Bug 1528602 (CVE-2018-5244, xsa253)

Summary: CVE-2018-5244 xen: memory leak with MSR emulation (XSA-253)
Product: [Other] Security Response
Reporter: Andrej Nemec <anemec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: ailan, drjones, imammedo, jforbes, knoel, m.a.young, mrezanin, pbonzini, rkrcmar, robinlee.sysu, security-response-team, vkuznets, xen-maint
Target Milestone: ---
Target Release: ---
Keywords: Security
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Last Closed: 2019-06-08 03:34:55 UTC
Bug Depends On: 1531110

Description Andrej Nemec 2017-12-22 10:57:47 UTC
ISSUE DESCRIPTION
=================

In Xen 4.10, new infrastructure was introduced as part of an overhaul to
how MSR emulation happens for guests.  Unfortunately, one tracking
structure isn't freed when a vcpu is destroyed.

IMPACT
======

A memory allocation of 8 bytes is leaked each time a vcpu is destroyed.

A malicious guest may, by frequently rebooting over extended periods of
time, run the system out of memory, resulting in a Denial of Service
(DoS).

VULNERABLE SYSTEMS
==================

Xen versions 4.10 and later are affected.  Xen 4.9 and earlier are not
affected.

Only x86 systems are affected.  ARM systems are not.

All guest kinds can exploit this vulnerability.

MITIGATION
==========

Limiting the frequency with which a guest is able to reboot will
limit the memory leak.

Rebooting each host (after migrating its guests) periodically will
reclaim the leaked space.

Comment 2 Andrej Nemec 2018-01-04 15:32:40 UTC
Public via:

http://seclists.org/oss-sec/2018/q1/4

Comment 3 Andrej Nemec 2018-01-04 15:33:09 UTC
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1531110]

Comment 4 Adam Mariš 2018-01-08 11:01:11 UTC
Acknowledgments:

Name: the Xen project
Upstream: Andrew Cooper (Citrix)