[kernel-xen] Xen Security Advisory 113 (CVE-2014-9030) - Guest effectable page reference leak in MMU_MACHPHYS_UPDATE handling

Steven Haigh netwiz at crc.id.au
Sat Nov 22 01:04:44 AEDT 2014 

            Xen Security Advisory CVE-2014-9030 / XSA-113
                              version 2

  Guest effectable page reference leak in MMU_MACHPHYS_UPDATE handling

UPDATES IN VERSION 2
====================

CVE assigned.

ISSUE DESCRIPTION
=================

An error handling path in the processing of MMU_MACHPHYS_UPDATE failed
to drop a page reference which was acquired in an earlier processing
step.

IMPACT
======

Malicious or buggy stub domain kernels or tool stacks otherwise living
outside of Domain0 can mount a denial of service attack which, if
successful, can affect the whole system.

Only domains controlling HVM guests can exploit this vulnerability.
(This includes domains providing hardware emulation services to HVM
guests.)

VULNERABLE SYSTEMS
==================

Xen versions from at least 3.2.x onwards are vulnerable on x86 systems.
Older versions have not been inspected.  ARM systems are not vulnerable.

This vulnerability is only applicable to Xen systems using stub domains
or other forms of disaggregation of control domains for HVM guests.

MITIGATION
==========

Running only PV guests will avoid this issue.

(The security of a Xen system using stub domains is still better than
with a qemu-dm running as an unrestricted dom0 process.  Therefore
users with these configurations should not switch to an unrestricted
dom0 qemu-dm.)

NOTE REGARDING LACK OF EMBARGO
==============================

A draft of this advisory was mistakenly sent to xen-devel.  The Xen
Project Security Team apologises for this error.  We are working to
share best working practices amongst the team to reduce the risks of
recurrance.

CREDITS
=======

This issue was discovered by Andrew Cooper of Citrix.

RESOLUTION
==========

* Fri Nov 21 2014 Steven Haigh <netwiz at crc.id.au> - 4.2.5-6
- XSA-113 (CVE-2014-9030) Guest effectable page reference leak in
MMU_MACHPHYS_UPDATE handling

* Fri Nov 21 2014 Steven Haigh <netwiz at crc.id.au> - 4.4.1-6
- XSA-113 (CVE-2014-9030) Guest effectable page reference leak in
MMU_MACHPHYS_UPDATE handling

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 834 bytes
Desc: OpenPGP digital signature
URL: <https://lists.wireless.org.au/pipermail/kernel-xen/attachments/20141122/47a1d6a8/attachment.sig>

More information about the kernel-xen mailing list