-----BEGIN PGP SIGNED MESSAGE-----
Xen Security Advisory XSA-262
qemu may drive Xen into unbounded loop
UPDATES IN VERSION 2
Updated .meta file
When Xen sends requests to a device model, the next expected action
inside Xen is tracked using a state field. The requests themselves
are placed in a memory page shared with the device model, so that the
device model can communicate to Xen its progress on the request. The
state field is in the request itself, where the device model may write
to it. Xen correctly rejects invalid state values, but failed to reject
invalid transitions between states. As a result, a device model which
switches a request between two states at the right times can drive Xen
into an unbounded loop.
A malicious unprivileged device model can cause a Denial of Service
(DoS) affecting the entire host. Specifically, it may prevent use of a
physical CPU for an indeterminate period of time.
All Xen versions are vulnerable.
Only x86 systems are affected. ARM systems are not affected.
Only HVM guests can expose this vulnerability. PV and PVH guests cannot
expose this vulnerability, but note that the domains being able to
leverage the vulnerability are PV or PVH ones, running the device model.
This vulnerability is only applicable to Xen systems using stub domains.
Running only PV or PVH guests will avoid this issue.
(The security of a Xen system using stub domains is still better than
with a qemu-dm running as an unrestricted dom0 process. Therefore
users with these configurations should not switch to an unrestricted
This issue was discovered by Jan Beulich of SUSE.
Applying the appropriate attached patch resolves this issue.
xsa262-4.10.patch Xen 4.10.x
xsa262-4.9.patch Xen 4.9.x, Xen 4.8.x, Xen 4.7.x
xsa262-4.6.patch Xen 4.6.x
$ sha256sum xsa262*
DEPLOYMENT DURING EMBARGO
Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).
Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)
For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
Xen-announce mailing list
|Free forum by Nabble||Edit this page|