[kernel-xen] Fwd: [Xen-announce] Xen Security Advisory 154 (CVE-2016-2270) - x86: inconsistent cachability flags on guest mappings

Glenn Enright glenn at rimuhosting.com
Thu Feb 18 12:22:48 AEDT 2016 

Where the notice says "performance regression with this patch on
some systems", its a shame that the actual server configuration was not 
described in more detail, at least having that would provide some 
baseline for discussion and potentially help build a knowledge base of 
systems affected.

A concern of course is that the use of "some" in various places on the 
notice is so vague, and might actually mean "most/all the machines we 
tested".

It would also be nice to see details on the notice of a POC for the 
issue, presumably the security team had a test case. Else how else could 
they properly patch for it? I'm wondering why that has not been 
published as well, any idea if such is available now embargo is lifted?

Regards, Glenn
http://ri.mu - Startups start here.
Hosting. DNS. Web Programming. Email. Backups. Monitoring.

On 18/02/16 14:07, Steven Haigh wrote:
> Hi all,
>
> I'd like to forward this for discussion to the list - as you'll notice
> that I have only patched XSA-170 released today.
>
> The patch below is somewhat interesting - as a workaround is presented
> by a new option (not available in previous patch versions) to restore
> the performance regression involved with this fix. The problem is, with
> this option, you reintroduce the security issue that the patch resolves.
>
> As such, it leaves us with two scenarios:
> 1) Apply the patch and take the performance hit (not sure of the scale
> of this hit or what it affects) - even if your hardware is not
> vulnerable; or
> 2) Use the command line option which makes this patch moot.
>
> I wasn't able to canvas this list for opinions on this before the
> embargo ended - but am interested to gather peoples feedback after
> analysis.
>
> My concerns are that there is not enough quantifiable information to be
> able to easily determine a way forward. There is not enough information
> to make me comfortable as to what hardware is affected, what degree the
> of performance loss is.
>
> Am happy to get feedback on other peoples thoughts on this issue.
>

More information about the kernel-xen mailing list