[kernel-xen] Xen Security Advisory 74 (CVE-2013-4553) - Lock order reversal between page_alloc_lock and mm_rwlock

Steven Haigh netwiz at crc.id.au
Wed Nov 27 11:04:27 EST 2013


             Xen Security Advisory CVE-2013-4553 / XSA-74
                              version 3

          Lock order reversal between page_alloc_lock and mm_rwlock

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

The locks page_alloc_lock and mm_rwlock are not always taken in
the same order.  This raises the possibility of deadlock.

The incorrect order occurs only in the implementation of the
deprecated domctl hypercall XEN_DOMCTL_getmemlist.

IMPACT
======

A malicious guest administrator may be able to deny service to the
entire host.

VULNERABLE SYSTEMS
==================

Xen 3.4.x and later are vulnerable.
Xen 3.3.x and earlier are not vulnerable.

Only systems where a privileged domain frequently or predictably uses
XEN_DOMCTL_getmemlist are vulnerable.  (Its use by manually invoked
debugging and stress testing tools is not a security problem.)

We are not aware of any toolstack software which has relevant (and
hence vulnerable) uses of this hypercall.  xend, libxl, xapi and
libvirt are known not to do so.

We are therefore not aware of any deployed Xen-based systems which are
vulnerable.  We are issuing this advisory primarily for the benefit of
any Xen-derived systems using unusual toolstack software.

MITIGATION
==========

If you are using a toolstack (or other software) which uses
XEN_DOMCTL_getmemlist, disabling the relevant feature or functions may
be possible, and would avoid the vulnerability.

CREDITS
=======

This issue was discovered by Coverity Scan and diagnosed by Andrew
Cooper.

RESOLUTION
==========

Fixed in xen-4.2.3-10
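
An added illustration of the lock order reversal described under ISSUE
DESCRIPTION (not part of the original advisory, and not Xen code): a minimal
ordering checker in C that records which lock was held when another was taken
and flags a later acquisition in the opposite order, without ever blocking.
The advisory does not say which order is the established one, so the checker
treats the first order it sees as the reference; the function names and the
two replayed paths are constructed for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not Xen code. The two ids borrow the advisory's lock
 * names as labels only; the acquisition paths replayed below are constructed. */
enum { PAGE_ALLOC_LOCK, MM_RWLOCK, NLOCKS };

static bool before[NLOCKS][NLOCKS]; /* before[a][b]: a was held when b was taken */
static int held[NLOCKS];            /* locks held on the path being replayed */
static int nheld;

/* True if 'to' is reachable from 'from' in the recorded ordering graph. */
static bool reaches(int from, int to, bool *seen) {
    if (from == to) return true;
    seen[from] = true;
    for (int n = 0; n < NLOCKS; n++)
        if (before[from][n] && !seen[n] && reaches(n, to, seen)) return true;
    return false;
}

/* Record an acquisition; false if it contradicts an order recorded earlier. */
bool order_acquire(int lock) {
    bool ok = true;
    if (nheld == NLOCKS) return false;      /* tracking stack is full */
    for (int i = 0; i < nheld; i++) {
        bool seen[NLOCKS] = { false };
        if (reaches(lock, held[i], seen)) ok = false; /* reversal or re-acquire */
        else before[held[i]][lock] = true;
    }
    held[nheld++] = lock;
    return ok;
}

void order_release(void) { if (nheld > 0) nheld--; }
void order_reset(void) { memset(before, 0, sizeof before); nheld = 0; }

/* Replay a path that nests 'inner' inside 'outer'; true if consistent. */
bool replay_path(int outer, int inner) {
    bool ok = order_acquire(outer);
    ok = order_acquire(inner) && ok;
    order_release();
    order_release();
    return ok;
}

int main(void) {
    printf("path A consistent: %d\n", replay_path(PAGE_ALLOC_LOCK, MM_RWLOCK));
    printf("path B consistent: %d\n", replay_path(MM_RWLOCK, PAGE_ALLOC_LOCK));
    return 0;
}
```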
