Xen users - Jul 2012 - Xen Security Advisory 10 - HVM guest user mode MMIO emulation DoS

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                 Xen Security Advisory XSA-10

	 HVM guest user mode MMIO emulation DoS vulnerability

ISSUE DESCRIPTION
================
Internal data of the emulator for MMIO operations may, under
certain rare conditions, at the end of one emulation cycle be left
in a state affecting a subsequent emulation such that this second
emulation would fail, causing an exception to be reported to the
guest kernel where none is expected.

IMPACT
=====
Guest mode unprivileged (user) code, which has been granted
the privilege to access MMIO regions, may leverage that access
to crash the whole guest.

VULNERABLE SYSTEMS
=================
All HVM guests exposing MMIO ranges to unprivileged (user) mode.

All versions of Xen which support HVM guests are vulnerable to this issue.

MITIGATION
=========
This issue can be mitigated by running PV (para-virtualised)
guests only, or by ensuring (inside the guest) that MMIO regions
can be accessed only by trustworthy processes.

RESOLUTION
=========
Applying the appropriate attached patch will resolve the issue.

NOTE REGARDING CVE
=================
We do not yet have a CVE Candidate number for this vulnerability.

PATCH INFORMATION
================
The attached patches resolve this issue

$ sha256sum xsa10-*.patch
f96b7849194901d7f663895f88c2ca4f4721559f1c1fe13bba515336437ab912 
xsa10-4.x.patch
fb9dead017dfea99ad3e8d928582e67160c76518b7fe207d9a3324811baf06dd 
xsa10-unstable.patch
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJQEWB0AAoJEIP+FMlX6CvZYhUH+wVPIAAfKPp5p5TYvY90nAbR
O427AbXKDD0Gval78ygQSIiQIrmP0l5MZdx/FsXfw5cXyNHWJDHrwzA9jXzfYeor
boFvYCjdgyeh6cBM7BR2OFgoB+v3KmMSZOSDfH87SYzZTpK1+2ImDgsoaI5cqUMN
x92bXzqohZhcG/5PBhdVaEdj3KTGCHZYwjieUdi5BbWsQry9Rzd7nV6TsRHAaBkW
+9s3XxtobMNMJyr2t7ZKO1YwfLSprpfFcZk4zfdLLFMBvvPoF7V+Pi3PJ+8S38QN
YcyhPoLgoTqSKZ7buyMux9JwSzn8yi4ETMHMTc3VGFQZQwnlNeMWVEUG2CiYVn8=H0Nc
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/26/2012 09:30 AM, Xen.org security team wrote:
> 
> Xen Security Advisory XSA-10
> 
> HVM guest user mode MMIO emulation DoS vulnerability
> 
> ISSUE DESCRIPTION ================> 
> Internal data of the emulator for MMIO operations may, under 
> certain rare conditions, at the end of one emulation cycle be left 
> in a state affecting a subsequent emulation such that this second 
> emulation would fail, causing an exception to be reported to the 
> guest kernel where none is expected.
> 
> IMPACT =====> 
> Guest mode unprivileged (user) code, which has been granted the
> privilege to access MMIO regions, may leverage that access to crash
> the whole guest.
> 
> VULNERABLE SYSTEMS =================> 
> All HVM guests exposing MMIO ranges to unprivileged (user) mode.
> 
> All versions of Xen which support HVM guests are vulnerable to this
> issue.
> 
> MITIGATION =========> 
> This issue can be mitigated by running PV (para-virtualised) guests
> only, or by ensuring (inside the guest) that MMIO regions can be
> accessed only by trustworthy processes.
> 
> RESOLUTION =========> 
> Applying the appropriate attached patch will resolve the issue.
> 
> NOTE REGARDING CVE =================> 
> We do not yet have a CVE Candidate number for this vulnerability.
> 
> PATCH INFORMATION ================> 
> The attached patches resolve this issue
> 
> $ sha256sum xsa10-*.patch 
> f96b7849194901d7f663895f88c2ca4f4721559f1c1fe13bba515336437ab912
> xsa10-4.x.patch 
> fb9dead017dfea99ad3e8d928582e67160c76518b7fe207d9a3324811baf06dd
> xsa10-unstable.patch
Please use CVE-2012-3432 for this issue.


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJQEkzcAAoJEBYNRVNeJnmTBi8QANKeCCOiniLKp5+1LvYXr3rE
uV9UijoVTBu6WNtB2L9NXRrenHBvGv38+tmVVg7pCqHkU9nrzhmg4zc8qZY8LJ/V
/ZnYuVoWZ/hG+KNi8/NQIiDAiDu4Ip9NnMSW9SdYPVEFSQN4JCQufYOxjCGNzOj1
QidDoyb7i63UAFXj4nvdFmJKVYSvegI+H46vGVkQabBdZ2LXuCHYCw54ZZ0nFqKj
LU3t/468DmBn1Gk2EUdufV/NWxWpD33pjwTkMFbYH/C5cSHUMx6UUkD48EWu0YAs
MxjigqXHKiXEPsoyfULppRTaxE969MsWDhrjrptymZjasmcXl+v/opmVYT9DJ1gF
pAHU0o862p1gcdhBuk/n2DB8HFSk5MJbytDz0KzxgEDrqhFO4AIeAVq6//wXPnym
nxNTY/6MQazc+S+coiNvBAtr1sT6CWgHsd0DLLQh/PQZ1DVDKRfufd9LfI7PdPFH
gjHp81MArk39vFM5vT01Ac0aG4pj8kTwpTHwt84VL05hj6R/GcB56/526fmmgnan
6KlwufXZkZjP6lteIeidK9NVOhRId5VEL0EguQAc5z8cavl6oD1P+AaECZct+h5r
jMHxeQSf0ggQL6zRGBOU6Dlt2+Cg4FjRpWO8iGe0PlZb+XTFUsPk8/OWEKHa2Rlp
tXhMnEfhzvKZLMg53D+S
=qRMf
-----END PGP SIGNATURE-----