Xen.org security team
2012-Jul-26 15:30 UTC
Xen Security Advisory 10 - HVM guest user mode MMIO emulation DoS
Xen Security Advisory XSA-10

HVM guest user mode MMIO emulation DoS vulnerability

ISSUE DESCRIPTION
================

Internal data of the emulator for MMIO operations may, under
certain rare conditions, at the end of one emulation cycle be left
in a state affecting a subsequent emulation such that this second
emulation would fail, causing an exception to be reported to the
guest kernel where none is expected.

IMPACT
=====

Guest mode unprivileged (user) code, which has been granted the
privilege to access MMIO regions, may leverage that access to crash
the whole guest.

VULNERABLE SYSTEMS
=================

All HVM guests exposing MMIO ranges to unprivileged (user) mode.

All versions of Xen which support HVM guests are vulnerable to this
issue.

MITIGATION
=========

This issue can be mitigated by running PV (para-virtualised) guests
only, or by ensuring (inside the guest) that MMIO regions can be
accessed only by trustworthy processes.

RESOLUTION
=========

Applying the appropriate attached patch will resolve the issue.

NOTE REGARDING CVE
=================

We do not yet have a CVE Candidate number for this vulnerability.

PATCH INFORMATION
================

The attached patches resolve this issue

$ sha256sum xsa10-*.patch
f96b7849194901d7f663895f88c2ca4f4721559f1c1fe13bba515336437ab912  xsa10-4.x.patch
fb9dead017dfea99ad3e8d928582e67160c76518b7fe207d9a3324811baf06dd  xsa10-unstable.patch
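The in-guest mitigation in the advisory above (MMIO regions accessible only to trustworthy processes) can be checked with a permissions audit. This is an added example, not part of the advisory or of Xen; the Linux guest, the path list (/dev/mem, /dev/uio*, sysfs PCI resource files), the function name audit_mmio_nodes and the MMIO_AUDIT_RUN switch are assumptions.

```shell
#!/bin/sh
# Added example: audit a Linux HVM guest for device nodes that can map MMIO
# and are reachable by anyone other than their owner.
# Assumption: the path list is a common set of Linux interfaces; it is not
# taken from the advisory and may be incomplete for a given guest.

# audit_mmio_nodes [ROOT]
# Prints "MODE OWNER:GROUP PATH" for every candidate node that grants any
# permission bit to group or other. Returns 1 if at least one was found,
# 0 otherwise. ROOT is an optional prefix (used for offline image mounts).
audit_mmio_nodes() {
    root=${1:-}
    flagged=0
    for node in \
        "$root"/dev/mem \
        "$root"/dev/uio[0-9]* \
        "$root"/sys/bus/pci/devices/*/resource[0-9]*
    do
        [ -e "$node" ] || continue      # unmatched glob or absent interface
        mode=$(stat -c '%a' "$node") || continue
        # The last two octal digits are the group and other permission sets.
        case $mode in
            0|*00) ;;                   # owner-only (or no access at all)
            *)  printf '%s %s %s\n' \
                    "$mode" "$(stat -c '%U:%G' "$node")" "$node"
                flagged=1 ;;
        esac
    done
    return "$flagged"
}

# Run the audit only when asked, so the file can also be sourced.
# MMIO_AUDIT_RUN is a hypothetical switch used by this example only.
if [ "${MMIO_AUDIT_RUN:-0}" = 1 ]; then
    audit_mmio_nodes || echo "review the nodes listed above" >&2
fi
```

Run it inside the guest as root with MMIO_AUDIT_RUN=1; every listed node should either be tightened to owner-only or have its group membership reviewed.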
Kurt Seifried
2012-Jul-27 08:10 UTC
Re: Xen Security Advisory 10 - HVM guest user mode MMIO emulation DoS
On 07/26/2012 09:30 AM, Xen.org security team wrote:
> Xen Security Advisory XSA-10
>
> HVM guest user mode MMIO emulation DoS vulnerability
>
> ISSUE DESCRIPTION
> ================
>
> Internal data of the emulator for MMIO operations may, under
> certain rare conditions, at the end of one emulation cycle be left
> in a state affecting a subsequent emulation such that this second
> emulation would fail, causing an exception to be reported to the
> guest kernel where none is expected.
>
> IMPACT
> =====
>
> Guest mode unprivileged (user) code, which has been granted the
> privilege to access MMIO regions, may leverage that access to crash
> the whole guest.
>
> VULNERABLE SYSTEMS
> =================
>
> All HVM guests exposing MMIO ranges to unprivileged (user) mode.
>
> All versions of Xen which support HVM guests are vulnerable to this
> issue.
>
> MITIGATION
> =========
>
> This issue can be mitigated by running PV (para-virtualised) guests
> only, or by ensuring (inside the guest) that MMIO regions can be
> accessed only by trustworthy processes.
>
> RESOLUTION
> =========
>
> Applying the appropriate attached patch will resolve the issue.
>
> NOTE REGARDING CVE
> =================
>
> We do not yet have a CVE Candidate number for this vulnerability.
>
> PATCH INFORMATION
> ================
>
> The attached patches resolve this issue
>
> $ sha256sum xsa10-*.patch
> f96b7849194901d7f663895f88c2ca4f4721559f1c1fe13bba515336437ab912  xsa10-4.x.patch
> fb9dead017dfea99ad3e8d928582e67160c76518b7fe207d9a3324811baf06dd  xsa10-unstable.patch

Please use CVE-2012-3432 for this issue.

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993