Xen Security Advisory 181 - arm: Host crash caused by VMID exhaustion
@ 2016-06-03 9:47 Xen.org security team
From: Xen.org security team @ 2016-06-03 9:47 UTC (permalink / raw)
To: xen-announce, xen-devel, xen-users, oss-security; +Cc: Xen.org security team
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Xen Security Advisory XSA-181
arm: Host crash caused by VMID exhaustion
ISSUE DESCRIPTION
=================
VMIDs are a finite hardware resource, and allocated as part of domain
creation. If no free VMIDs are available when trying to create a new domain,
a bug in the error path causes a NULL pointer to be used, resulting in a Data
Abort and host crash.
IMPACT
======
Attempting to create too many concurrent domains causes a host crash rather
than a graceful error. A malicious device driver domain can hold references
to domains, preventing their VMIDs from being released.
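The failure mode described above (an allocation that fails part-way through domain creation, followed by a teardown that assumes every field was initialised) is easy to reproduce in miniature. The following C program is an added example written for this page, not Xen code: it models a fixed pool of VMIDs, a p2m-like structure whose initialisation takes the VMID before the root table, and a `free_pages_strict()` stand-in for `free_domheap_pages()` that, like the real function, aborts on a NULL pointer. The teardown carries the same guard the XSA-181 patch adds, so exhausting the pool yields a graceful error instead of a crash, and nothing leaks. All names, the pool size and the page size are constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model, not Xen's p2m code: a fixed pool of VMIDs (the finite
 * hardware resource the advisory describes) and a teardown routine that
 * must be safe to call on a partially initialised structure. */
#define MAX_VMIDS  4        /* hypothetical pool size */
#define PAGE_BYTES 4096

static bool vmid_in_use[MAX_VMIDS];

/* Returns a free VMID, or -1 when the pool is exhausted. */
static int vmid_alloc(void)
{
    for (int i = 0; i < MAX_VMIDS; i++)
        if (!vmid_in_use[i]) { vmid_in_use[i] = true; return i; }
    return -1;
}

static void vmid_free(int vmid) { vmid_in_use[vmid] = false; }

/* Stands in for free_domheap_pages(): like the real function it does not
 * tolerate a NULL pointer, so the caller has to check first. */
static void free_pages_strict(void *p)
{
    if (!p) { fprintf(stderr, "free_pages_strict(NULL): fatal\n"); abort(); }
    free(p);
}

struct p2m {
    int   vmid;   /* -1 while no VMID is assigned */
    void *root;   /* root page table, NULL until allocated */
};

/* Initialise in the order the advisory implies: VMID first, root table
 * second. On VMID exhaustion we return with root still NULL. */
static int p2m_init(struct p2m *p2m)
{
    p2m->vmid = -1;
    p2m->root = NULL;
    p2m->vmid = vmid_alloc();
    if (p2m->vmid < 0)
        return -1;                       /* error path: root == NULL */
    p2m->root = calloc(1, PAGE_BYTES);
    if (!p2m->root) {
        vmid_free(p2m->vmid);
        p2m->vmid = -1;
        return -1;
    }
    return 0;
}

/* Teardown with the XSA-181 guard: each resource is released only if it was
 * actually acquired, and the field is reset so a second call is harmless. */
static void p2m_teardown(struct p2m *p2m)
{
    if (p2m->root)
        free_pages_strict(p2m->root);
    p2m->root = NULL;
    if (p2m->vmid >= 0)
        vmid_free(p2m->vmid);
    p2m->vmid = -1;
}

/* Try to create n domains; the creation error path calls teardown, as the
 * advisory says Xen's does. Returns how many were created. */
static int create_domains(struct p2m *doms, int n)
{
    int created = 0;
    for (int i = 0; i < n; i++) {
        if (p2m_init(&doms[i]) == 0)
            created++;
        else
            p2m_teardown(&doms[i]);      /* must not crash on partial init */
    }
    return created;
}

/* Number of VMIDs currently allocated, to check nothing leaks. */
static int vmids_in_use(void)
{
    int n = 0;
    for (int i = 0; i < MAX_VMIDS; i++) n += vmid_in_use[i];
    return n;
}

/* Create n domains against a fresh pool, tear them all down (including the
 * ones that already failed), and report created count and leaked VMIDs. */
static int run_scenario(int n, int *leaked)
{
    struct p2m doms[16];
    if (n > 16) n = 16;
    for (int i = 0; i < MAX_VMIDS; i++) vmid_in_use[i] = false;
    int created = create_domains(doms, n);
    for (int i = 0; i < n; i++) p2m_teardown(&doms[i]);
    *leaked = vmids_in_use();
    return created;
}

int main(void)
{
    int leaked = -1;
    int created = run_scenario(6, &leaked);
    printf("created %d of 6 domains (pool has %d VMIDs), leaked %d\n",
           created, MAX_VMIDS, leaked);
    return 0;
}
```

With a pool of 4, asking for 6 domains creates 4 and fails 2 gracefully; the failed domains reach teardown with `root == NULL` and are skipped by the guard. Without the `if (p2m->root)` check, `free_pages_strict()` would abort on the fifth domain, which is the host crash the advisory describes. Resetting the fields after release also makes the teardown idempotent, which is what lets `run_scenario()` tear down every slot unconditionally.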
VULNERABLE SYSTEMS
==================
Xen versions 4.4 and later are affected. Older Xen versions are unaffected.
x86 systems are not affected.
Only arm systems with less-privileged device driver domains can expose this
vulnerability.
MITIGATION
==========
There is no mitigation. Not using driver domains reclassifies the problem,
but does not fix it.
NOTE REGARDING LACK OF EMBARGO
==============================
The crash was discussed publicly on xen-devel, before it was appreciated
that there was a security problem.
CREDITS
=======
This issue was discovered by Aaron Cornelius of DornerWorks.
RESOLUTION
==========
Applying the appropriate attached patch resolves this issue.
xsa181.patch xen-unstable, Xen 4.6.x, 4.5.x
xsa181-4.4.patch Xen 4.4.x
$ sha256sum xsa181*
6756fcf44446675e5277f6d6c0e8a0aaa51a7909ad9a55af89a09367fded8733 xsa181.patch
97a90c7cb42466647622cb2ed98de531b7ba2e174a1bc639a32a6f1b626d503f xsa181-4.4.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQEcBAEBAgAGBQJXUVIbAAoJEIP+FMlX6CvZAe8IAIwe1A/05KM9PfJTCwb23WEs
pfSiEZy7KzmavYwzV4TLwzWuCNzkRAuEejvQ9dTFnk8ZBkCZIbAaMoCPJljK/8gg
oBcn0cXE9Kz9kWBk+JCWHynboVh010p+7DGlcvrxmAwxJCUjGy4YcajDZ4uGJoHA
pgJxIk/w4CIzF+AQYm7bRW8dHF3yym4V6dmR4pGqXeYS41XbMqpEenGBggoBeH+C
TJLUzaNZfATcPK5NUCqBD7IiQtHyYJT8xEtIKDH4hfjEzffydHbErDb/lKk3fxK0
ECzrhdWMExnkUX4VkC393QaqGf78P6sa+psfZt4I7DDFDI2uEvXYmgVXjOuvSpg=
=hUSO
-----END PGP SIGNATURE-----
[-- Attachment #2: xsa181.patch --]
[-- Type: application/octet-stream, Size: 1243 bytes --]
From ee488e2133e581967d13d5287d7bd654e9b2e2a6 Mon Sep 17 00:00:00 2001
From: Andrew Cooper <andrew.cooper3@citrix.com>
Date: Thu, 2 Jun 2016 14:19:00 +0100
Subject: [PATCH] xen/arm: Don't free p2m->root in p2m_teardown() before it has
been allocated
If p2m_init() didn't complete successfully, (e.g. due to VMID
exhaustion), p2m_teardown() is called and unconditionally tries to free
p2m->root before it has been allocated. free_domheap_pages() doesn't
tolerate NULL pointers.
This is XSA-181
Reported-by: Aaron Cornelius <Aaron.Cornelius@dornerworks.com>
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Julien Grall <julien.grall@arm.com>
---
xen/arch/arm/p2m.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/xen/arch/arm/p2m.c b/xen/arch/arm/p2m.c
index 838d004..6a19c57 100644
--- a/xen/arch/arm/p2m.c
+++ b/xen/arch/arm/p2m.c
@@ -1408,7 +1408,8 @@ void p2m_teardown(struct domain *d)
while ( (pg = page_list_remove_head(&p2m->pages)) )
free_domheap_page(pg);
- free_domheap_pages(p2m->root, P2M_ROOT_ORDER);
+ if ( p2m->root )
+ free_domheap_pages(p2m->root, P2M_ROOT_ORDER);
p2m->root = NULL;
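Review bot: The NULL guard is the right fix, but nothing in the hunk tells a future reader why `p2m->root` can be NULL at this point; a one-line comment such as `/* root is NULL if p2m_init() failed before allocating it */` would keep the check from being "simplified" away later. Also worth confirming in the same commit: the `page_list_remove_head(&p2m->pages)` loop just above still runs unconditionally, so this teardown relies on the page list head having been initialised before the step in `p2m_init()` that can fail (VMID allocation); if that ordering is not already guaranteed, the same partial-init hazard remains one line up.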
--
2.1.4
[-- Attachment #3: xsa181-4.4.patch --]
[-- Type: application/octet-stream, Size: 1285 bytes --]
From 605a2711c411247920116a5026e772815b1168cd Mon Sep 17 00:00:00 2001
From: Andrew Cooper <andrew.cooper3@citrix.com>
Date: Thu, 2 Jun 2016 14:19:00 +0100
Subject: [PATCH] xen/arm: Don't free p2m->first_level in p2m_teardown() before
it has been allocated
If p2m_init() didn't complete successfully, (e.g. due to VMID
exhaustion), p2m_teardown() is called and unconditionally tries to free
p2m->first_level before it has been allocated. free_domheap_pages() doesn't
tolerate NULL pointers.
This is XSA-181
Reported-by: Aaron Cornelius <Aaron.Cornelius@dornerworks.com>
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Julien Grall <julien.grall@arm.com>
---
xen/arch/arm/p2m.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/xen/arch/arm/p2m.c b/xen/arch/arm/p2m.c
index aff7a2c..9cf6f91 100644
--- a/xen/arch/arm/p2m.c
+++ b/xen/arch/arm/p2m.c
@@ -615,7 +615,8 @@ void p2m_teardown(struct domain *d)
while ( (pg = page_list_remove_head(&p2m->pages)) )
free_domheap_page(pg);
- free_domheap_pages(p2m->first_level, P2M_FIRST_ORDER);
+ if ( p2m->first_level )
+ free_domheap_pages(p2m->first_level, P2M_FIRST_ORDER);
p2m->first_level = NULL;
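Review bot: Same observation as for the unstable/4.6/4.5 version: the guard on `p2m->first_level` is correct given that `free_domheap_pages()` rejects NULL, but a short comment stating that `first_level` is only NULL when `p2m_init()` bailed out early would document the invariant. The preceding `page_list_remove_head(&p2m->pages)` loop is still unconditional, so please double-check that the 4.4 `p2m_init()` initialises the page list before it can fail on VMID exhaustion; otherwise the teardown is still not safe on every error path.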
--
2.1.4