Bug 843582 (CVE-2012-3433)

Summary: CVE-2012-3433 kernel: xen: HVM guest destroy p2m teardown host DoS vulnerability
Product: [Other] Security Response
Reporter: Petr Matousek <pmatouse>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: agordeev, anton, dhoward, drjones, imammedo, lersek, lwang, pbonzini, plougher, security-response-team, sforsber, tburke, xen-maint
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=important,public=20120809,reported=20120726,source=upstream,cvss2=5.5/AV:A/AC:L/Au:S/C:N/I:N/A:C,rhel-5/kernel=notaffected,rhel-6/kernel=notaffected,mrg-2/realtime-kernel=notaffected,rhel-5/kernel-xen=notaffected
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-07-27 04:29:14 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On:
Bug Blocks: 843584

Description Petr Matousek 2012-07-26 13:01:28 EDT
Description of the problem:

An HVM guest is able to manipulate its physical address space such
that tearing down the guest takes an extended amount of time
searching for shared pages.

This causes the domain 0 VCPU which tears down the domain to be
blocked in the destroy hypercall. This causes that domain 0 VCPU to
become unavailable and may cause the domain 0 kernel to panic.

There is no requirement for memory sharing to be in use.

A privileged user in HVM guest can cause the host to become
unresponsive for a period of time, potentially leading to a DoS. PV
guests are not affected.

This vulnerability affects only Xen 4.0 and 4.1. Xen 3.4 and earlier
and xen-unstable are not vulnerable.

Acknowledgements:

Red Hat would like to thank the Xen project for reporting this issue.

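The report above scopes the issue to hypervisor versions (Xen 4.0 and 4.1 affected; 3.4 and earlier and xen-unstable not). As an added example, not part of this bug report or of any Xen or Red Hat tooling, here is a small POSIX shell check that classifies a host from the `xen_major`/`xen_minor` fields printed by `xl info` (Xen 4.1+) or `xm info` (Xen 4.0). The field names are taken from those tools' output; the sample `xl info` text is constructed for the example, and the exit-code convention is this example's own.

```shell
#!/bin/sh
# Added example (not from the bug page or the Xen project): classify a host's
# Xen version against the range the report names as affected by CVE-2012-3433
# (Xen 4.0 and 4.1; Xen 3.4 and earlier and xen-unstable are not affected).
# It parses the "xen_major" / "xen_minor" lines that `xl info` and `xm info`
# print; those field names are assumed from that tool output.

# Constructed sample of `xl info` output from a Xen 4.1 host (not captured).
SAMPLE_XL_INFO='host                   : xen41-host
release                : 2.6.32.59-0.7-xen
xen_major              : 4
xen_minor              : 1
xen_extra              : .2
xen_caps               : xen-3.0-x86_64 hvm-3.0-x86_64
'

# xsa11_affected: read `xl info`-style text on stdin and print a verdict.
# Exit status (example's own convention): 0 = affected (Xen 4.0 / 4.1),
# 1 = not affected, 2 = the version fields could not be parsed.
xsa11_affected() {
    info=$(cat)
    # Take the value after the first ':' on the matching line, strip blanks.
    major=$(printf '%s\n' "$info" | awk -F: '$1 ~ /^xen_major/ { gsub(/[ \t]/, "", $2); print $2; exit }')
    minor=$(printf '%s\n' "$info" | awk -F: '$1 ~ /^xen_minor/ { gsub(/[ \t]/, "", $2); print $2; exit }')
    case "$major:$minor" in
        4:0|4:1)
            echo "affected (Xen $major.$minor)"
            return 0 ;;
        [0-9]*:[0-9]*)
            echo "not-affected (Xen $major.$minor)"
            return 1 ;;
        *)
            echo "unparsable: no xen_major/xen_minor fields found" >&2
            return 2 ;;
    esac
}

# Demonstration on the constructed sample. On a real host run:
#   xl info | xsa11_affected      (or: xm info | xsa11_affected on Xen 4.0)
printf '%s' "$SAMPLE_XL_INFO" | xsa11_affected
```

The version check is only half the picture: the report also says the issue needs an HVM guest (PV guests cannot trigger it) and does not require memory sharing to be enabled, so a 4.0/4.1 host that runs HVM domains is in scope regardless of its memory-sharing configuration.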
Comment 2 Paolo Bonzini 2012-07-27 04:15:20 EDT
Petr, this doesn't seem to affect RHEL.  None of the patched code is part of RHEL (we never really backported anything in this area after 5.3/5.4, and those corresponded roughly to Xen 3.2 -> 3.4).
Comment 3 Petr Matousek 2012-07-27 05:28:02 EDT
(In reply to comment #2)
> Petr, this doesn't seem to affect RHEL.  None of the patched code is part of
> RHEL (we never really backported anything in this area after 5.3/5.4, and
> those corresponded roughly to Xen 3.2 -> 3.4).

You are right, thank you for having a look.
Comment 4 Petr Matousek 2012-07-27 05:36:47 EDT
Statement:

Not vulnerable.

The versions of the Linux kernel as shipped with Red Hat Enterprise Linux 5, 6,
and Red Hat Enterprise MRG are not affected. 

The versions of the kernel-xen packages as shipped with Red Hat Enterprise Linux 5 are not affected because we did not provide support for memory sharing functionality.