thr3ads.net - Xen users - Xen Security Advisory 60 (CVE-2013-2212) - Excessive time to disable caching with HVM guests with PCI passthrough [Jul 2013]

If this information is useful, please help other people find it:
Share via:

Xen.org security team

2013-Jul-24 11:36 UTC

Xen Security Advisory 60 (CVE-2013-2212) - Excessive time to disable caching with HVM guests with PCI passthrough

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

             Xen Security Advisory CVE-2013-2212 / XSA-60
                             version 4

   Excessive time to disable caching with HVM guests with PCI passthrough

UPDATES IN VERSION 4
===================
Public release.

ISSUE DESCRIPTION
================
HVM guests are able to manipulate their physical address space such that
processing a subsequent request by that guest to disable caches takes an
extended amount of time changing the cachability of the memory pages assigned
to this guest. This applies only when the guest has been granted access to
some memory mapped I/O region (typically by way of assigning a passthrough
PCI device).

This can cause the CPU which processes the request to become unavailable,
possibly causing the hypervisor or a guest kernel (including the domain 0 one)
to halt itself ("panic").

For reference, as long as no patch implementing an approved alternative
solution is available (there''s only a draft violating certain
requirements
set by Intel''s documentation), the problematic code is the function
vmx_set_uc_mode() (in that it calls ept_change_entry_emt_with_range() with
the full guest GFN range, which the guest has control over, but which also
would be a problem with sufficiently large but not malicious guests).

IMPACT
=====
A malicious domain, given access to a device with memory mapped I/O
regions, can cause the host to become unresponsive for a period of
time, potentially leading to a DoS affecting the whole system.

VULNERABLE SYSTEMS
=================
Xen version 3.3 onwards is vulnerable.

Only systems using the Intel variant of Hardware Assisted Paging (aka EPT) are
vulnerable.

MITIGATION
=========
This issue can be avoided by not assigning PCI devices to untrusted guests, or
by running HVM guests with shadow mode paging (through adding "hap=0"
to the
domain configuration file).

CREDITS
======
Konrad Wilk found the issue as a bug, which on examination by the
Xenproject.org Security Team turned out to be a security problem.

RESOLUTION
=========
There is currently no resolution to this issue.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJR77wrAAoJEIP+FMlX6CvZB5MH/ibfpjHuoGOIo7mWukld4NM5
UVIKC+rTrnkYhbF2f+xIM833+WAUjPuXZKZ6/EirDAPAAQCut2DouNvVdVnZ5cBx
rq0N8l9wy0/dq/7kCyI3kAGFlJ3VYz7aM5+TTPFGfO7Yq3ohUNu2EE4vv/t5KVjD
H4reh8UaA5QuRbdh3evCM9Vdt2syqi8JQwB5D2CJqrgAuFPwEVle8MLKSXWWb/+V
KUy+mRAb1tN3jbWIev0TZ7Hm3x61yO60/WFzsQzkmkd+qWvC5btkWDg05K5DHC+Q
yvFU3Y5u7J/ub00ZO4e9wjNDG5+ItQUK4xp8y5s65qx27P/eK9VLi8dvnHVMk04=HUbY
-----END PGP SIGNATURE-----

_______________________________________________
Xen-users mailing list
Xen-users@lists.xen.org
http://lists.xen.org/xen-users

Konrad Rzeszutek Wilk

2013-Jul-24 13:58 UTC

head link

Re: Xen Security Advisory 60 (CVE-2013-2212) - Excessive time to disable caching with HVM guests with PCI passthrough

On Wed, Jul 24, 2013 at 11:36:55AM +0000, Xen.org security team
wrote:> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
>              Xen Security Advisory CVE-2013-2212 / XSA-60
>                              version 4
> 
>    Excessive time to disable caching with HVM guests with PCI passthrough
> 
> UPDATES IN VERSION 4
> ===================> 
> Public release.
> 
> ISSUE DESCRIPTION
> ================> 
> HVM guests are able to manipulate their physical address space such that
> processing a subsequent request by that guest to disable caches takes an
> extended amount of time changing the cachability of the memory pages
assigned
> to this guest. This applies only when the guest has been granted access to
> some memory mapped I/O region (typically by way of assigning a passthrough
> PCI device).
> 
> This can cause the CPU which processes the request to become unavailable,
> possibly causing the hypervisor or a guest kernel (including the domain 0
one)
> to halt itself ("panic").
> 
> For reference, as long as no patch implementing an approved alternative
> solution is available (there''s only a draft violating certain
requirements
> set by Intel''s documentation), the problematic code is the
function
> vmx_set_uc_mode() (in that it calls ept_change_entry_emt_with_range() with
> the full guest GFN range, which the guest has control over, but which also
> would be a problem with sufficiently large but not malicious guests).
> 
> IMPACT
> =====> 
> A malicious domain, given access to a device with memory mapped I/O
> regions, can cause the host to become unresponsive for a period of
> time, potentially leading to a DoS affecting the whole system.
> 
> VULNERABLE SYSTEMS
> =================> 
> Xen version 3.3 onwards is vulnerable.
> 
> Only systems using the Intel variant of Hardware Assisted Paging (aka EPT)
are
> vulnerable.
> 
> MITIGATION
> =========> 
> This issue can be avoided by not assigning PCI devices to untrusted guests,
or
> by running HVM guests with shadow mode paging (through adding
"hap=0" to the
> domain configuration file).
> 
> CREDITS
> ======> 
> Konrad Wilk found the issue as a bug, which on examination by the
It was:
Zhenzhong Duan
> Xenproject.org Security Team turned out to be a security problem.
> 
> RESOLUTION
> =========> 
> There is currently no resolution to this issue.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (GNU/Linux)
> 
> iQEcBAEBAgAGBQJR77wrAAoJEIP+FMlX6CvZB5MH/ibfpjHuoGOIo7mWukld4NM5
> UVIKC+rTrnkYhbF2f+xIM833+WAUjPuXZKZ6/EirDAPAAQCut2DouNvVdVnZ5cBx
> rq0N8l9wy0/dq/7kCyI3kAGFlJ3VYz7aM5+TTPFGfO7Yq3ohUNu2EE4vv/t5KVjD
> H4reh8UaA5QuRbdh3evCM9Vdt2syqi8JQwB5D2CJqrgAuFPwEVle8MLKSXWWb/+V
> KUy+mRAb1tN3jbWIev0TZ7Hm3x61yO60/WFzsQzkmkd+qWvC5btkWDg05K5DHC+Q
> yvFU3Y5u7J/ub00ZO4e9wjNDG5+ItQUK4xp8y5s65qx27P/eK9VLi8dvnHVMk04> =HUbY
> -----END PGP SIGNATURE-----

Xen.org security team

2013-Jul-24 14:00 UTC

head link

Xen Security Advisory 60 (CVE-2013-2212) - Excessive time to disable caching with HVM guests with PCI passthrough

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

             Xen Security Advisory CVE-2013-2212 / XSA-60
                             version 5

   Excessive time to disable caching with HVM guests with PCI passthrough

UPDATES IN VERSION 5
===================
Corrected credit.

ISSUE DESCRIPTION
================
HVM guests are able to manipulate their physical address space such that
processing a subsequent request by that guest to disable caches takes an
extended amount of time changing the cachability of the memory pages assigned
to this guest. This applies only when the guest has been granted access to
some memory mapped I/O region (typically by way of assigning a passthrough
PCI device).

This can cause the CPU which processes the request to become unavailable,
possibly causing the hypervisor or a guest kernel (including the domain 0 one)
to halt itself ("panic").

For reference, as long as no patch implementing an approved alternative
solution is available (there''s only a draft violating certain
requirements
set by Intel''s documentation), the problematic code is the function
vmx_set_uc_mode() (in that it calls ept_change_entry_emt_with_range() with
the full guest GFN range, which the guest has control over, but which also
would be a problem with sufficiently large but not malicious guests).

IMPACT
=====
A malicious domain, given access to a device with memory mapped I/O
regions, can cause the host to become unresponsive for a period of
time, potentially leading to a DoS affecting the whole system.

VULNERABLE SYSTEMS
=================
Xen version 3.3 onwards is vulnerable.

Only systems using the Intel variant of Hardware Assisted Paging (aka EPT) are
vulnerable.

MITIGATION
=========
This issue can be avoided by not assigning PCI devices to untrusted guests, or
by running HVM guests with shadow mode paging (through adding "hap=0"
to the
domain configuration file).

CREDITS
======
Zhenzhong Duan found the issue as a bug, which on examination by the
Xenproject.org Security Team turned out to be a security problem.

RESOLUTION
=========
There is currently no resolution to this issue.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJR7932AAoJEIP+FMlX6CvZ8pUIAJFFqtelnwQ58gEM3XYmbBdo
FXF9xPiykqCbRzSfbVohmSj3vmORUsI22m8kk1fsJmSayJr9P8nJaYLqdr4/tcMf
gqDLqBFWiOf+O48ULFaPf7eDBnVUzYQXBAcEEkfInjenvYgclTmdMQUbFGCtr+/O
6BI8Y0NU6K5Nawu7n3VZK7j6D7VniwyNnIfgApK+k2PLdb9r9m4GQdQVulYOSw8h
8H49C3D6c1L6m63he6c3NiyjfLZbFZbcqZuJPMMM5IR/J025Om6Kxyxcmx4wCCog
nnyOPjCalPe9zOdsQlOEbrvH/UV/4U1EzkiWR2hRLbOS9bFJ2YweQxhvn7k/TVk=rRXP
-----END PGP SIGNATURE-----

_______________________________________________
Xen-users mailing list
Xen-users@lists.xen.org
http://lists.xen.org/xen-users

Xen users - Jul 2013 - Xen Security Advisory 60 (CVE-2013-2212) - Excessive time to disable caching with HVM guests with PCI passthrough

Xen Security Advisory 60 (CVE-2013-2212) - Excessive time to disable caching with HVM guests with PCI passthrough

Re: Xen Security Advisory 60 (CVE-2013-2212) - Excessive time to disable caching with HVM guests with PCI passthrough

Xen Security Advisory 60 (CVE-2013-2212) - Excessive time to disable caching with HVM guests with PCI passthrough