Xen project Mailing List

Re: [Xen-devel] Xen Security Advisory 60 (CVE-2013-2212) - Excessive time to disable caching with HVM guests with PCI passthrough

To: "Xen.org security team" <security@xxxxxxx>

From: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>

Date: Wed, 24 Jul 2013 09:58:52 -0400

Cc: xen-users@xxxxxxxxxxxxx, xen-announce@xxxxxxxxxxxxx, oss-security@xxxxxxxxxxxxxxxxxx, xen-devel@xxxxxxxxxxxxx

Delivery-date: Wed, 24 Jul 2013 13:59:32 +0000

List-id: Xen developer discussion <xen-devel.lists.xen.org>

On Wed, Jul 24, 2013 at 11:36:55AM +0000, Xen.org security team wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Xen Security Advisory CVE-2013-2212 / XSA-60 > version 4 > > Excessive time to disable caching with HVM guests with PCI passthrough > > UPDATES IN VERSION 4 > ==================== > > Public release. > > ISSUE DESCRIPTION > ================= > > HVM guests are able to manipulate their physical address space such that > processing a subsequent request by that guest to disable caches takes an > extended amount of time changing the cachability of the memory pages assigned > to this guest. This applies only when the guest has been granted access to > some memory mapped I/O region (typically by way of assigning a passthrough > PCI device). > > This can cause the CPU which processes the request to become unavailable, > possibly causing the hypervisor or a guest kernel (including the domain 0 one) > to halt itself ("panic"). > > For reference, as long as no patch implementing an approved alternative > solution is available (there's only a draft violating certain requirements > set by Intel's documentation), the problematic code is the function > vmx_set_uc_mode() (in that it calls ept_change_entry_emt_with_range() with > the full guest GFN range, which the guest has control over, but which also > would be a problem with sufficiently large but not malicious guests). > > IMPACT > ====== > > A malicious domain, given access to a device with memory mapped I/O > regions, can cause the host to become unresponsive for a period of > time, potentially leading to a DoS affecting the whole system. > > VULNERABLE SYSTEMS > ================== > > Xen version 3.3 onwards is vulnerable. > > Only systems using the Intel variant of Hardware Assisted Paging (aka EPT) are > vulnerable. > > MITIGATION > ========== > > This issue can be avoided by not assigning PCI devices to untrusted guests, or > by running HVM guests with shadow mode paging (through adding "hap=0" to the > domain configuration file). > > CREDITS > ======= > > Konrad Wilk found the issue as a bug, which on examination by the It was: Zhenzhong Duan > Xenproject.org Security Team turned out to be a security problem. > > RESOLUTION > ========== > > There is currently no resolution to this issue. > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.10 (GNU/Linux) > > iQEcBAEBAgAGBQJR77wrAAoJEIP+FMlX6CvZB5MH/ibfpjHuoGOIo7mWukld4NM5 > UVIKC+rTrnkYhbF2f+xIM833+WAUjPuXZKZ6/EirDAPAAQCut2DouNvVdVnZ5cBx > rq0N8l9wy0/dq/7kCyI3kAGFlJ3VYz7aM5+TTPFGfO7Yq3ohUNu2EE4vv/t5KVjD > H4reh8UaA5QuRbdh3evCM9Vdt2syqi8JQwB5D2CJqrgAuFPwEVle8MLKSXWWb/+V > KUy+mRAb1tN3jbWIev0TZ7Hm3x61yO60/WFzsQzkmkd+qWvC5btkWDg05K5DHC+Q > yvFU3Y5u7J/ub00ZO4e9wjNDG5+ItQUK4xp8y5s65qx27P/eK9VLi8dvnHVMk04= > =HUbY > -----END PGP SIGNATURE----- _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.