Date: Fri, 01 Nov 2013 15:25:45 +0000 From: Xen.org security team <security@....org> To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org, xen-users@...ts.xen.org, oss-security@...ts.openwall.com CC: Xen.org security team <security@....org> Subject: Xen Security Advisory 73 - Lock order reversal between page allocation and grant table locks -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory XSA-73 version 2 Lock order reversal between page allocation and grant table locks UPDATES IN VERSION 2 ==================== Corrected typo in xsa73-4.1.patch. The other patches were already correct. NOTE REGARDING LACK OF EMBARGO ============================== While the response to this issue was being prepared by the security team, the bug was independently discovered by a third party who publicly disclosed it without realising the security impact. ISSUE DESCRIPTION ================= The locks page_alloc_lock and grant_table.lock are not always taken in the same order. This opens the possibility of deadlock. IMPACT ====== A malicious guest administrator can deny service to the entire host. VULNERABLE SYSTEMS ================== Xen versions going back to at least Xen 3.2 are vulnerable. To exploit the vulnerability, the attacker must have control of more than one vcpu, either by controlling a malicious multi-vcpu guest, or by controlling more than one guest. MITIGATION ========== There is no practical mitigation for this issue. CREDITS ======= This issue was discovered by Coverity Scan and diagnosed by Andrew Cooper. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. xsa73-4.3-unstable.patch Xen 4.3.x, xen-unstable xsa73-4.2.patch Xen 4.2.x xsa73-4.1.patch Xen 4.1.x $ sha256sum xsa73*.patch c9284e2c12b1c4f8c63d11b8802b4f408e6623f857f120b04e47840f433e4823 xsa73-4.1.patch 10b809c39582a7f29150f0635b78bc2ce40df0bded963b78f42db3e21775da8c xsa73-4.2.patch 48411cd6b15e4e4fa3c4335298179a4b1094c5e1ae8dc7582bbfb9439d97037b xsa73-4.3-unstable.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJSc8fSAAoJEIP+FMlX6CvZeRUH/Rn+MT2Xj1zteuIs89cLZOBc 5ieh44Nqulyn/kQU+j7tzmq0urzt5w0VEiL7CWDxXe6KktzKZDnZTkXDSXr13sxU pIM682cpaSsGvDFDSKdc6x03cNQ3P+FSrz/uWEWmCFjOuqRT839RkY3NbkC6mhaH O9JUW+uojphJ3TJDfmvl9xsN4W6A3H8SvJp71c6LNGMTUXfAsOahNnrlJev+s8Pu OruXzqVFzOpU1BbWYAakhSgUg/5+FTCcR+ZUN4AgMHgetnXIbR0qGtvWGEP9kTVt wOK/mgAA7T4yHyTySmmVHc/BN422e0xv045Zr25AI2WrteLnpo4gj5GJBuAilEU= =RHfD -----END PGP SIGNATURE----- [ CONTENT OF TYPE application/octet-stream SKIPPED ] [ CONTENT OF TYPE application/octet-stream SKIPPED ] [ CONTENT OF TYPE application/octet-stream SKIPPED ]
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ