Xen Security Advisory 252 - DoS via non-preemptable L3/L4 pagetable freeing

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

Xen Security Advisory 252 - DoS via non-preemptable L3/L4 pagetable freeing

Xen.org security team
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

                    Xen Security Advisory XSA-252
                              version 2

             DoS via non-preemptable L3/L4 pagetable freeing

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

Guests have the ability to request removal of memory from themselves.
This operation is intended to be requested for normal read/write pages,
but is also permitted to be used on other types of pages.  So far this
in particular included pages pinned to their current type, with the
necessary unpinning happening implicitly.  The unpinning of higher level
page tables can, however, take a significant amount of time, and hence
is generally expected to be carried out with intermediate preemption
checks.  Such checks were missing from the code path involved here.

IMPACT
======

A malicious guest administrator can cause a Denial of Service (DoS).
Specifically, prevent use of a physical CPU for a significant period of
time.

VULNERABLE SYSTEMS
==================

All Xen versions are vulnerable.

Only x86 systems are affected.  ARM systems are not affected.

Only PV guests can leverage this vulnerability.  HVM guests cannot
leverage this vulnerability.

MITIGATION
==========

Running only HVM guests will avoid this issue.

CREDITS
=======

This issue was discovered by Jann Horn of Google Project Zero.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa252.patch           xen-unstable, Xen 4.10.0
xsa252-4.9.patch       Xen 4.9.x, Xen 4.8.x
xsa252-4.7.patch       Xen 4.7.x
xsa252-4.6.patch       Xen 4.6.x, Xen 4.5.x

$ sha256sum xsa252*
5bf651378b92520969cde49d11500bcaeffab15590d21c16736be408a85ab3fa  xsa252.meta
53174dfd05eb274431dc756c9c3a39b355d485d6c9d12a8797b350bab343d22e  xsa252.patch
b7ba005fa62ace07f4880cc79824968c24ead3182245e4ed3a6e22cf8d2d7c05  xsa252-4.6.patch
14f37eb6b7a9fb19b258ca3c0e2da71dbc4240e6273137d5eb4003b122101aa6  xsa252-4.7.patch
cb679f2145e76b1c754c4377b397d201007f50438ee18e451c4b0da3f510a293  xsa252-4.9.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJalUevAAoJEIP+FMlX6CvZaDEH/0MrInFkPbVr0OFNs8KHuZNh
5fz3sXFbf/7O0aTdFT5JJpwZaOngSyjnnKJKZMtsEHz52Nzs6o4xnYzqzNlemPJf
FG5NKjWgQI762H8Co4z65eWwHevfDo9a1XAy2LRHlbaNkGXMwic3B2VbhW2A0Hkp
nAATx19TpS21Fk4dK5+P8HCy+YN5RwPKKADE1Jps0MsCcSZ9NHcKfedokqpaD2DQ
XEWlfhclzHGLdrBGFWtvBUGuxUIioB/ovVQK/6q7/Go2nLNvkrU63tdiCchzpVLA
qXskJeatqqH/QnLXxhgzAQWf4rmjCU21l3Lh75ZK0xrRKAPFMOiPLuQ3VtVhcYA=
=sq8W
-----END PGP SIGNATURE-----

_______________________________________________
Xen-announce mailing list
[hidden email]
https://lists.xenproject.org/mailman/listinfo/xen-announce

xsa252.meta (3K) Download Attachment
xsa252.patch (1K) Download Attachment
xsa252-4.6.patch (1K) Download Attachment
xsa252-4.7.patch (1K) Download Attachment
xsa252-4.9.patch (1K) Download Attachment