Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1YcuzQ-0005LQ-PR@xenbits.xen.org>
Date: Tue, 31 Mar 2015 12:09:52 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org,
 xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security@....org>
Subject: Xen Security Advisory 125 (CVE-2015-2752) - Long latency MMIO
 mapping operations are not preemptible

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2015-2752 / XSA-125
                              version 3

       Long latency MMIO mapping operations are not preemptible

UPDATES IN VERSION 3
====================

CVE assigned.

Public release.

ISSUE DESCRIPTION
=================

The XEN_DOMCTL_memory_mapping hypercall allows long running operations
without implementing preemption.

This hypercall is used by the device model as part of the emulation
associated with configuration of PCI devices passed through to HVM
guests and is therefore indirectly exposed to those guests.

This can cause a physical CPU to become busy for a significant period,
leading to a host denial of service in some cases.

If a host denial of service is not triggered then it may instead be
possible to deny service to the domain running the device model,
e.g. domain 0.

This hypercall is also exposed more generally to all
toolstacks. However the uses of it in libxl based toolstacks are not
believed to open up any avenue of attack from an untrusted
guest. Other toolstacks may be vulnerable however.

IMPACT
======

The vulnerability is exposed via HVM guests which have a PCI device
assigned to them. A malicious HVM guest in such a configuration can
mount a denial of service attack affecting the whole system via its
associated device model (qemu-dm).

A guest is able to trigger this hypercall via operations which it is
legitimately expected to perform, therefore running the device model
as a stub domain does not offer protection against the host denial of
service issue. However it does offer some protection against secondary
issues such as denial of service against dom0.

VULNERABLE SYSTEMS
==================

The issue is exposed via x86 HVM VMs which have been assigned a PCI
device.

x86 PV domains, x86 HVM domains without passthrough devices and ARM
domains do not expose this vulnerability.

Xen 3.2.x and later are vulnerable.
Xen 3.1.x and earlier have not been inspected.

MITIGATION
==========

Running only PV guests will avoid this issue.

This issue can be avoided by not assigning devices with large MMIO
regions to untrusted HVM guests.

CREDITS
=======

This issue was discovered by Konrad Rzeszutek Wilk of Oracle.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa125.patch                 Xen 4.5.x, xen-unstable
xsa125-4.4.patch             Xen 4.4.x
xsa125-4.3.patch             Xen 4.3.x
xsa125-4.2.patch             Xen 4.2.x

$ sha256sum xsa125*.patch
be0c7cceb1af4b7b1341f37c1e20cf804ea3ac7d3c2ca2e5599f936479d5e0de  xsa125.patch
5f081407c2955787c6e40daa847f3c4131694dff3bb0bc0ee55495f555c7bb52  xsa125-4.2.patch
3b0641ef2a23f12872267940c408097cb353e57a6e0396a64cdf13592a14f65b  xsa125-4.3.patch
2180e657b34d8628d4e0157adf2a36904bb6feaf55d53338e4457ef77d867a31  xsa125-4.4.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJVGo5JAAoJEIP+FMlX6CvZlEAIAMdSMKpxum+J9IbUFCqcHFa4
F8zQDkz2hMCY3OjTAq9+n6KR2LLyKDn2hGDP0Mspbo67lRBEjSkp7KEXCoDrA294
YsVuJn8y0T3yPH9du3m0f2vi49MrhnxnUZLNyKCpkxTiClrC/7JX3OZxQTQIGpzf
EIsjYP+/w9ava5XYbGKorwlLvGpjRmnZpCDTrZlqKV2bK2O6pWzyvp5zD99FORcJ
YVRIGebKu8szbSHZs9ectt4xkZwYrzSjj0+PtryvwLSpSYi0zTWIu9rrgd/ZCXfL
tgD+i9zoc2E1ydPlvdKRXEdRHY9gGcaimfbTqYn1ttJ6qQcnbMoRQor4X+v92NU=
=m83F
-----END PGP SIGNATURE-----

Download attachment "xsa125.patch" of type "application/octet-stream" (5547 bytes)

Download attachment "xsa125-4.2.patch" of type "application/octet-stream" (5272 bytes)

Download attachment "xsa125-4.3.patch" of type "application/octet-stream" (5249 bytes)

Download attachment "xsa125-4.4.patch" of type "application/octet-stream" (5568 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.