Xen project Mailing List

[Xen-devel] Xen Security Advisory 23 (CVE-2012-4538) - Unhooking empty PAE entries DoS vulnerability

To: xen-announce@xxxxxxxxxxxxx, xen-devel@xxxxxxxxxxxxx, xen-users@xxxxxxxxxxxxx, oss-security@xxxxxxxxxxxxxxxxxx

From: Xen.org security team <security@xxxxxxx>

Date: Tue, 13 Nov 2012 12:56:16 +0000

Cc: "Xen.org security team" <security@xxxxxxx>

Delivery-date: Tue, 13 Nov 2012 12:56:40 +0000

List-id: Xen developer discussion <xen-devel.lists.xen.org>

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2012-4538 / XSA-23 version 2 Unhooking empty PAE entries DoS vulnerability UPDATES IN VERSION 2 ==================== Public release. ISSUE DESCRIPTION ================= The HVMOP_pagetable_dying hypercall does not correctly check the caller's pagetable state, leading to a hypervisor crash. IMPACT ====== An HVM guest running on shadow pagetables (that is, not HAP) can cause the hypervisor to crash. VULNERABLE SYSTEMS ================== All Xen versions from 4.0 onwards are vulnerable, except that: - systems that run only PV guests are not vulnerable - systems that run all HVM guests using HAP (which is the default on hardware that supports it) are not vulnerable. MITIGATION ========== This issue can be avoided by running only PV guests or by running all HVM guests using hardware-assisited paging (HAP, also called NPT, RVI and EPT). Xen will run guests using HAP by default on hardware that supports it, unless it is disbled by putting 'hap=0' either on the xen hypervisor command-line or in the VM's configuration. You can check whether a particular machine supports HAP by looking at xen's boot messages. On Xen 4.1, 4.2 and unstable, Xen will print "HVM: Hardware Assisted Paging (HAP) detected" during boot; on xen 4.0 the message is "HVM: Hardware Assisted Paging detected". RESOLUTION ========== Applying the appropriate attached patch resolves this issue. xsa23-4.0-4.1.patch Xen 4.0.x, 4.1.x xsa23-4.2-unstable.patch Xen 4.2.x, xen-unstable $ sha256sum xsa23*.patch f696d597481595b14ac9577d1dad05fc97da68568f52db74d62f2e3dcb2c7a6e xsa23-4.0-4.1.patch 70ffea07e58e4a747bf3ec103f656ba2cd0d8986722e6a72023c57d802c65964 xsa23-4.2-unstable.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJQokGsAAoJEIP+FMlX6CvZTagH/iyB7+Y5Ug2+3o0minW/xYe5 sVoRIxYhOuKIoRZFVHn3WvXc2PkL/sVCg8PoQnxCs1v4etALl6TTwE9CuJYVgbR7 9OiN6l/NAg2Qbcg3W1j5Har0syOFL5ZkrvIZ3xvER1lsSINKFJ/HBYf9Oe3KUAaD ffzgRupB/AcETIClv9qwhmSVgjDyNWEae4TS5MzvdUM5dDcCObg/OpyvCGx2MbA8 SF/s9bSwmUcEboy1wOm4wkTWfEJUCsE/ftpQRsEZPESOOXG5u2QB+EI1pbZ1SObx yhbDGE1Ex3T9u88t+7bSiFn2CwNS7eWQwg7nKQ6P/8PlSwm8BFg7KBC+HUxHNW4= =stq6 -----END PGP SIGNATURE-----

Attachment: xsa23-4.0-4.1.patch
Description: Binary data

Attachment: xsa23-4.2-unstable.patch
Description: Binary data

_______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.