ISSUE DESCRIPTION
=================

x86 HVM guests running with shadow paging use a subset of the x86 emulator to handle the guest writing to its own pagetables. There are situations a guest can provoke which result in exceeding the space allocated for internal state.

IMPACT
======

A malicious HVM guest administrator can cause Xen to fail a bug check, causing a denial of service to the host.

VULNERABLE SYSTEMS
==================

All versions of Xen are vulnerable.

The vulnerability is only exposed to HVM guests on x86 hardware which are configured to run with shadow paging.

The vulnerability is not exposed to x86 PV guests, x86 HVM guests running with hardware assisted paging, or ARM guests.

x86 HVM guests run in HAP mode by default on modern CPUs.

To discover whether your HVM guests are using HAP or shadow page tables, request debug key `q' (from the Xen console, or with `xl debug-keys q'). This will print (to the console, and visible in `xl dmesg') debug information for every domain, containing something like this:

  (XEN) General information for domain 2:
  (XEN)     refcnt=1 dying=2 pause_count=2
  (XEN)     nr_pages=2 xenheap_pages=0 shared_pages=0 paged_pages=0 dirty_cpus={} max_pages=262400
  (XEN)     handle=ef58ef1a-784d-4e59-8079-42bdee87f219 vm_assist=00000000
  (XEN)     paging assistance: hap refcounts translate external
                               ^^^

The presence of `hap' here indicates that the host is not vulnerable to this domain. For an HVM domain the presence of `shadow' indicates that the domain can exploit the vulnerability.

MITIGATION
==========

Running only PV guests will avoid this vulnerability.

On hardware which supports Hardware Assisted Paging, configuring the guests to not run with shadow paging will avoid this vulnerability.

RESOLUTION
==========

Applying the first patch will resolve this issue.

The second patch provides additional assurance that the vulnerability is truly eliminated and that there are no related problems.
If hotpatching, applying only the first patch is recommended, since the second patch is awkward for hotpatching. If deploying new builds, applying both patches is recommended.

Xen version     First patch                 Second patch
xen-unstable:   xsa187-0001-*.patch         xsa187-0002-*.patch
Xen 4.7.x:      xsa187-4.7-0001-*.patch     xsa187-4.7-0002-*.patch
Xen 4.6.x:      xsa187-4.7-0001-*.patch     xsa187-4.6-0002-*.patch
Xen 4.5.x:      xsa187-4.7-0001-*.patch     xsa187-4.6-0002-*.patch
Xen 4.4.x:      xsa187-4.7-0001-*.patch     xsa187-4.4-0002-*.patch

$ sha256sum xsa187*
c0c506c1a7c8113a8148a6e32c85ba16b924cbc277a74fec0c0609740e236b51  xsa187-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg_reg.patch
be130a1ed3be2be9bff47ba2037716a0845c253d859bf7fef4e5099b44b24e03  xsa187-0002-x86-segment-Bounds-check-accesses-to-emulation-ctxt-.patch
424d5aafb5353ba526b3afa9337470bef60b3c4a207432da540d760b1060b7c0  xsa187-4.4-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch
66293fc729f881195d8cc54c90e909cd344f0f396227f84091dd324b266c28e1  xsa187-4.6-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch
f7c7a34de629e1a994701ab1a75f5d6b13b20d5c487855d4db19c8fc83cd46ac  xsa187-4.7-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch
3c968ad9806af8bd94579afebe48cbad60b8fc94826d8c6c2b65bfde56d79e3c  xsa187-4.7-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch
$
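The HAP-versus-shadow check from VULNERABLE SYSTEMS, automated as an added example; this is not part of the Xen advisory, of the xsa187 patches, or of the Fedora packages. It parses `xl dmesg` output in the format the advisory quotes and reports every HVM domain whose paging flags include `shadow`. The sample input is constructed (domain ids, counters and the extra PV domain are made up), and the script assumes, as a check you should confirm against your own Xen version, that HVM domains carry the `external` flag on that line while a PV domain in log-dirty mode does not. The helper names `shadow_domains` and `report_xsa187_exposure` are this example's own.

```shell
#!/bin/sh
# Added example, not from the XSA-187 advisory: find the HVM domains that are
# running with shadow paging, i.e. the domains that can trigger this bug.
# Input is the text of `xl dmesg` taken after `xl debug-keys q`.

# Constructed sample in the format the advisory quotes. Domain 2 runs with
# HAP (not exposed), domain 5 with shadow paging (exposed), and domain 7 is a
# PV guest in log-dirty mode, which also prints "shadow" but is not an HVM
# domain. The ids and counters are made up for the example.
SAMPLE_DMESG='(XEN) General information for domain 2:
(XEN)     refcnt=1 dying=0 pause_count=0
(XEN)     paging assistance: hap refcounts translate external
(XEN) General information for domain 5:
(XEN)     refcnt=1 dying=0 pause_count=0
(XEN)     paging assistance: shadow refcounts log_dirty translate external
(XEN) General information for domain 7:
(XEN)     refcnt=1 dying=0 pause_count=0
(XEN)     paging assistance: shadow log_dirty'

# Print one domain id per line for every domain whose paging flags contain
# both "shadow" and "external". Assumption (verify on your host): HVM
# domains show "translate external" here, PV domains never show "external",
# so the pair picks out exactly the HVM shadow-paging domains the advisory
# describes. Tokens are compared whole so "shadow" cannot match a substring.
shadow_domains() {
    awk '
        /General information for domain/ {
            dom = $NF; sub(/:$/, "", dom)
        }
        /paging assistance:/ {
            shadow = 0; external = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "shadow")   shadow = 1
                if ($i == "external") external = 1
            }
            if (shadow && external) print dom
        }
    '
}

# Human-readable summary. Returns 1 when at least one exposed domain exists,
# so the check can gate a hotpatch or a migration step; 0 otherwise.
report_xsa187_exposure() {
    exposed=$(shadow_domains)
    if [ -n "$exposed" ]; then
        printf 'HVM domains running with shadow paging (exposed to XSA-187): %s\n' \
            "$(printf '%s' "$exposed" | tr '\n' ' ')"
        return 1
    fi
    printf 'no HVM shadow-paging domains found; no guest can trigger XSA-187\n'
    return 0
}

# On a real host (as root in dom0), the assumed invocation would be:
#   xl debug-keys q && xl dmesg | report_xsa187_exposure
# Stand-alone run against the constructed sample:
printf '%s\n' "$SAMPLE_DMESG" | report_xsa187_exposure || :
```

The parser keys on the `General information for domain N:` header to remember which domain the following `paging assistance:` line belongs to, because the flag line itself does not name the domain. Because `xl dmesg` is a ring buffer, run `xl debug-keys q` immediately before reading it, otherwise the domain dump may already have been overwritten by later console output.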
Created attachment 1194181: xsa187 patchset
Xen Security Advisory CVE-2016-7094 / XSA-187
version 2

UPDATES IN VERSION 2
====================

CVE assigned.
External References: https://xenbits.xen.org/xsa/advisory-187.html
Created xen tracking bugs for this issue: Affects: fedora-all [bug 1374473]
Acknowledgements: Name: the Xen project Upstream: Andrew Cooper (Citrix)
xen-4.6.3-5.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
xen-4.7.0-5.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.