Bug 1272519 (CVE-2015-7969, xsa149, xsa151)

Summary: CVE-2015-7969 xen: leak of main per-domain vcpu pointer array
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: ailan, drjones, imammedo, knoel, mrezanin, pbonzini, rkrcmar, security-response-team, vkuznets, xen-maint
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-03-07 10:00:16 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1276344    
Bug Blocks: 1272534    
Attachments:
Description Flags
Upstream patch none

Description Adam Mariš 2015-10-16 15:46:08 UTC 
A domain's primary array of vcpu pointers can be allocated by a toolstack exactly once in the lifetime of a domain via the XEN_DOMCTL_max_vcpus hypercall. This array is leaked on domain teardown. This memory leak could over time exhaust the host's memory.

A domain given partial management control via XEN_DOMCTL_max_vcpus can mount a denial of service attack affecting the whole system. The ability to also restart or create suitable domains is also required to fully exploit the issue. Without this the leak is limited to a small multiple of the maximum number of vcpus for the domain. The maximum leak is 64kbytes per domain (re)boot (less on ARM).

This issue is only relevant to systems which intend to increase security through the use of advanced disaggregated management techniques. This does not include systems using libxl, libvirt, or OpenStack (unless substantially modified or supplemented, as compared to versions supplied by the respective upstreams). Versions of Xen from 4.0 onwards are vulnerable. All architectures are affected.

Mitigation:

The leak is small. Preventing the creation of large numbers of new domains, and limiting the number of times an existing domain can be rebooted, can reduce the impact of this vulnerability. Switching from disaggregated to a non-disaggregated operation does NOT mitigate the XEN_DOMCTL_max_vcpus vulnerability. Rather, it simply recategorises the vulnerability to hostile management code, regarding it "as designed"; thus it merely reclassifies these issues as "not a bug". Users and vendors of disaggregated systems should not change their configuration.
Comment 1 Adam Mariš 2015-10-16 15:47:03 UTC 
Created attachment 1083748 [details]
Upstream patch
Comment 2 Martin Prpič 2015-10-29 13:35:43 UTC 
External References:

http://xenbits.xen.org/xsa/advisory-149.html
http://xenbits.xen.org/xsa/advisory-151.html
Comment 3 Martin Prpič 2015-10-29 13:46:47 UTC 
*** Bug 1272522 has been marked as a duplicate of this bug. ***
Comment 4 Martin Prpič 2015-10-29 13:48:12 UTC 
This CVE also covers the same issue in XSA 151:

ISSUE DESCRIPTION
=================

A domain's xenoprofile state contains an array of per-vcpu
information, which is allocated once in the lifetime of a domain in
response to that domain using the XENOPROF_get_buffer hypercall on
itself or by a domain with the privilege to profile a target domain
using the XENOPROF_set_passive hypercall.

This array is leaked on domain teardown.  This memory leak could --
over time -- exhaust the host's memory.

IMPACT
======

The following parties can mount a denial of service attack affecting
the whole system:

  - A malicious guest administrator via XENOPROF_get_buffer.
  - A domain given suitable privilege over another domain
    via XENOPROF_set_passive (this would usually be a domain being
    used to profile another domain, eg with the xenoprof tool).

The ability to also restart or create suitable domains is also
required to fully exploit the issue.  Without this the leak is limited
to a small multiple of the maximum number of vcpus for the domain.

The maximum leak is 128kbytes per domain (re)boot.

VULNERABLE SYSTEMS
==================

Versions of Xen from 4.0 onwards are vulnerable.

The XENOPROF hypercalls are only implemented on x86.  ARM is therefore
not vulnerable.

MITIGATION
==========

On systems where the guest kernel is controlled by the host rather
than guest administrator, running only kernels (in the target and
profiling domain respectively) which do not call these hypercalls will
also prevent untrusted guest users from exploiting this issue. However
untrusted guest administrators can still trigger it unless further
steps are taken to prevent them from loading code into the kernel
(e.g. by disabling loadable modules etc) or from using other
mechanisms which allow them to run code at kernel privilege.

The leak is small.  Preventing the creation of large numbers of new
domains, and limiting the number of times an existing domain can be
rebooted, can reduce the impact of this vulnerability.

NOTE REGARDING CVE
==================

Note that CVE-2015-7969 covers both this issue and XSA-149.
Comment 5 Martin Prpič 2015-10-29 13:51:02 UTC 
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1276344]
Comment 6 Fedora Update System 2015-11-08 22:20:38 UTC 
xen-4.5.1-14.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2015-11-10 00:21:53 UTC 
xen-4.5.1-14.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2015-11-10 00:50:02 UTC 
xen-4.4.3-7.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.