ISSUE DESCRIPTION ================= VMIDs are a finite hardware resource, and allocated as part of domain creation. If no free VMIDs are available when trying to create a new domain, a bug in the error path causes a NULL pointer to be used, resulting in a Data Abort and host crash. IMPACT ====== Attempting to create too many concurrent domains causes a host crash rather than a graceful error. A malicious device driver domain can hold references to domains, preventing its VMID being released. VULNERABLE SYSTEMS ================== Xen versions 4.4 and later are affected. Older Xen versions are unaffected. x86 systems are not affected. Only arm systems with less-privileged device driver domains can expose this vulnerability. MITIGATION ========== There is no mitigation. Not using driver domains reclassifies the problem, but does not fix it. NOTE REGARDING LACK OF EMBARGO ============================== The crash was discussed publicly on xen-devel, before it was appreciated that there was a security problem. CREDITS ======= This issue was discovered by Aaron Cornelius of DornerWorks. External References: http://xenbits.xen.org/xsa/advisory-181.html Acknowledgements: Name: the Xen project Upstream: Aaron Cornelius (DornerWorks)
Created xen tracking bugs for this issue: Affects: fedora-all [bug 1342530]
xen-4.5.3-8.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
xen-4.6.1-11.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.