Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1kp9JW-00075m-Iz@xenbits.xenproject.org>
Date: Tue, 15 Dec 2020 12:20:22 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org,
 xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security-team-members@....org>
Subject: Xen Security Advisory 349 v3 (CVE-2020-29568) - Frontends can
 trigger OOM in Backends by update a watched path

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2020-29568 / XSA-349
                               version 3

 Frontends can trigger OOM in Backends by update a watched path

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

Some OSes (such as Linux, FreeBSD, NetBSD) are processing watch events
using a single thread.  If the events are received faster than the thread
is able to handle, they will get queued.

As the queue is unbound, a guest may be able to trigger a OOM in
the backend.

IMPACT
======

A malicious guest can trigger an OOM in backends.

VULNERABLE SYSTEMS
==================

All systems with a FreeBSD, Linux, NetBSD dom0 are vulnerable.

All version of those OSes are vulnerable.

MITIGATION
==========

There is no known mitigation.

CREDITS
=======

This issue was discovered by Michael Kurth and Pawel Wieczorkiewicz of
Amazon.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue for Linux.

Fixes for FreeBSD and NetBSD will be handled through their own
security process.

Fixes for FreeBSD and NetBSD will be handled through their own security
process.

xsa349/xsa349-linux-?.patch   Linux

$ sha256sum xsa349*/*
76f69574553137af8c9c7aecca3025d135b49c4a5316cc541e9e355576a21599  xsa349/xsa349-linux-1.patch
3ce2e1a88321993a3698b4608d2332fb5d43e0d82de73bc9f1700202782eba30  xsa349/xsa349-linux-2.patch
4bbaf62ed5e3442b310f80344b9d3ccd37f0a07827ed41907b44228130a610da  xsa349/xsa349-linux-3.patch
a7648214cea5d0340a29552df224230cf214d698fe2d7a8798f57444225afe32  xsa349/xsa349-linux-4.patch
ac32d02129821ed7db1b71c39b2c708399c0af809eefdb5bf0709f00736e7959  xsa349/xsa349-linux-5.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAl/Yqd8MHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZxv0IAI1ELk5Zbx9SD7obwWo7r9G0QOE2fP6DtZnlIDsL
AsD1bssyosT5L0Xkk5+8tmt6gwRN3fjpAj24QNO/DrytHFSa42ELPmpEeQ63/LJL
UJwxC+fbAwWrk8JM99WqWQbgASBka9VSktVML/yU3K+IpBk4xTPulJ5J+R96QYoe
65zCFkbkw2HHFLzUlveY03031ckNshrmfX/rP7vFrjywdKkvt0wq/jRIESjiWfln
sIC+qc/FtOWfXywpcdYZmL3uPqcZViVXnv4lOZ4Meg5+IzJDPxPnYw/T1RRKjdyy
dBZvhv3DHGtdnI5Q3BGW6KOuHC4KBsWLX5pPWm6m5MCfHak=
=XeRA
-----END PGP SIGNATURE-----

Download attachment "xsa349/xsa349-linux-1.patch" of type "application/octet-stream" (4617 bytes)

Download attachment "xsa349/xsa349-linux-2.patch" of type "application/octet-stream" (5455 bytes)

Download attachment "xsa349/xsa349-linux-3.patch" of type "application/octet-stream" (1755 bytes)

Download attachment "xsa349/xsa349-linux-4.patch" of type "application/octet-stream" (3198 bytes)

Download attachment "xsa349/xsa349-linux-5.patch" of type "application/octet-stream" (1900 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.