Bug 1272529 (CVE-2015-7970, xsa150)

Summary: CVE-2015-7970 xen: Long latency populate-on-demand operation is not preemptible on x86
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: ailan, drjones, imammedo, knoel, mrezanin, pbonzini, rkrcmar, security-response-team, vkuznets, xen-maint
Hardware: All
OS: Linux
Keywords: Security
Doc Type: Bug Fix
Last Closed: 2018-03-07 10:05:53 UTC
Bug Depends On: 1276344
Bug Blocks: 1272534

Description Adam Mariš 2015-10-16 16:07:21 UTC
When running an HVM domain in Populate-on-Demand mode, Xen would sometimes search the domain for memory to reclaim, in response to demands for population of other pages in the same domain. This search runs without preemption. The guest can, by suitable arrangement of its memory contents, create a situation where this search is a time-consuming linear scan of the guest's address space. The scan might be triggered by the guest's own actions, or by toolstack operations such as migration.

A malicious administrator of a suitable guest can cause a denial of service. Specifically, such a guest can prevent use of a physical CPU for a significant period. If the host watchdog is in use, this can lead to a watchdog timeout and consequently a host reboot (for example).

The vulnerability is exposed to any HVM guest which has been constructed in Populate-on-Demand mode (ie, with memory < maxmem). Such a configuration is usual when the host administrator intends to oversubscribe system RAM. ARM is not vulnerable. x86 PV VMs are not vulnerable. x86 HVM domains without PoD (ie started with memory==maxmem) are not vulnerable.

Mitigation:

Running only PV guests will avoid this issue. Running HVM guests without enabling Populate-on-Demand mode (so, ensuring that maxmem==memory) will avoid this issue.
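The exposure rule stated in the advisory (HVM guest built with memory < maxmem) and its mitigation (ensure maxmem == memory) can be applied mechanically to a host's xl domain configuration files. The following script is an added example; it is not part of this bug report and not Xen code. It assumes the plain key = value syntax of xl.cfg(5) with the real keys builder (pre-Xen-4.10), type, memory and maxmem, and the three sample configs embedded in it are constructed for illustration.

```python
"""Flag xl domain configs that put an HVM guest into Populate-on-Demand mode.

Added example, not part of this Bugzilla entry and not Xen code. It reads
the key = value syntax of xl.cfg(5) files and applies the advisory's rule:
an HVM guest is built in PoD mode when memory < maxmem; PV guests, and HVM
guests with memory == maxmem, are not affected.
"""
import re

_KV = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$')


def _strip_comment(raw):
    """Drop a trailing '# ...' unless the '#' sits inside a quoted string."""
    quote = None
    for i, ch in enumerate(raw):
        if quote:
            if ch == quote:
                quote = None
        elif ch in '"\'':
            quote = ch
        elif ch == '#':
            return raw[:i]
    return raw


def _parse_value(raw):
    """Unquote strings and convert bare integers; leave anything else raw."""
    raw = _strip_comment(raw).strip()
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in '"\'':
        return raw[1:-1]
    if re.fullmatch(r'-?\d+', raw):
        return int(raw)
    return raw


def parse_xl_cfg(text):
    """Return the top-level scalar settings of an xl.cfg document as a dict."""
    cfg = {}
    for line in text.splitlines():
        m = _KV.match(line)
        if m:
            key, raw = m.groups()
            cfg[key] = _parse_value(raw)
    return cfg


def uses_pod(cfg):
    """True when the parsed config describes an HVM guest with memory < maxmem.

    'builder' is the pre-Xen-4.10 key, 'type' the current one; with neither
    present xl builds a PV guest. maxmem defaults to memory when omitted.
    """
    dom_type = cfg.get('type', cfg.get('builder', 'pv'))
    if str(dom_type).lower() != 'hvm':
        return False
    memory = cfg.get('memory')
    if not isinstance(memory, int):
        return False          # xl needs memory to build the domain
    maxmem = cfg.get('maxmem', memory)
    return isinstance(maxmem, int) and maxmem > memory


def pin_maxmem(text):
    """Rewrite a config so maxmem == memory, disabling PoD (the advisory's mitigation).

    Replaces an existing maxmem line in place and keeps any trailing comment;
    a config with no maxmem line already has maxmem == memory and is returned unchanged.
    """
    memory = parse_xl_cfg(text).get('memory')
    if not isinstance(memory, int):
        return text
    return re.sub(r'(?m)^(\s*maxmem\s*=\s*)\S+', r'\g<1>%d' % memory, text)


# Constructed sample configs (not taken from any real host).
SAMPLE_CONFIGS = {
    'pod-guest': 'name = "pod-guest"\nbuilder = "hvm"\nmemory = 512\n'
                 'maxmem = 2048 # oversubscribed\nvcpus = 2\n',
    'hvm-fixed': 'name = "hvm-fixed"\ntype = "hvm"\nmemory = 1024\nmaxmem = 1024\n',
    'pv-balloon': 'name = "pv-balloon"\nmemory = 512\nmaxmem = 4096\n'
                  'kernel = "/boot/vmlinuz" # no builder/type key: PV guest\n',
}


def audit(configs):
    """Return the names of the configs that run an HVM guest in PoD mode."""
    return sorted(name for name, text in configs.items()
                  if uses_pod(parse_xl_cfg(text)))


if __name__ == '__main__':
    for name in audit(SAMPLE_CONFIGS):
        print('%s: HVM with memory < maxmem (PoD): exposed to XSA-150' % name)
```

To audit a host, feed the contents of each file under /etc/xen into audit() instead of SAMPLE_CONFIGS. The check is static: it finds configs that would be built in PoD mode, and pin_maxmem() shows the corrected form, but it says nothing about domains already running, which must be restarted with maxmem == memory for the mitigation to take effect.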

Comment 3 Martin Prpič 2015-10-29 13:36:22 UTC
External References:

http://xenbits.xen.org/xsa/advisory-150.html

Comment 4 Martin Prpič 2015-10-29 13:51:08 UTC
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1276344]

Comment 5 Fedora Update System 2015-11-08 22:20:45 UTC
xen-4.5.1-14.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2015-11-10 00:21:59 UTC
xen-4.5.1-14.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2015-11-10 00:50:06 UTC
xen-4.4.3-7.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.