[kernel-xen] Xen Security Advisory 60 (CVE-2013-2212) - Excessive time to disable caching with HVM guests with PCI passthrough
netwiz at crc.id.au
Wed Jul 24 23:57:37 EST 2013
Xen Security Advisory CVE-2013-2212 / XSA-60
Excessive time to disable caching with HVM guests with PCI passthrough
UPDATES IN VERSION 4
HVM guests are able to manipulate their physical address space such that
processing a subsequent request by that guest to disable caches takes an
extended amount of time while the cachability of the memory pages assigned
to this guest is changed. This applies only when the guest has been granted
access to some memory mapped I/O region (typically by way of assigning a passthrough
This can cause the CPU which processes the request to become unavailable,
possibly causing the hypervisor or a guest kernel (including the domain
to halt itself ("panic").
For reference, as long as no patch implementing an approved alternative
solution is available (there's only a draft violating certain requirements
set by Intel's documentation), the problematic code is the function
vmx_set_uc_mode() (in that it calls ept_change_entry_emt_with_range() with
the full guest GFN range, which the guest has control over, but which also
would be a problem with sufficiently large but not malicious guests).
A malicious domain, given access to a device with memory mapped I/O
regions, can cause the host to become unresponsive for a period of
time, potentially leading to a DoS affecting the whole system.
Xen version 3.3 onwards is vulnerable.
Only systems using the Intel variant of Hardware Assisted Paging (aka
This issue can be avoided by not assigning PCI devices to untrusted
by running HVM guests with shadow mode paging (through adding "hap=0" to the
domain configuration file).
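As an added defensive check that is not part of the advisory: a small Python audit over xl/xm domain configuration files (constructed samples with hypothetical paths below) that flags HVM guests which have PCI devices assigned but do not set hap=0, the workaround described above. It cannot tell whether the host actually uses Intel EPT; that has to be checked on the host itself.

```python
import re

# Constructed sample domain configs in xl/xm syntax (hypothetical paths,
# not taken from the advisory). "builder" is the classic HVM selector;
# "type" is accepted as well, as an assumption about newer configs.
SAMPLE_CONFIGS = {
    "/etc/xen/trusted-hvm.cfg": 'builder = "hvm"\nname = "trusted"\n'
                                'pci = [ "01:00.0" ]\nhap = 0\n',
    "/etc/xen/untrusted-hvm.cfg": 'builder = "hvm"\nname = "untrusted"\n'
                                  'pci = [ "02:00.0", "02:00.1" ]\n',
    "/etc/xen/pv-guest.cfg": 'name = "pvguest"\nkernel = "/boot/vmlinuz"\n'
                             'pci = [ "03:00.0" ]\n',
    "/etc/xen/hvm-nopci.cfg": 'builder = "hvm"\nname = "plain"\nhap = 1\n',
}

KEY_RE = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$')
BDF_RE = re.compile(r'[0-9a-fA-F]{2}:[0-9a-fA-F]{2}\.[0-7]')  # bus:dev.fn


def parse_config(text):
    """Minimal reader for the 'key = value' lines of a domain config.
    Comments are stripped, unknown lines ignored, values kept as raw text."""
    cfg = {}
    for line in text.splitlines():
        m = KEY_RE.match(line.split("#", 1)[0])
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def is_exposed(cfg):
    """True when the domain matches the advisory's vulnerable shape: an HVM
    guest with at least one PCI device assigned and HAP not turned off.
    Assumption: HAP is in effect unless the config explicitly says hap = 0."""
    def unquoted(key):
        return cfg.get(key, "").strip().strip("\"'").lower()
    hvm = unquoted("builder") == "hvm" or unquoted("type") == "hvm"
    has_pci = bool(BDF_RE.findall(cfg.get("pci", "")))
    hap_off = cfg.get("hap", "1").strip() == "0"
    return hvm and has_pci and not hap_off


def audit(configs):
    """Return the config paths that still need hap=0 or the pci= assignment
    removed, sorted for stable output."""
    return sorted(p for p, t in configs.items() if is_exposed(parse_config(t)))
```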
Konrad Wilk found the issue as a bug, which on examination by the
Xenproject.org Security Team turned out to be a security problem.
There is currently no resolution to this issue.