* Re: Xen Security Advisory 35 (CVE-2013-0152) - Nested HVM exposes host to being driven out of memory by guest
       [not found] <E1TxcYd-0007H4-74@xenbits.xen.org>
@ 2013-01-22 21:09 ` M A Young
From: M A Young @ 2013-01-22 21:09 UTC (permalink / raw)
  To: Xen.org security team; +Cc: xen-users, xen-announce, oss-security, xen-devel

On Tue, 22 Jan 2013, Xen.org security team wrote:

> To fix both XSA 34 and XSA 35, first apply xsa34-4.2.patch from XSA 34
> and then *also* apply xsa35-4.2-with-xsa34.patch from this advisory.

The xsa35-4.2-with-xsa34.patch patch is malformed,
@@ -3862,6 +3862,10 @@ long do_hvm_op(unsigned long op, XEN_GUE
should be
@@ -3862,6 +3862,11 @@ long do_hvm_op(unsigned long op, XEN_GUE

 	Michael Young

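The defect M A Young reports is a unified-diff hunk whose header count disagrees with its body. As an added example (not part of this thread and not Xen project code), the C program below checks every `@@ -a,b +c,d @@` header in a patch against the lines that follow it and is run here on the version 3 and version 4 hunks copied from this thread. The struct and function names are this example's own.

```c
/* Added example: validate unified-diff hunk header counts. The embedded
 * V3_HUNK/V4_HUNK texts are copied from the XSA-35 advisory thread. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct hunk_report { int hunks, malformed; };

static int starts_with(const char *s, const char *p) { return strncmp(s, p, strlen(p)) == 0; }

/* Parse "start[,count]" and advance *p past it; a missing count means 1. */
static int parse_range(const char **p, int *count)
{
    char *end;
    long n = 1;
    (void)strtol(*p, &end, 10);
    if (end == *p) return 0;
    if (*end == ',') {
        const char *q = end + 1;
        n = strtol(q, &end, 10);
        if (end == q || n < 0) return 0;
    }
    *count = (int)n;
    *p = end;
    return 1;
}

/* Parse "@@ -a,b +c,d @@ ..." into the old (b) and new (d) line counts. */
static int parse_header(const char *line, int *old_n, int *new_n)
{
    const char *p = line;
    if (!starts_with(p, "@@ -")) return 0;
    p += 4;
    if (!parse_range(&p, old_n) || !starts_with(p, " +")) return 0;
    p += 2;
    return parse_range(&p, new_n) && starts_with(p, " @@");
}

/* ' ' and empty lines count on both sides, '-' on the old side, '+' on the
 * new side, '\' (no-newline marker) on neither. A hunk ends once both counts
 * are met, at a non-body line, or at EOF; '+'/'-' lines past that point are
 * still counted, so an undercounted header (the v3 defect) shows as an overrun. */
struct hunk_report check_hunks(const char *text)
{
    struct hunk_report r = { 0, 0 };
    int in_hunk = 0, old_n = 0, new_n = 0, old_seen = 0, new_seen = 0;
    char line[512];

    for (const char *p = text; *p; ) {
        size_t full = strcspn(p, "\n"), len = full < sizeof line ? full : sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        p += full;
        if (*p == '\n') p++;

        if (in_hunk) {
            int c = line[0];
            int body = c == ' ' || c == '+' || c == '-' || c == '\\' || c == '\0';
            int done = old_seen >= old_n && new_seen >= new_n;
            int file_hdr = starts_with(line, "--- ") || starts_with(line, "+++ ");
            if (body && (!done || ((c == '+' || c == '-') && !file_hdr))) {
                old_seen += (c == ' ' || c == '\0' || c == '-');
                new_seen += (c == ' ' || c == '\0' || c == '+');
                continue;
            }
            r.malformed += (old_seen != old_n || new_seen != new_n);
            in_hunk = 0;
        }
        if (starts_with(line, "@@ ")) {
            r.hunks++;
            old_seen = new_seen = 0;
            in_hunk = parse_header(line, &old_n, &new_n);
            r.malformed += !in_hunk;                  /* unparseable header */
        }
    }
    if (in_hunk) r.malformed += (old_seen != old_n || new_seen != new_n);
    return r;
}

/* The hunk body posted in both versions: 6 context lines and 5 added lines. */
#define HUNK_BODY \
    "                     rc = -EINVAL;\n" \
    "                 break;\n" \
    "             case HVM_PARAM_NESTEDHVM:\n" \
    "+                if ( !IS_PRIV(current->domain) )\n" \
    "+                {\n" \
    "+                    rc = -EPERM;\n" \
    "+                    break;\n" \
    "+                }\n" \
    " #ifdef __i386__\n" \
    "                 if ( a.value )\n" \
    "                     rc = -EINVAL;\n"
#define FILE_HDR "--- a/xen/arch/x86/hvm/hvm.c\n+++ b/xen/arch/x86/hvm/hvm.c\n"

/* Version 3 claims 10 new-side lines; version 4 corrects the header to 11. */
static const char V3_HUNK[] = FILE_HDR "@@ -3862,6 +3862,10 @@ long do_hvm_op(unsigned long op, XEN_GUE\n" HUNK_BODY;
static const char V4_HUNK[] = FILE_HDR "@@ -3862,6 +3862,11 @@ long do_hvm_op(unsigned long op, XEN_GUE\n" HUNK_BODY;

int main(void)
{
    struct hunk_report r3 = check_hunks(V3_HUNK), r4 = check_hunks(V4_HUNK);
    printf("v3 hunk: %d hunk(s), %d malformed\n", r3.hunks, r3.malformed);
    printf("v4 hunk: %d hunk(s), %d malformed\n", r4.hunks, r4.malformed);
    return 0;
}
```

Run against a downloaded copy by reading the file in place of the embedded strings, and pair it with `sha256sum xsa35*.patch` compared to the hashes printed in the advisory: a hunk check tells you the file is well formed, only the signed hash tells you it is the intended file.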

* Xen Security Advisory 35 (CVE-2013-0152) - Nested HVM exposes host to being driven out of memory by guest
@ 2013-01-23 18:29 Xen.org security team
From: Xen.org security team @ 2013-01-23 18:29 UTC (permalink / raw)
  To: xen-announce, xen-devel, xen-users, oss-security; +Cc: Xen.org security team

[-- Attachment #1: Type: text/plain, Size: 1961 bytes --]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

	     Xen Security Advisory CVE-2013-0152 / XSA-35
                           version 4

       Nested HVM exposes host to being driven out of memory by guest

UPDATES IN VERSION 4
====================

Fix corrupt patch xsa35-4.2-with-xsa34.patch.

ISSUE DESCRIPTION
=================

Guests are currently permitted to enable nested virtualization on
themselves. Missing error handling cleanup in the handling code makes
it possible for a guest, particularly a multi-vCPU one, to repeatedly
invoke this operation, thus causing a leak of - over time - unbounded
amounts of memory.

IMPACT
======

A malicious domain can mount a denial of service attack affecting the
whole system.

VULNERABLE SYSTEMS
==================

Only Xen 4.2 and Xen unstable are vulnerable. Xen 4.1 and earlier are
not vulnerable.

The vulnerability is only exposed by HVM guests.

MITIGATION
==========

Running only PV guests will avoid this vulnerability.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

To fix both XSA 34 and XSA 35, first apply xsa34-4.2.patch from XSA 34
and then *also* apply xsa35-4.2-with-xsa34.patch from this advisory.

To fix this issue without addressing XSA 34, use xsa35.patch.

$ sha256sum xsa35*.patch
4a103bf14dd060f702289db539a8c6c69496bdfd1de5d0c0468c3aab7b34f6a5  xsa35-4.2-with-xsa34.patch
e69b01033b0fa4c3d175697566d2f0b161337e8d206654919937f77721dbf866  xsa35.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJRACvBAAoJEIP+FMlX6CvZhWgH/AmojPzrSnLIPmP+kyphQeYk
Yg00TDSm+rV8cmG6CE66r1WMibi1S/19yEkE6fJ1bgJtSBgcIqGls8NULPD+JvnH
6WmjktyH85LWcVbqNsjaPYAqyYOQJMMfmLDmW+ksc/SQgEH0zV4xAiA1iLIGJYRT
oEjIXg/m76hjsq9u/njprxHNIJH81K84Jh4wZkR7LIdZUxJgdIRHFcNIPhjNAEfP
k9jsfscuudU1bH7qJc/bJBbZFEnd6mw2zqn+M8UsLwow7A70x2JCAjCbplU1Zbxf
pe1P+E9upNFrsWXQ8O365ve6owaQP/CCcEDS9o2V+Fxc8ZjJ0nYJo3WWKIxQgqk=
=jAmO
-----END PGP SIGNATURE-----

[-- Attachment #2: xsa35-4.2-with-xsa34.patch --]
[-- Type: application/octet-stream, Size: 793 bytes --]

xen: Do not allow guests to enable nested HVM on themselves

There is no reason for this and doing so exposes a memory leak to
guests. Only toolstacks need write access to this HVM param.

This is XSA-35 / CVE-2013-0152.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Jan Beulich <JBeulich@suse.com>

--- a/xen/arch/x86/hvm/hvm.c
+++ b/xen/arch/x86/hvm/hvm.c
@@ -3862,6 +3862,11 @@ long do_hvm_op(unsigned long op, XEN_GUEST_HANDLE(void) arg)
                     rc = -EINVAL;
                 break;
             case HVM_PARAM_NESTEDHVM:
+                if ( !IS_PRIV(current->domain) )
+                {
+                    rc = -EPERM;
+                    break;
+                }
 #ifdef __i386__
                 if ( a.value )
                     rc = -EINVAL;
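Review bot: this variant has no `diff --git`/`index` header and its hunk context is truncated at `XEN_GUE`, unlike xsa35.patch below, which points to a hand-edited file; the version 3 copy of this same hunk went out with `+3862,10` for a body of six context plus five added lines (11 on the new side), the count M A Young flagged. Regenerate it with `git diff` or `git format-patch` against an XSA-34-patched tree and run `git apply --check` on the result before signing, rather than correcting the header by hand. The inserted `IS_PRIV(current->domain)` check itself is identical to the one in xsa35.patch.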

[-- Attachment #3: xsa35.patch --]
[-- Type: application/octet-stream, Size: 919 bytes --]

xen: Do not allow guests to enable nested HVM on themselves

There is no reason for this and doing so exposes a memory leak to
guests. Only toolstacks need write access to this HVM param.

This is XSA-35 / CVE-2013-0152.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Jan Beulich <JBeulich@suse.com>

diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c
index 40c1ab2..8264da7 100644
--- a/xen/arch/x86/hvm/hvm.c
+++ b/xen/arch/x86/hvm/hvm.c
@@ -3871,6 +3871,11 @@ long do_hvm_op(unsigned long op, XEN_GUEST_HANDLE_PARAM(void) arg)
                     rc = -EINVAL;
                 break;
             case HVM_PARAM_NESTEDHVM:
+                if ( !IS_PRIV(current->domain) )
+                {
+                    rc = -EPERM;
+                    break;
+                }
                 if ( a.value > 1 )
                     rc = -EINVAL;
                 if ( !is_hvm_domain(d) )
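Review bot: the new `IS_PRIV(current->domain)` test returns -EPERM before the `a.value > 1` and `is_hvm_domain(d)` checks, so an unprivileged caller is refused for every value, including a.value == 0, and a guest can no longer clear nested HVM on itself either. That matches the commit message ("only toolstacks need write access"), and testing the calling domain rather than the target `d` is the right subject since the toolstack sets this param on the guest's behalf, but the neighbouring cases in this switch validate the value first, so a one-line comment at the check saying the whole param is toolstack-write-only would stop the next reader from "fixing" the order; the same sentence belongs in the header that defines HVM_PARAM_NESTEDHVM.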

[-- Attachment #4: Type: text/plain, Size: 126 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

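The issue description above (a guest-writable HVM param whose handler leaks on its error path, reachable as often as the guest likes) as a minimal C model, added here as an example and not Xen's code: the struct and function names, the per-vCPU allocation, the injected failure at one vCPU and the 64-byte block size are all this example's assumptions. The fixed handler applies the rule the attached patch introduces (only a privileged caller may write the param) together with the error-path unwind the description says was missing.

```c
/* Added example, not Xen code: a model of the XSA-35 bug class. A param
 * handler allocates per-vCPU nested-HVM state and, when a later vCPU fails,
 * returns without unwinding what it already built; with any HVM guest allowed
 * to call it, looping on the call leaks host memory without bound. Names,
 * the injected failure and the allocation size are assumptions of this model. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_VCPUS 8

struct vcpu   { void *nested_state; };                 /* per-vCPU nested-virt context */
struct domain { int is_priv; int nvcpus; struct vcpu vcpu[MAX_VCPUS]; };

static long live_allocs;          /* stands in for hypervisor heap accounting */
static int  fail_at = -1;         /* inject a failure when initialising this vCPU index */

static void *nv_alloc(void) { void *p = calloc(1, 64); live_allocs += p != NULL; return p; }
static void  nv_free(void *p) { if (p) { live_allocs--; free(p); } }

static int nestedhvm_vcpu_initialise(struct vcpu *v, int idx)
{
    if (idx == fail_at) return -ENOMEM;                /* simulated failure */
    v->nested_state = nv_alloc();
    return v->nested_state ? 0 : -ENOMEM;
}

static void nestedhvm_vcpu_destroy(struct vcpu *v)
{
    nv_free(v->nested_state);
    v->nested_state = NULL;
}

/* Vulnerable shape: no privilege check, and no cleanup when vCPU i fails, so
 * the state built for vCPUs 0..i-1 (and whatever each vCPU already held) is
 * lost on every call. */
static int set_nestedhvm_vulnerable(struct domain *caller, struct domain *d, int value)
{
    (void)caller;
    if (value > 1) return -EINVAL;
    if (!value) return 0;
    for (int i = 0; i < d->nvcpus; i++) {
        int rc = nestedhvm_vcpu_initialise(&d->vcpu[i], i);
        if (rc) return rc;
    }
    return 0;
}

/* Fixed shape: refuse unprivileged writers up front, as the XSA-35 patch does
 * with IS_PRIV(current->domain); release existing state before rebuilding it;
 * unwind the vCPUs already set up when one fails. */
static int set_nestedhvm_fixed(struct domain *caller, struct domain *d, int value)
{
    if (!caller->is_priv) return -EPERM;
    if (value > 1) return -EINVAL;
    for (int i = 0; i < d->nvcpus; i++) nestedhvm_vcpu_destroy(&d->vcpu[i]);
    if (!value) return 0;
    for (int i = 0; i < d->nvcpus; i++) {
        int rc = nestedhvm_vcpu_initialise(&d->vcpu[i], i);
        if (rc) {
            while (i-- > 0) nestedhvm_vcpu_destroy(&d->vcpu[i]);
            return rc;
        }
    }
    return 0;
}

/* Drive one handler `rounds` times against a 4-vCPU guest and return how many
 * allocations are left that no vCPU references any more, i.e. the leak. */
long scenario(int use_fixed, int caller_is_priv, int fail_vcpu, int rounds)
{
    struct domain dom0 = { .is_priv = 1, .nvcpus = 1 }, guest = { .is_priv = 0, .nvcpus = 4 };
    int (*handler)(struct domain *, struct domain *, int) =
        use_fixed ? set_nestedhvm_fixed : set_nestedhvm_vulnerable;

    live_allocs = 0;
    fail_at = fail_vcpu;
    for (int r = 0; r < rounds; r++)
        handler(caller_is_priv ? &dom0 : &guest, &guest, 1);
    for (int i = 0; i < guest.nvcpus; i++)        /* drop what is still referenced... */
        nestedhvm_vcpu_destroy(&guest.vcpu[i]);
    return live_allocs;                           /* ...leaving only what nobody can free */
}

int main(void)
{
    printf("vulnerable, guest caller, vCPU 3 fails: %ld leaked\n", scenario(0, 0, 3, 1000));
    printf("vulnerable, guest caller, no failure:   %ld leaked\n", scenario(0, 0, -1, 1000));
    printf("fixed, guest caller (gets -EPERM):      %ld leaked\n", scenario(1, 0, 3, 1000));
    printf("fixed, toolstack caller, vCPU 3 fails:  %ld leaked\n", scenario(1, 1, 3, 1000));
    return 0;
}
```

With four vCPUs and a failure injected at the fourth, the vulnerable handler loses three blocks per call, so 1000 calls leave 2997 blocks nobody can free; the fixed handler leaks nothing whether the caller is refused with -EPERM or is the toolstack hitting the same failure. The check at the top is what removes the guest-reachable attack surface; the unwind is what makes the path correct for legitimate callers too.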

* Xen Security Advisory 35 (CVE-2013-0152) - Nested HVM exposes host to being driven out of memory by guest
@ 2013-01-22 12:02 Xen.org security team
From: Xen.org security team @ 2013-01-22 12:02 UTC (permalink / raw)
  To: xen-announce, xen-devel, xen-users, oss-security; +Cc: Xen.org security team

[-- Attachment #1: Type: text/plain, Size: 1931 bytes --]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

	     Xen Security Advisory CVE-2013-0152 / XSA-35
                           version 3

       Nested HVM exposes host to being driven out of memory by guest

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

Guests are currently permitted to enable nested virtualization on
themselves. Missing error handling cleanup in the handling code makes
it possible for a guest, particularly a multi-vCPU one, to repeatedly
invoke this operation, thus causing a leak of - over time - unbounded
amounts of memory.

IMPACT
======

A malicious domain can mount a denial of service attack affecting the
whole system.

VULNERABLE SYSTEMS
==================

Only Xen 4.2 and Xen unstable are vulnerable. Xen 4.1 and earlier are
not vulnerable.

The vulnerability is only exposed by HVM guests.

MITIGATION
==========

Running only PV guests will avoid this vulnerability.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

To fix both XSA 34 and XSA 35, first apply xsa34-4.2.patch from XSA 34
and then *also* apply xsa35-4.2-with-xsa34.patch from this advisory.

To fix this issue without addressing XSA 34, use xsa35.patch.

$ sha256sum xsa35*.patch
8372322e986bc2210f0d35b4d35a029301bd28fc1dffb789dff1436eb2024723  xsa35-4.2-with-xsa34.patch
e69b01033b0fa4c3d175697566d2f0b161337e8d206654919937f77721dbf866  xsa35.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJQ/ny+AAoJEIP+FMlX6CvZajwIAJ2/2xGmEbI44LFJ4rGehOY8
CZRlTzyPLUt1eVk6lD7qwX1ondGEAsFwLrZdFp+c08Cle7o2RT502EwptPGIRhkc
8pPjOgqWr/YjHC/B0VAoCZOF08HsIpDU2wiaxKhcFODNoeUb2z01OL5G+7I60HzV
54F70rCBx229Myhq9zqCV4a1XW+73k6NL7bpRICAME5fDy+8q4gcF0UDLv6MZmNV
PB9Ey2kiH6TMZO4Si+ekF4GQzfvje5/xTU/v0bHq6r7SxhHXq4aJ5e6jER0vlTsr
0HbE5uG/4LimCmc77q0ZiHOGg61gc/V1imfsUOTnnfaifw4qReCQHXpMAOdg9Ww=
=O88v
-----END PGP SIGNATURE-----

[-- Attachment #2: xsa35-4.2-with-xsa34.patch --]
[-- Type: application/octet-stream, Size: 773 bytes --]

xen: Do not allow guests to enable nested HVM on themselves

There is no reason for this and doing so exposes a memory leak to
guests. Only toolstacks need write access to this HVM param.

This is XSA-35 / CVE-2013-0152.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Jan Beulich <JBeulich@suse.com>

--- a/xen/arch/x86/hvm/hvm.c
+++ b/xen/arch/x86/hvm/hvm.c
@@ -3862,6 +3862,10 @@ long do_hvm_op(unsigned long op, XEN_GUE
                     rc = -EINVAL;
                 break;
             case HVM_PARAM_NESTEDHVM:
+                if ( !IS_PRIV(current->domain) )
+                {
+                    rc = -EPERM;
+                    break;
+                }
 #ifdef __i386__
                 if ( a.value )
                     rc = -EINVAL;
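Review bot: the header `@@ -3862,6 +3862,10 @@` does not match this body: six context lines plus five `+` lines give 11 new-side lines, so it must read `@@ -3862,6 +3862,11 @@`, as M A Young reports and as version 4 of the advisory corrects. `patch` and `git apply` reject a hunk whose body overruns its header as malformed, so anyone following this version's instructions (xsa34-4.2.patch, then xsa35-4.2-with-xsa34.patch) ends up with XSA-34 fixed and XSA-35 still open; check a local copy against the version 4 sha256 (4a103bf1...) rather than the version 3 value (8372322e...) published above.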

[-- Attachment #3: xsa35.patch --]
[-- Type: application/octet-stream, Size: 919 bytes --]

xen: Do not allow guests to enable nested HVM on themselves

There is no reason for this and doing so exposes a memory leak to
guests. Only toolstacks need write access to this HVM param.

This is XSA-35 / CVE-2013-0152.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Jan Beulich <JBeulich@suse.com>

diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c
index 40c1ab2..8264da7 100644
--- a/xen/arch/x86/hvm/hvm.c
+++ b/xen/arch/x86/hvm/hvm.c
@@ -3871,6 +3871,11 @@ long do_hvm_op(unsigned long op, XEN_GUEST_HANDLE_PARAM(void) arg)
                     rc = -EINVAL;
                 break;
             case HVM_PARAM_NESTEDHVM:
+                if ( !IS_PRIV(current->domain) )
+                {
+                    rc = -EPERM;
+                    break;
+                }
                 if ( a.value > 1 )
                     rc = -EINVAL;
                 if ( !is_hvm_domain(d) )
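Review bot: this attachment is byte-identical to xsa35.patch in version 4 (same `index 40c1ab2..8264da7`, same sha256 e69b0103...), so the version 3 to version 4 change is confined to the with-xsa34 variant and this file can be applied from either version; the comment on the version 4 copy about the `IS_PRIV` check preceding the value checks applies unchanged here.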


