Xen Security Advisory 235 - add-to-physmap error paths fail to release lock on ARM
Xen Security Advisory XSA-235
add-to-physmap error paths fail to release lock on ARM
When dealing with the grant map space of add-to-physmap operations,
ARM specific code recognizes a number of error conditions, but fails
to release a lock being held on the respective exit paths.
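The bug class described above, as an added illustration that is not Xen's code and not part of the advisory: a handler that takes a lock and returns early on a validation error without releasing it, next to a single-exit version that always unlocks. The names (toy_lock, map_frame_buggy, map_frame_fixed, TABLE_FRAMES) and the table layout are hypothetical, and a try-lock stands in for a spinlock so the leaked lock can be observed instead of hanging.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical try-lock: with a real spinlock the next taker would spin forever. */
struct toy_lock { bool held; };
static bool toy_trylock(struct toy_lock *l) { if (l->held) return false; l->held = true; return true; }
static void toy_unlock(struct toy_lock *l) { l->held = false; }

#define TABLE_FRAMES 4 /* constructed limit for this example */
struct table { struct toy_lock lock; unsigned long frames[TABLE_FRAMES]; };

/* Vulnerable shape: the error exit returns with the lock still held. */
int map_frame_buggy(struct table *t, unsigned long idx, unsigned long *out)
{
    if (!toy_trylock(&t->lock)) return -EBUSY;
    if (idx >= TABLE_FRAMES)
        return -EINVAL;            /* BUG: no unlock on this path */
    *out = t->frames[idx];
    toy_unlock(&t->lock);
    return 0;
}

/* Fixed shape: every path after the lock is taken leaves through "out". */
int map_frame_fixed(struct table *t, unsigned long idx, unsigned long *out)
{
    int rc = 0;
    if (!toy_trylock(&t->lock)) return -EBUSY;
    if (idx >= TABLE_FRAMES) { rc = -EINVAL; goto out; }
    *out = t->frames[idx];
out:
    toy_unlock(&t->lock);
    return rc;
}

/* Issue one out-of-range request, then a valid one; return the second result. */
int valid_after_invalid(int (*fn)(struct table *, unsigned long, unsigned long *))
{
    struct table t = { .frames = {10, 11, 12, 13} }; /* constructed sample data */
    unsigned long frame = 0;
    fn(&t, TABLE_FRAMES, &frame);  /* rejected with -EINVAL */
    return fn(&t, 1, &frame);      /* succeeds only if the lock was released */
}

int main(void)
{
    printf("buggy: %d, fixed: %d\n", valid_after_invalid(map_frame_buggy), valid_after_invalid(map_frame_fixed));
    return 0;
}
```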
A malicious guest administrator can cause a denial of service.
Specifically, they can prevent use of a physical CPU for an indefinite period.
Xen versions 4.4 and later are vulnerable. Xen versions 4.3 and
earlier are not vulnerable.
Only ARM systems are affected. X86 systems are not affected.
On systems where the guest kernel is controlled by the host rather than
the guest administrator, running only kernels which only issue sane
hypercalls will prevent untrusted guest users from exploiting this
issue. However, untrusted guest administrators can still trigger it
unless further steps are taken to prevent them from loading code into
the kernel (e.g. by disabling loadable modules, etc.) or from using other
mechanisms which allow them to run code at kernel privilege.
This issue was discovered by Wei Liu of Citrix.
Applying the appropriate attached patch resolves this issue.