When running an HVM domain in Populate-on-Demand mode, Xen would sometimes search the domain for memory to reclaim, in response to demands for population of other pages in the same domain. This search runs without preemption. The guest can, by suitable arrangement of its memory contents, create a situation where this search is a time-consuming linear scan of the guest's address space. The scan might be triggered by the guest's own actions, or by toolstack operations such as migration.
A malicious administrator of a suitable guest can cause a denial of service. Specifically, such a guest can prevent use of a physical CPU for a significant period. If the host watchdog is in use, this can lead to a watchdog timeout and consequently a host reboot (for example).
The vulnerability is exposed to any HVM guest which has been constructed in Populate-on-Demand mode (i.e. with memory < maxmem). Such a configuration is usual when the host administrator intends to oversubscribe system RAM. ARM is not vulnerable. x86 PV VMs are not vulnerable. x86 HVM domains without PoD (i.e. started with memory == maxmem) are not vulnerable.
Running only PV guests will avoid this issue. Running HVM guests without enabling Populate-on-Demand mode (i.e. ensuring that maxmem == memory) will avoid this issue.
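The exposure condition and the workaround above (an HVM guest with memory < maxmem is in PoD mode; memory == maxmem or a PV guest is not) can be checked across a set of xl domain configuration files. The following audit script is an added example, not Xen project code or a tool from this bug report. It assumes the classic xl config syntax where `memory` and `maxmem` (in MiB) and `builder`/`type` are simple `key = value` assignments, and that an absent `maxmem` defaults to `memory`; the sample configs are constructed for the demonstration.

```python
"""Audit xl-style Xen domain configs for Populate-on-Demand exposure.

Added example (not Xen's own code). Flags HVM guests whose memory is
less than maxmem, which is the PoD configuration this issue requires.
"""
import re

# Matches a top-level `key = value` assignment in an xl config file.
ASSIGN_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$')


def parse_xl_config(text):
    """Return a dict of key -> value strings from xl config text.

    Comments after '#' are dropped and surrounding quotes are stripped;
    list and dict values are kept as raw strings (not needed here).
    """
    cfg = {}
    for line in text.splitlines():
        line = line.split('#', 1)[0]
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        key, val = m.group(1), m.group(2).strip().strip('"\'')
        cfg[key] = val
    return cfg


def is_hvm(cfg):
    """HVM guests are declared with builder="hvm" (older) or type="hvm" (newer)."""
    return (cfg.get('builder', '').lower() == 'hvm'
            or cfg.get('type', '').lower() == 'hvm')


def pod_exposure(cfg):
    """Return (exposed, reason) for one parsed config."""
    if not is_hvm(cfg):
        return False, 'not an HVM guest (PV guests are not affected)'
    try:
        memory = int(cfg['memory'])
        # Assumption: xl treats a missing maxmem as equal to memory.
        maxmem = int(cfg.get('maxmem', memory))
    except (KeyError, ValueError):
        return False, 'memory/maxmem not numeric or missing; cannot evaluate'
    if maxmem > memory:
        return True, f'PoD enabled: memory={memory} MiB < maxmem={maxmem} MiB'
    return False, f'memory == maxmem ({memory} MiB); PoD not in use'


def audit(configs):
    """Map filename -> (exposed, reason) for a dict of filename -> config text."""
    return {name: pod_exposure(parse_xl_config(text))
            for name, text in configs.items()}


# Constructed sample configs: one PoD HVM guest, one fixed-size HVM
# guest (the workaround), and one PV guest (not affected).
SAMPLE_CONFIGS = {
    'pod-guest.cfg': 'name = "pod-guest"\nbuilder = "hvm"\nmemory = 512\nmaxmem = 2048\n',
    'fixed-guest.cfg': 'name = "fixed"\ntype = "hvm"\nmemory = 1024\nmaxmem = 1024  # no PoD\n',
    'pv-guest.cfg': 'name = "pv"\nkernel = "/boot/vmlinuz"\nmemory = 256\nmaxmem = 1024\n',
}

if __name__ == '__main__':
    for name, (exposed, reason) in audit(SAMPLE_CONFIGS).items():
        print(f'{"EXPOSED" if exposed else "ok     "} {name}: {reason}')
```

On a real host, read each file under the toolstack's config directory into the `configs` mapping instead of `SAMPLE_CONFIGS`; any entry reported as EXPOSED is a guest that, until the fixed package is installed, should be reconfigured with maxmem == memory per the workaround above.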
Created xen tracking bugs for this issue:
Affects: fedora-all [bug 1276344]
xen-4.5.1-14.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
xen-4.5.1-14.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
xen-4.4.3-7.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.