-----BEGIN PGP SIGNED MESSAGE-----
Xen Security Advisory XSA-238
DMOP map/unmap missing argument checks
UPDATES IN VERSION 2
ISSUE DESCRIPTION
DMOPs (which were a subgroup of HVMOPs in older releases) allow guests
to control and drive other guests. The I/O request server page mapping
interface uses range sets to represent I/O resources the emulation of
which is provided by a given I/O request server. The internals of the
range set implementation require that ranges have a starting value no
lower than the ending one. Checks for this fact were missing.
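The following is an added illustration, not code from this advisory or from Xen: a small C model of a DMOP map/unmap-range request handed to range set internals, with the unchecked entry point beside one that validates the argument at the hypercall boundary. The type and function names (dmop_range_req, toy_rangeset, dmop_map_io_range and friends) are constructed; the inclusive [start, end] convention and the expectation that the internals only see ordered ranges follow the range set code the advisory refers to, and everything else is an assumption of the example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model (not Xen's struct) of the range a device model
 * passes when mapping or unmapping an I/O resource: inclusive bounds.
 */
struct dmop_range_req {
    uint64_t start;
    uint64_t end;
};

#define TOY_MAX_RANGES 8

/* Minimal stand-in for a range set: a flat list of inclusive ranges. */
struct toy_rangeset {
    unsigned int nr;
    struct { uint64_t s, e; } r[TOY_MAX_RANGES];
};

/* Units covered by [s, e]; only meaningful when s <= e. */
static uint64_t range_len(uint64_t s, uint64_t e)
{
    return e - s + 1;   /* wraps to a huge value when s > e */
}

/*
 * Internals: assume the caller already guaranteed s <= e and do not
 * defend themselves (assumption of this model: the real code relies
 * on an assertion that release builds do not carry).
 */
static int toy_rangeset_add(struct toy_rangeset *rs, uint64_t s, uint64_t e)
{
    if (rs->nr == TOY_MAX_RANGES)
        return -ENOSPC;
    rs->r[rs->nr].s = s;
    rs->r[rs->nr].e = e;
    rs->nr++;
    return 0;
}

/* Pre-fix shape: the guest-supplied range goes straight to the internals. */
static int dmop_map_io_range_unchecked(struct toy_rangeset *rs,
                                       const struct dmop_range_req *req)
{
    return toy_rangeset_add(rs, req->start, req->end);
}

/* Post-fix shape: an inverted range is rejected at the boundary. */
static int dmop_map_io_range(struct toy_rangeset *rs,
                             const struct dmop_range_req *req)
{
    if (req->start > req->end)
        return -EINVAL;
    return toy_rangeset_add(rs, req->start, req->end);
}

/* What the internals believe they are tracking in total. */
static uint64_t toy_rangeset_total(const struct toy_rangeset *rs)
{
    uint64_t total = 0;
    for (unsigned int i = 0; i < rs->nr; i++)
        total += range_len(rs->r[i].s, rs->r[i].e);
    return total;
}

/* Feed a valid range, then an inverted one; return how many got in. */
static unsigned int run_scenario(int checked)
{
    struct toy_rangeset rs = { 0 };
    struct dmop_range_req good = { .start = 0x10, .end = 0x1f };
    struct dmop_range_req bad  = { .start = 0x20, .end = 0x10 };  /* inverted */

    if (checked) {
        dmop_map_io_range(&rs, &good);
        dmop_map_io_range(&rs, &bad);
    } else {
        dmop_map_io_range_unchecked(&rs, &good);
        dmop_map_io_range_unchecked(&rs, &bad);
    }
    return rs.nr;
}

int main(void)
{
    printf("checked path kept %u range(s)\n", run_scenario(1));
    printf("unchecked path kept %u range(s)\n", run_scenario(0));
    printf("len of inverted [0x20,0x10] as seen by internals: %llu\n",
           (unsigned long long)range_len(0x20, 0x10));
    return 0;
}
```

The checked path keeps only the valid range, while the unchecked path lets the inverted one through and the internals then operate on a wrapped length, which is the kind of state the advisory's missing check exposed.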
IMPACT
Malicious or buggy stub domain kernels or tool stacks otherwise living
outside of Domain0 can mount a denial of service attack which, if
successful, can affect the whole system.
VULNERABLE SYSTEMS
Only domains controlling HVM guests can exploit this vulnerability.
(This includes domains providing hardware emulation services to HVM
Xen versions 4.5 and later are vulnerable. Xen versions 4.4 and
earlier are not vulnerable.
Only x86 systems are affected. ARM systems are not affected.
MITIGATION
This vulnerability is only applicable to Xen systems using stub domains
or other forms of disaggregation of control domains for HVM guests.
Running only PV guests will avoid this issue.
(The security of a Xen system using stub domains is still better than
with a qemu-dm running as an unrestricted dom0 process. Therefore
users with these configurations should not switch to an unrestricted
CREDITS
This issue was discovered by Vitaly Kuznetsov of Red Hat.
RESOLUTION
Applying the appropriate attached patch resolves this issue.
xsa238.patch      xen-unstable, Xen 4.9.x, Xen 4.8.x, Xen 4.7.x
xsa238-4.6.patch  Xen 4.6.x
xsa238-4.5.patch  Xen 4.5.x
$ sha256sum xsa238*
DEPLOYMENT DURING EMBARGO
Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).
Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decision-making.)
For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy: