Date: Thu, 04 Mar 2021 10:58:11 +0000 From: Xen.org security team <security@....org> To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org, xen-users@...ts.xen.org, oss-security@...ts.openwall.com CC: Xen.org security team <security-team-members@....org> Subject: Xen Security Advisory 369 v1 - Linux: special config may crash when trying to map foreign pages -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory XSA-369 Linux: special config may crash when trying to map foreign pages ISSUE DESCRIPTION ================= With CONFIG_XEN_BALLOON_MEMORY_HOTPLUG disabled and CONFIG_XEN_UNPOPULATED_ALLOC enabled the Linux kernel will use guest physical addresses allocated via the ZONE_DEVICE functionality for mapping foreign guest's pages. This will result in problems, as the p2m list will only cover the initial memory size of the domain plus some padding at the end. Most ZONE_DEVICE allocated addresses will be outside the p2m range and thus a mapping can't be established with those memory addresses, resulting in a crash. The attack involves doing I/O requiring large amounts of data to be mapped by the Dom0 or driver domain. The amount of data needed to result in a crash can vary depending on the memory layout of the affected Dom0 or driver domain. IMPACT ====== A Dom0 or driver domain based on a Linux kernel (configured as described above) can be crashed by a malicious guest administrator, or possibly malicious unprivileged guest processes. VULNERABLE SYSTEMS ================== Only x86 paravirtualized (PV) Dom0 or driver domains are affected. Only Linux kernels configured *with* CONFIG_XEN_UNPOPULATED_ALLOC and *without* CONFIG_XEN_BALLOON_MEMORY_HOTPLUG are vulnerable. Only kernels from kernel version 5.9 onwards are affected. CONFIG_XEN_BALLOON_MEMORY_HOTPLUG is enabled by default in upstream Linux when Xen support is enabled, so kernels using upstream default Kconfig are not affected. Most distribution kernels supporting Xen dom0 use are likewise not vulnerable. Arm systems or x86 PVH or x86 HVM driver domains are not affected. MITIGATION ========== There is no mitigation available. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. xsa369-linux.patch Linux 5.9-stable - 5.12-rc $ sha256sum xsa369* 937df4f078a070cf47bdd718c6b8a042ec6bee255eedc422d833c2ae3dd561c7 xsa369-linux.patch $ CREDITS ======= This issue was discovered by Marek Marczykowski-Górecki of Invisible Things Lab. For patch: Reported-by: Marek Marczykowski-Górecki <marmarek@...isiblethingslab.com> NOTE REGARDING LACK OF EMBARGO ============================== This was reported publicly multiple times, before the XSA could be issued. -----BEGIN PGP SIGNATURE----- iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmBAvMQMHHBncEB4ZW4u b3JnAAoJEIP+FMlX6CvZ5PoH/2EY28X1Fe+2RW5SrnAo2dZWLXeIrXQIXbsDCdlI GKhFChUhYHJP3wLhE4F7J5SAjl48ta/gtdpbpJWXsZSS+2KIdV/dDZ3ZA6cxWFAI DuVvqqt5O0xpF02bgTZrL1GUL8975L0O7cwtGmsIbPjVSF5UktuLS0Q1zRAiYvG9 l5Xu32nekxz2fGebMYrJTIPYNc8LOg3d+MIAE4W1u3Wj46S8yRJhyNQmsPQXZTEk nlTp0ed8ScAt7pIZn7dbnLz8zUAQ64h2yar0UBih51kd3Bss5E4PXsS0zlXlVNfk 046nBhbFfB3dgM49NlJ3oHhiZh6dN5LpMblmGK4Tb+FJqNE= =QwG+ -----END PGP SIGNATURE----- Download attachment "xsa369-linux.patch" of type "application/octet-stream" (5098 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.