Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <E1VcGJe-000443-7V@xenbits.xen.org>
Date: Fri, 01 Nov 2013 15:07:14 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org,
 xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security@....org>
Subject: Xen Security Advisory 73 - Lock order reversal between page
 allocation and grant table locks

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                    Xen Security Advisory XSA-73

    Lock order reversal between page allocation and grant table locks

NOTE REGARDING LACK OF EMBARGO
==============================

While the response to this issue was being prepared by the security
team, the bug was independently discovered by a third party who
publicly disclosed it without realising the security impact.

ISSUE DESCRIPTION
=================

The locks page_alloc_lock and grant_table.lock are not always taken in
the same order.  This opens the possibility of deadlock.

IMPACT
======

A malicious guest administrator can deny service to the entire host.

VULNERABLE SYSTEMS
==================

Xen versions going back to at least Xen 3.2 are vulnerable.

To exploit the vulnerability, the attacker must have control of more
than one vcpu, either by controlling a malicious multi-vcpu guest, or
by controlling more than one guest.

MITIGATION
==========

There is no practical mitigation for this issue.

CREDITS
=======

This issue was discovered by Coverity Scan and diagnosed by Andrew
Cooper.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa73-4.3-unstable.patch    Xen 4.3.x, xen-unstable
xsa73-4.2.patch             Xen 4.2.x
xsa73-4.1.patch             Xen 4.1.x

$ sha256sum xsa73*.patch
b828ff085f2dc1f2042bda1dc8a6c52b56ad1c1e3639c3efe32e5706e4ef424f  xsa73-4.1.patch
10b809c39582a7f29150f0635b78bc2ce40df0bded963b78f42db3e21775da8c  xsa73-4.2.patch
48411cd6b15e4e4fa3c4335298179a4b1094c5e1ae8dc7582bbfb9439d97037b  xsa73-4.3-unstable.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJSc8OAAAoJEIP+FMlX6CvZNoMH/Al1MD/FJXpJ6BnLZH3zV505
wKc1x38OGpM61X2PrMLCqaqZfRTDuUWFkAx4wOdp1OXx6Do8nwtyzXYInNYKHjse
xS5JhBM0GPY+pABVYJ4IDcskKHDCLew/L4RcPK3oDiS9sZACSrVRXGVLnNUupLit
KmCbN1sZkFwUZSCpF+TBH7QbSkk9h2ytTGDaiZKgmrsmL7TMEOP4ikqxjBDC6gM7
Ty6NzaGJUpIx3nIEjFTnggE8UYN0NkQVDjZlhsDJPbcEWCuHXMYNaXrqFjSY68ac
4uDmwmR6exk38AGQhRir2FkwoXg2Gyim4pxWx7SYge/Ssc2Mft1aMNOdz7uCr3c=
=6AqT
-----END PGP SIGNATURE-----

Download attachment "xsa73-4.1.patch" of type "application/octet-stream" (3726 bytes)

Download attachment "xsa73-4.2.patch" of type "application/octet-stream" (3756 bytes)

Download attachment "xsa73-4.3-unstable.patch" of type "application/octet-stream" (3707 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.