* Xen Security Advisory 181 - arm: Host crash caused by VMID exhaustion
@ 2016-06-03  9:47 Xen.org security team
From: Xen.org security team @ 2016-06-03  9:47 UTC (permalink / raw)
  To: xen-announce, xen-devel, xen-users, oss-security; +Cc: Xen.org security team


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                    Xen Security Advisory XSA-181

               arm: Host crash caused by VMID exhaustion

ISSUE DESCRIPTION
=================

VMIDs are a finite hardware resource, and allocated as part of domain
creation.  If no free VMIDs are available when trying to create a new domain,
a bug in the error path causes a NULL pointer to be used, resulting in a Data
Abort and host crash.
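The failure mode described above, as an added example (toy C model, not Xen's code): a small pool of VMIDs is handed out at domain creation, the per-domain p2m init fails once the pool is empty, and the teardown run on the error path must cope with a p2m whose root was never allocated. The names (toy_p2m, vmid_alloc, free_pages), the pool size of 8 and the stand-in for free_domheap_pages() are all assumptions of this model; the "unfixed" teardown reports the NULL free as a failed result where the real hypervisor would take a Data Abort.

```c
/* Added example, not Xen's code: models a finite VMID pool, a p2m init that
 * can fail after the VMID step, and teardown before/after a NULL guard. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_VMID     8      /* hypothetical hardware limit (assumption) */
#define INVALID_VMID 0xff

static uint8_t vmid_used[MAX_VMID];   /* constructed pool: 1 = in use */

struct toy_p2m {
    uint8_t vmid;
    void   *root;   /* stands in for p2m->root; NULL until allocated */
};

/* Hand out the lowest free VMID, or fail when the pool is exhausted. */
static int vmid_alloc(uint8_t *out)
{
    for (unsigned i = 0; i < MAX_VMID; i++)
        if (!vmid_used[i]) { vmid_used[i] = 1; *out = (uint8_t)i; return 0; }
    return -1;
}

static void vmid_free(uint8_t v)
{
    if (v < MAX_VMID) vmid_used[v] = 0;
}

unsigned count_vmids_in_use(void)
{
    unsigned n = 0;
    for (unsigned i = 0; i < MAX_VMID; i++) n += vmid_used[i];
    return n;
}

/* Stand-in for free_domheap_pages(): does not tolerate NULL.  Here a NULL
 * argument returns false; the real function would dereference it. */
static bool free_pages(void *p)
{
    if (!p) return false;
    free(p);
    return true;
}

/* Init: VMID first, root page second, so VMID exhaustion leaves root NULL. */
int toy_p2m_init(struct toy_p2m *p2m)
{
    p2m->vmid = INVALID_VMID;
    p2m->root = NULL;
    if (vmid_alloc(&p2m->vmid)) return -1;          /* no free VMID */
    p2m->root = malloc(4096);
    if (!p2m->root) { vmid_free(p2m->vmid); p2m->vmid = INVALID_VMID; return -1; }
    return 0;
}

/* Teardown before the fix: frees root unconditionally. */
bool toy_p2m_teardown_unfixed(struct toy_p2m *p2m)
{
    bool ok = free_pages(p2m->root);   /* false == would have crashed */
    p2m->root = NULL;
    vmid_free(p2m->vmid);
    p2m->vmid = INVALID_VMID;
    return ok;
}

/* Teardown after the fix: same NULL guard as the advisory's patch. */
bool toy_p2m_teardown_fixed(struct toy_p2m *p2m)
{
    if (p2m->root)
        free_pages(p2m->root);
    p2m->root = NULL;
    vmid_free(p2m->vmid);
    p2m->vmid = INVALID_VMID;
    return true;
}

/* Create domains until a VMID allocation fails, run the given teardown on
 * the failed domain, then release the rest.  Returns whether the error-path
 * teardown survived. */
bool exhaust_and_teardown(bool (*teardown)(struct toy_p2m *))
{
    struct toy_p2m doms[MAX_VMID + 1];
    unsigned created = 0;
    bool survived = false;
    for (unsigned i = 0; i < MAX_VMID + 1; i++) {
        if (toy_p2m_init(&doms[i]) == 0) { created++; continue; }
        survived = teardown(&doms[i]);
        break;
    }
    for (unsigned i = 0; i < created; i++) toy_p2m_teardown_fixed(&doms[i]);
    return survived;
}

int main(void)
{
    printf("unfixed teardown survives: %d\n", exhaust_and_teardown(toy_p2m_teardown_unfixed));
    printf("fixed teardown survives:   %d\n", exhaust_and_teardown(toy_p2m_teardown_fixed));
    printf("VMIDs still in use: %u\n", count_vmids_in_use());
    return 0;
}
```

The ordering inside toy_p2m_init is the point: any resource acquired before the first failing step is already owned, and every field set up after it is still in its zeroed state, so teardown has to check each pointer before freeing it. The model also releases the VMID on teardown so the pool is usable again once the failed creation has been cleaned up.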

IMPACT
======

Attempting to create too many concurrent domains causes a host crash rather
than a graceful error.  A malicious device driver domain can hold references
to domains, preventing their VMIDs from being released.

VULNERABLE SYSTEMS
==================

Xen versions 4.4 and later are affected.  Older Xen versions are unaffected.

x86 systems are not affected.

Only arm systems with less-privileged device driver domains can expose this
vulnerability.

MITIGATION
==========

There is no mitigation.  Not using driver domains reclassifies the problem,
but does not fix it.

NOTE REGARDING LACK OF EMBARGO
==============================

The crash was discussed publicly on xen-devel, before it was appreciated
that there was a security problem.

CREDITS
=======

This issue was discovered by Aaron Cornelius of DornerWorks.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa181.patch           xen-unstable, Xen 4.6.x, 4.5.x
xsa181-4.4.patch       Xen 4.4.x

$ sha256sum xsa181*
6756fcf44446675e5277f6d6c0e8a0aaa51a7909ad9a55af89a09367fded8733  xsa181.patch
97a90c7cb42466647622cb2ed98de531b7ba2e174a1bc639a32a6f1b626d503f  xsa181-4.4.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJXUVIbAAoJEIP+FMlX6CvZAe8IAIwe1A/05KM9PfJTCwb23WEs
pfSiEZy7KzmavYwzV4TLwzWuCNzkRAuEejvQ9dTFnk8ZBkCZIbAaMoCPJljK/8gg
oBcn0cXE9Kz9kWBk+JCWHynboVh010p+7DGlcvrxmAwxJCUjGy4YcajDZ4uGJoHA
pgJxIk/w4CIzF+AQYm7bRW8dHF3yym4V6dmR4pGqXeYS41XbMqpEenGBggoBeH+C
TJLUzaNZfATcPK5NUCqBD7IiQtHyYJT8xEtIKDH4hfjEzffydHbErDb/lKk3fxK0
ECzrhdWMExnkUX4VkC393QaqGf78P6sa+psfZt4I7DDFDI2uEvXYmgVXjOuvSpg=
=hUSO
-----END PGP SIGNATURE-----

[-- Attachment #2: xsa181.patch --]
[-- Type: application/octet-stream, Size: 1243 bytes --]

From ee488e2133e581967d13d5287d7bd654e9b2e2a6 Mon Sep 17 00:00:00 2001
From: Andrew Cooper <andrew.cooper3@citrix.com>
Date: Thu, 2 Jun 2016 14:19:00 +0100
Subject: [PATCH] xen/arm: Don't free p2m->root in p2m_teardown() before it has
 been allocated

If p2m_init() didn't complete successfully, (e.g. due to VMID
exhaustion), p2m_teardown() is called and unconditionally tries to free
p2m->root before it has been allocated.  free_domheap_pages() doesn't
tolerate NULL pointers.

This is XSA-181

Reported-by: Aaron Cornelius <Aaron.Cornelius@dornerworks.com>
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Julien Grall <julien.grall@arm.com>
---
 xen/arch/arm/p2m.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/xen/arch/arm/p2m.c b/xen/arch/arm/p2m.c
index 838d004..6a19c57 100644
--- a/xen/arch/arm/p2m.c
+++ b/xen/arch/arm/p2m.c
@@ -1408,7 +1408,8 @@ void p2m_teardown(struct domain *d)
     while ( (pg = page_list_remove_head(&p2m->pages)) )
         free_domheap_page(pg);
 
-    free_domheap_pages(p2m->root, P2M_ROOT_ORDER);
+    if ( p2m->root )
+        free_domheap_pages(p2m->root, P2M_ROOT_ORDER);
 
     p2m->root = NULL;
 
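Review bot: the guard at `+    if ( p2m->root )` relies on p2m->root already being NULL at the first point where p2m_init() can fail (VMID exhaustion, per the commit message), i.e. on the p2m struct having been zeroed before any allocation; that initialisation is outside this hunk, so it is worth confirming in p2m_init() rather than assuming it. A one-line comment above the check stating that root is NULL when p2m_init() bailed out early would document the invariant for the next reader, and since `p2m->root = NULL;` is kept after the free, the function is also safe to call twice.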
-- 
2.1.4


[-- Attachment #3: xsa181-4.4.patch --]
[-- Type: application/octet-stream, Size: 1285 bytes --]

From 605a2711c411247920116a5026e772815b1168cd Mon Sep 17 00:00:00 2001
From: Andrew Cooper <andrew.cooper3@citrix.com>
Date: Thu, 2 Jun 2016 14:19:00 +0100
Subject: [PATCH] xen/arm: Don't free p2m->first_level in p2m_teardown() before
 it has been allocated

If p2m_init() didn't complete successfully, (e.g. due to VMID
exhaustion), p2m_teardown() is called and unconditionally tries to free
p2m->first_level before it has been allocated.  free_domheap_pages() doesn't
tolerate NULL pointers.

This is XSA-181

Reported-by: Aaron Cornelius <Aaron.Cornelius@dornerworks.com>
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Julien Grall <julien.grall@arm.com>
---
 xen/arch/arm/p2m.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/xen/arch/arm/p2m.c b/xen/arch/arm/p2m.c
index aff7a2c..9cf6f91 100644
--- a/xen/arch/arm/p2m.c
+++ b/xen/arch/arm/p2m.c
@@ -615,7 +615,8 @@ void p2m_teardown(struct domain *d)
     while ( (pg = page_list_remove_head(&p2m->pages)) )
         free_domheap_page(pg);
 
-    free_domheap_pages(p2m->first_level, P2M_FIRST_ORDER);
+    if ( p2m->first_level )
+        free_domheap_pages(p2m->first_level, P2M_FIRST_ORDER);
 
     p2m->first_level = NULL;
 
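Review bot: the 4.4 backport applies the same guard to the older field name, `+    if ( p2m->first_level )`, and keeps `p2m->first_level = NULL;` after the free, so p2m_teardown() now tolerates a p2m that never got past VMID allocation. The `while ( (pg = page_list_remove_head(&p2m->pages)) )` loop above the free already copes with an empty list, provided the list head is initialised before the first failure point; that ordering is not visible here and would be worth a sentence in the commit message.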
-- 
2.1.4

