Date: Tue, 15 Dec 2020 12:20:26 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org, xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security-team-members@....org>
Subject: Xen Security Advisory 354 v4 (CVE-2020-29487) - XAPI: guest-triggered excessive memory usage

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2020-29487 / XSA-354
                              version 4

              XAPI: guest-triggered excessive memory usage

UPDATES IN VERSION 4
====================

Public release.

ISSUE DESCRIPTION
=================

Certain xenstore keys provide feedback from the guest, and are therefore
watched by the toolstack. Specifically, the keys are watched by xenopsd,
and the data are forwarded via RPC through message-switch to xapi.

The watching logic in xenopsd sends one RPC update containing all of the
data any time any single xenstore key is updated, and therefore has
O(N^2) time complexity. Furthermore, message-switch retains recent
(currently 128) RPC messages for diagnostic purposes, yielding O(M*N)
space complexity.

The quantity of memory a single guest can monopolise is bounded by the
xenstored quota, but the quota is fairly large. It is believed to be in
excess of 1G per malicious guest.

In practice this manifests as a host denial of service, either through
message-switch thrashing against swap, or OOM'ing entirely, depending on
dom0's configuration.

This series introduces quotas in xenopsd to limit the quantity of keys
which result in RPC traffic.

IMPACT
======

A buggy or malicious guest can cause unreasonable memory usage in dom0,
resulting in a host denial of service.

VULNERABLE SYSTEMS
==================

All versions of XAPI are vulnerable.

Systems which are not using the XAPI toolstack are not vulnerable.

MITIGATION
==========

There are no mitigations available.

CREDITS
=======

This issue was discovered by Edwin Török of Citrix.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball. Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa354-*.patch           xenopsd master

$ sha256sum xsa354*
66d29c38ce4fa6c77a4853a0f0345f3bf1fcbe11703090e1dbfa83257564de42  xsa354-1-ls_lR-factor-out-dir-concatenation.patch
0686465119b4442d839d59c66c41d02ce6b4cfa9c82234e0aefcaffbb7985ee4  xsa354-2-ls_lR-refactor-use-fold.patch
fb60812f1230526f9c3be77d4f0c8c08903b21aa5c449056dc16b1181720b3cb  xsa354-3-ls_lR-separate-recursion-into-separate-funct.patch
41f221007abd89c8d24dacb7b0ff96109427c1c84eae75b7245bb287a0938d81  xsa354-4-ls_lR-add-quota.patch
fcd4abddf18bc5b875ec28213f3138f1de395e91076b5b1a828353bc8b19d8ed  xsa354-5-ls_lR-limit-depth.patch
1ff82640a446407492904b50b05fc903a70d570620cd20a21493c9240b38f8be  xsa354-6-exclude-attr-os-hotfixes-from-ls_lR.patch
b1b2f96b93d41201ddfdb093660f06f8bce5461a715cfeb7110f0194b74c93cb  xsa354-7-read-important-xenstore-entries-first.patch
6908e957c299fe57dcd5c5c93162d135326221f1e66ac4b43b771ebd63bae35d  xsa354-8-refactor-attr-os-hotfixes-exclusion.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decision-making.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:

  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAl/YqeAMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZA0MIAK9VhZjA0/adgq4TY2DXFjIZKg6Q9ZE9cBZcgv4l
XhGpAwxeYKU76KFEf1si3KCGV7xzHG0tnwkEgfpeldnGCwsgSkJPRNFvgA/7iuW0
3hCAdRioSU9Rm3h2gQdIDBAppvD0NhkkjQU/XcrB7qeOjfYrdvH5gS+NSRN/z50V
g02kUrWypShC0+lvgkJ0zXfl0CAQSs27BMd2vlj5BuOP573IrbJh6NHuRMF9Dm9J
48ny910Ctws5FSbe25ZgZHERZnwDnwe/oGP1ws12wZbU8ToP5t7tHnSQGNgwXPWT
Xpoecr5Iqek2CUHPEd8KKKS4B5frJHq+Xp8CAfnX8KT8VH8=
=y19v
-----END PGP SIGNATURE-----

Attachments (as posted, application/octet-stream):
  xsa354-1-ls_lR-factor-out-dir-concatenation.patch (1249 bytes)
  xsa354-2-ls_lR-refactor-use-fold.patch (2181 bytes)
  xsa354-3-ls_lR-separate-recursion-into-separate-funct.patch (1713 bytes)
  xsa354-4-ls_lR-add-quota.patch (6268 bytes)
  xsa354-5-ls_lR-limit-depth.patch (1824 bytes)
  xsa354-6-exclude-attr-os-hotfixes-from-ls_lR.patch (1260 bytes)
  xsa354-7-read-important-xenstore-entries-first.patch (6021 bytes)
  xsa354-8-refactor-attr-os-hotfixes-exclusion.patch (3218 bytes)
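The ISSUE DESCRIPTION above gives the two cost terms behind the advisory: each xenstore write re-sends a full snapshot of every watched key (O(N^2) traffic over N writes), and message-switch keeps the last 128 RPC messages (O(M*N) resident memory). The following is an added model of that behaviour and of the effect of a per-domain key quota; it is not xenopsd or message-switch code, and the entry size of 64 bytes, the key names and the quota value are constructed assumptions. The only figure taken from the advisory is the ring of 128 retained messages. The depth limit from patch 5 is not modelled.

```python
"""Constructed model of the XSA-354 amplification and of a key-count quota.

Not xenopsd/message-switch code: the per-entry size, key names and quota
value below are assumptions chosen for illustration.
"""
from collections import deque

# message-switch retains this many recent RPC messages (figure from the advisory).
RETAINED_MESSAGES = 128


def snapshot_size(keys, bytes_per_entry=64):
    """Size of one RPC update that carries every watched key: O(N) per message."""
    return len(keys) * bytes_per_entry


def simulate(num_writes, quota=None, retained=RETAINED_MESSAGES, bytes_per_entry=64):
    """Model a guest writing `num_writes` distinct watched keys, one per update.

    Without a quota every write forwards a snapshot of all keys written so far,
    so the bytes sent grow as O(N^2) and the retained ring holds O(M*N) bytes.
    With a quota the snapshot is truncated to the first `quota` keys, so each
    message, and therefore the ring, is bounded regardless of N.

    Returns (total_bytes_sent, peak_bytes_retained_in_ring).
    """
    keys = []
    ring = deque(maxlen=retained)  # diagnostic ring: oldest message is dropped first
    total_sent = 0
    peak_retained = 0
    for i in range(num_writes):
        keys.append(f"data/key{i}")  # constructed key name
        # Quota enforcement as a defender would apply it: listing stops at `quota` entries.
        visible = keys if quota is None else keys[:quota]
        msg_size = snapshot_size(visible, bytes_per_entry)
        total_sent += msg_size
        ring.append(msg_size)
        peak_retained = max(peak_retained, sum(ring))
    return total_sent, peak_retained


def retained_bound(num_keys, retained=RETAINED_MESSAGES, bytes_per_entry=64):
    """Analytic ceiling on ring memory: M messages of at most num_keys entries each."""
    return retained * num_keys * bytes_per_entry


if __name__ == "__main__":
    sent, peak = simulate(1000)
    print(f"no quota : sent={sent:,} bytes, ring peak={peak:,} bytes")
    sent_q, peak_q = simulate(1000, quota=100)
    print(f"quota=100: sent={sent_q:,} bytes, ring peak={peak_q:,} bytes "
          f"(bound {retained_bound(100):,})")
```

Running the model with 1000 writes shows the ring peak falling from a few megabytes to a fixed 128 * quota * entry-size ceiling once a quota is applied; with the real xenstored limits (which the advisory puts above 1G per guest) the unquoted term is what turns into dom0 swap thrashing or an OOM. The quota caps the per-message term, which is the one the ring multiplies by 128.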