+v3KmMSZOSDfH87SYzZTpK1+2ImDgsoaI5cqUMN
x92bXzqohZhcG/5PBhdVaEdj3KTGCHZYwjieUdi5BbWsQry9Rzd7nV6TsRHAaBkW
+9s3XxtobMNMJyr2t7ZKO1YwfLSprpfFcZk4zfdLLFMBvvPoF7V+Pi3PJ+8S38QN
YcyhPoLgoTqSKZ7buyMux9JwSzn8yi4ETMHMTc3VGFQZQwnlNeMWVEUG2CiYVn8=
=H0Nc
-----END PGP SIGNATURE-----

Attachment: xsa10-unstable.patch
Description: Binary data

Attachment: xsa10-4.x.patch
Description: Binary data

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

Follow-Ups:
- Re: [Xen-devel] [oss-security] Xen Security Advisory 10 - HVM guest user mode MMIO emulation DoS
  - From: Kurt Seifried

Prev by Date: Re: [Xen-devel] [PATCH] serial: don't waste space allocated for the tx buffer(s)
Next by Date: Re: [Xen-devel] [PATCH] x86-64: drop updating of UREGS_rip when converting sysenter to #GP
Previous by thread: [Xen-devel] [PATCH] x86-64: drop updating of UREGS_rip when converting sysenter to #GP
Next by thread: Re: [Xen-devel] [oss-security] Xen Security Advisory 10 - HVM guest user mode MMIO emulation DoS
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.