Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 24 Jul 2013 09:58:52 -0400
From: Konrad Rzeszutek Wilk <konrad.wilk@...cle.com>
To: "Xen.org security team" <security@....org>
Cc: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org,
        xen-users@...ts.xen.org, oss-security@...ts.openwall.com
Subject: Re: Xen Security Advisory 60 (CVE-2013-2212) - Excessive time to
 disable caching with HVM guests with PCI passthrough

On Wed, Jul 24, 2013 at 11:36:55AM +0000, Xen.org security team wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
>              Xen Security Advisory CVE-2013-2212 / XSA-60
>                              version 4
> 
>    Excessive time to disable caching with HVM guests with PCI passthrough
> 
> UPDATES IN VERSION 4
> ====================
> 
> Public release.
> 
> ISSUE DESCRIPTION
> =================
> 
> HVM guests are able to manipulate their physical address space such that
> processing a subsequent request by that guest to disable caches takes an
> extended amount of time changing the cachability of the memory pages assigned
> to this guest. This applies only when the guest has been granted access to
> some memory mapped I/O region (typically by way of assigning a passthrough
> PCI device).
> 
> This can cause the CPU which processes the request to become unavailable,
> possibly causing the hypervisor or a guest kernel (including the domain 0 one)
> to halt itself ("panic").
> 
> For reference, as long as no patch implementing an approved alternative
> solution is available (there's only a draft violating certain requirements
> set by Intel's documentation), the problematic code is the function
> vmx_set_uc_mode() (in that it calls ept_change_entry_emt_with_range() with
> the full guest GFN range, which the guest has control over, but which also
> would be a problem with sufficiently large but not malicious guests).
> 
> IMPACT
> ======
> 
> A malicious domain, given access to a device with memory mapped I/O
> regions, can cause the host to become unresponsive for a period of
> time, potentially leading to a DoS affecting the whole system.
> 
> VULNERABLE SYSTEMS
> ==================
> 
> Xen version 3.3 onwards is vulnerable.
> 
> Only systems using the Intel variant of Hardware Assisted Paging (aka EPT) are
> vulnerable.
> 
> MITIGATION
> ==========
> 
> This issue can be avoided by not assigning PCI devices to untrusted guests, or
> by running HVM guests with shadow mode paging (through adding "hap=0" to the
> domain configuration file).
> 
> CREDITS
> =======
> 
> Konrad Wilk found the issue as a bug, which on examination by the

It was:
Zhenzhong Duan

> Xenproject.org Security Team turned out to be a security problem.
> 
> RESOLUTION
> ==========
> 
> There is currently no resolution to this issue.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (GNU/Linux)
> 
> iQEcBAEBAgAGBQJR77wrAAoJEIP+FMlX6CvZB5MH/ibfpjHuoGOIo7mWukld4NM5
> UVIKC+rTrnkYhbF2f+xIM833+WAUjPuXZKZ6/EirDAPAAQCut2DouNvVdVnZ5cBx
> rq0N8l9wy0/dq/7kCyI3kAGFlJ3VYz7aM5+TTPFGfO7Yq3ohUNu2EE4vv/t5KVjD
> H4reh8UaA5QuRbdh3evCM9Vdt2syqi8JQwB5D2CJqrgAuFPwEVle8MLKSXWWb/+V
> KUy+mRAb1tN3jbWIev0TZ7Hm3x61yO60/WFzsQzkmkd+qWvC5btkWDg05K5DHC+Q
> yvFU3Y5u7J/ub00ZO4e9wjNDG5+ItQUK4xp8y5s65qx27P/eK9VLi8dvnHVMk04=
> =HUbY
> -----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.