Bug 1203732 (CVE-2015-2752, xsa125) - CVE-2015-2752 xen: long latency MMIO mapping operations are not preemptible (xsa125)
Summary: CVE-2015-2752 xen: long latency MMIO mapping operations are not preemptible (...
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2015-2752, xsa125
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1207741
Blocks: 1203734
TreeView+ depends on / blocked
 
Reported: 2015-03-19 14:49 UTC by Vasyl Kaigorodov
Modified: 2023-05-12 21:04 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-03-31 15:27:42 UTC
Embargoed:


Attachments (Terms of Use)
xsa125.patch (5.42 KB, text/plain)
2015-03-19 14:54 UTC, Vasyl Kaigorodov
no flags Details
xsa125-4.x.patch (5.44 KB, text/plain)
2015-03-19 14:54 UTC, Vasyl Kaigorodov
no flags Details
xsa125-4.2.patch (5.15 KB, text/plain)
2015-03-31 16:28 UTC, Vasyl Kaigorodov
no flags Details
xsa125-4.3.patch (5.13 KB, text/plain)
2015-03-31 16:28 UTC, Vasyl Kaigorodov
no flags Details
xsa125-4.4.patch (5.44 KB, text/plain)
2015-03-31 16:28 UTC, Vasyl Kaigorodov
no flags Details
xsa125.patch (5.42 KB, text/plain)
2015-03-31 16:28 UTC, Vasyl Kaigorodov
no flags Details

Description Vasyl Kaigorodov 2015-03-19 14:49:19 UTC
ISSUE DESCRIPTION
=================

The XEN_DOMCTL_memory_mapping hypercall allows long running operations
without implementing preemption.

This hypercall is used by the device model as part of the emulation
associated with configuration of PCI devices passed through to HVM
guests and is therefore indirectly exposed to those guests.

This can cause a physical CPU to become busy for a significant period,
leading to a host denial of service in some cases.

If a host denial of service is not triggered then it may instead be
possible to deny service to the domain running the device model,
e.g. domain 0.

This hypercall is also exposed more generally to all
toolstacks. However the uses of it in libxl based toolstacks are not
believed to open up any avenue of attack from an untrusted
guest. Other toolstacks may be vulnerable however.

IMPACT
======

The vulnerability is exposed via HVM guests which have a PCI device
assigned to them. A malicious HVM guest in such a configuration can
mount a denial of service attack affecting the whole system via its
associated device model (qemu-dm).

A guest is able to trigger this hypercall via operations which it is
legitimately expected to perform, therefore running the device model
as a stub domain does not offer protection against the host denial of
service issue. However it does offer some protection against secondary
issues such as denial of service against dom0.

VULNERABLE SYSTEMS
==================

The issue is exposed via x86 HVM VMs which have been assigned a PCI
device.

x86 PV domains, x86 HVM domains without passthrough devices and ARM
domains do not expose this vulnerability.

Xen 3.2.x and later are vulnerable.
Xen 3.1.x and earlier have not been inspected.

MITIGATION
==========

Running only PV guests will avoid this issue.

This issue can be avoided by not assigning devices with large MMIO
regions to untrusted HVM guests.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

Comment 1 Vasyl Kaigorodov 2015-03-19 14:54:26 UTC
Created attachment 1003859 [details]
xsa125.patch

Comment 2 Vasyl Kaigorodov 2015-03-19 14:54:57 UTC
Created attachment 1003861 [details]
xsa125-4.x.patch

Comment 3 Petr Matousek 2015-03-31 15:19:42 UTC
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1207741]

Comment 4 Petr Matousek 2015-03-31 15:20:10 UTC
References:

http://www.openwall.com/lists/oss-security/2015/03/31/5

Comment 5 Petr Matousek 2015-03-31 15:22:22 UTC
Acknowledgements:

Red Hat would like to thank the Xen for reporting this issue.

Comment 6 Petr Matousek 2015-03-31 15:27:42 UTC
Statement:

This issue dos affect the kernel-xen packages as shipped with Red Hat Enterprise Linux 5.

Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

Comment 7 Vasyl Kaigorodov 2015-03-31 16:28:41 UTC
Created attachment 1009170 [details]
xsa125-4.2.patch

Comment 8 Vasyl Kaigorodov 2015-03-31 16:28:44 UTC
Created attachment 1009171 [details]
xsa125-4.3.patch

Comment 9 Vasyl Kaigorodov 2015-03-31 16:28:47 UTC
Created attachment 1009172 [details]
xsa125-4.4.patch

Comment 10 Vasyl Kaigorodov 2015-03-31 16:28:51 UTC
Created attachment 1009173 [details]
xsa125.patch

Comment 11 Vasyl Kaigorodov 2015-03-31 16:29:13 UTC
The supplied xsa125-4.x.patch did not apply cleanly to Xen 4.3.x or
4.2.x possibly resulting in a source tree which did not build.

Separate patches are now supplied for 4.3.x and 4.2.x.


Note You need to log in before you can comment on or make changes to this bug.