Bug 1272529 (CVE-2015-7970, xsa150) - CVE-2015-7970 xen: Long latency populate-on-demand operation is not preemptible on x86
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2015-7970, xsa150
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1276344
Blocks: 1272534
Reported: 2015-10-16 16:07 UTC by Adam Mariš
Modified: 2019-09-29 13:38 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-03-07 10:05:53 UTC



Description Adam Mariš 2015-10-16 16:07:21 UTC
When running an HVM domain in Populate-on-Demand mode, Xen would sometimes search the domain for memory to reclaim, in response to demands for population of other pages in the same domain. This search runs without preemption. The guest can, by suitable arrangement of its memory contents, create a situation where this search is a time-consuming linear scan of the guest's address space. The scan might be triggered by the guest's own actions, or by toolstack operations such as migration.

A malicious administrator of a suitable guest can cause a denial of service. Specifically, such a guest can prevent use of a physical CPU for a significant period. If the host watchdog is in use, this can lead to a watchdog timeout and consequently a host reboot (for example).

The vulnerability is exposed to any HVM guest which has been constructed in Populate-on-Demand mode (i.e., with memory < maxmem). Such a configuration is usual when the host administrator intends to oversubscribe system RAM. ARM is not vulnerable. x86 PV VMs are not vulnerable. x86 HVM domains without PoD (i.e., started with memory==maxmem) are not vulnerable.

Mitigation:

Running only PV guests will avoid this issue. Running HVM guests without enabling Populate-on-Demand mode (so, ensuring that maxmem==memory) will avoid this issue.
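
The exposure condition and mitigation described above reduce to a check on each guest's configuration. The following is an added example, not part of the original bug report or of Xen: it classifies xl-style domain configs, assuming the guest type is set with `type` or `builder` and that `memory` and `maxmem` are plain one-line assignments. The function names and sample configs are constructed for illustration.

```python
import re

# Matches simple one-line `key = value` assignments in an xl domain config.
_ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$')

def parse_xl_cfg(text):
    """Return the scalar settings of an xl-style config as a dict of strings."""
    settings = {}
    for line in text.splitlines():
        line = line.split('#', 1)[0]  # drop comments (simplification: no '#' in values)
        m = _ASSIGN.match(line)
        if m:
            settings[m.group(1)] = m.group(2).strip('"\'')
    return settings

def pod_status(text):
    """Classify a guest config: 'pod', 'no-pod', 'not-hvm' or 'unknown'."""
    cfg = parse_xl_cfg(text)
    # Assumption: a config that names no guest type is treated as PV.
    guest_type = (cfg.get('type') or cfg.get('builder') or 'pv').lower()
    if guest_type != 'hvm':
        return 'not-hvm'          # the report covers HVM guests only
    try:
        memory = int(cfg['memory'])
        # Assumption: an absent maxmem means maxmem == memory.
        maxmem = int(cfg.get('maxmem', memory))
    except (KeyError, ValueError):
        return 'unknown'          # missing or non-integer memory settings
    return 'pod' if memory < maxmem else 'no-pod'

# Constructed sample configs (not taken from any real host).
SAMPLES = {
    'hvm-oversubscribed': 'builder = "hvm"\nmemory = 2048  # MiB\nmaxmem = 8192\n',
    'hvm-fixed': 'type = "hvm"\nmemory = 4096\nmaxmem = 4096\n',
    'hvm-no-maxmem': "builder = 'hvm'\nmemory = 1024\n",
    'pv-ballooned': 'memory = 512\nmaxmem = 2048\n',
    'hvm-broken': 'builder = "hvm"\nmaxmem = 2048\n',
}

if __name__ == '__main__':
    for name, text in SAMPLES.items():
        print(f'{name}: {pod_status(text)}')
```

Guests reported as `pod` are the ones the mitigation applies to; `unknown` results need manual review rather than being assumed safe.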

Comment 3 Martin Prpič 2015-10-29 13:36:22 UTC
External References:

http://xenbits.xen.org/xsa/advisory-150.html

Comment 4 Martin Prpič 2015-10-29 13:51:08 UTC
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1276344]

Comment 5 Fedora Update System 2015-11-08 22:20:45 UTC
xen-4.5.1-14.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2015-11-10 00:21:59 UTC
xen-4.5.1-14.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2015-11-10 00:50:06 UTC
xen-4.4.3-7.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.

