===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.2534
   Xen Security Advisory XSA-300 - Linux: No grant table and foreign mapping limits
                                10 July 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Xen
Publisher:         Xen
Operating System:  Xen
Impact/Access:     Denial of Service -- Existing Account
Resolution:        Patch/Upgrade

Original Bulletin:
   https://xenbits.xen.org/xsa/advisory-300.html

--------------------------BEGIN INCLUDED TEXT--------------------

            Xen Security Advisory XSA-300

  Linux: No grant table and foreign mapping limits

ISSUE DESCRIPTION
=================

Virtual device backends and device models running in domain 0, or other
backend driver domains, need to be able to map guest memory (either via
grant mappings, or via the foreign mapping interface).

For Linux to keep track of these mappings, it needs to have a page
structure for each one.  In practice the number of page structures is
usually limited.  In PV dom0, a range of pfns are typically set aside
at boot ("pre-ballooned") for this purpose; for PVH and Arm dom0s, no
memory is set aside to begin with.  In either case, when more of this
"foreign / grant map pfn space" is needed, dom0 will balloon out extra
pages to use for this purpose.

Unfortunately, in Linux, there are no limits, neither on the total
amount of memory which dom0 will attempt to balloon down to, nor on the
amount of "foreign / grant map" memory which any individual guest can
consume.

As a result, a malicious guest may be able, with crafted requests to
the backend, to cause dom0 to exhaust its own memory, leading to a host
crash; and if this is not possible, it may be able to monopolize all of
the foreign / grant map pfn space, starving out other guests.
IMPACT
======

Guest may be able to crash domain 0 (Host Denial-of-Service); or may be
able to starve out I/O requests from other guests (Guest
Denial-of-Service).

VULNERABLE SYSTEMS
==================

All versions of Linux are vulnerable.

All Arm dom0s are vulnerable; on x86, PVH dom0 is generally vulnerable,
while PV dom0's vulnerability depends on what, if any, "dom0_mem="
option was passed to Xen.

MITIGATION
==========

On PV dom0, the amount of "pre-ballooned" memory can be increased by
limiting dom0 memory via "dom0_mem=", but avoiding use of the
"dom0_mem=max:<value>" form of the command line option, or by making
the delta between "actual" and "maximum" sufficiently large.  This
makes the attack more difficult to accomplish.

CREDITS
=======

This issue was discovered by Julien Grall of ARM.

RESOLUTION
==========

Applying the appropriate attached patch resolves the domain 0 memory
exhaustion issue.

NOTE: This does NOT fix the guest starvation issue.  Fixing this issue
is more complex, and it was determined that it was better to work on a
robust fix for the issue in public.  This advisory will be updated when
fixes are available.

xsa300-linux-5.1.patch           Linux 4.4 ... 5.2-rc

$ sha256sum xsa300*
9c8a9aec52b147f8e8ef41444e1dd11803bacf3bd4d0f6efa863b16f7a9621ac  xsa300-linux-5.1.patch
$

NOTE ON LACK OF EMBARGO
=======================

The lack of predisclosure is due to a short schedule set by the
discoverer, and efforts to resolve the advisory wording.

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.
(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decision-making.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:

  http://www.xenproject.org/security-policy.html

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information or
advice contained in this security bulletin is the responsibility of each
user or organisation, and should be considered in accordance with your
organisation's site policies and procedures.
AusCERT takes no responsibility for consequences which may arise from
following or acting on information or advice contained in this security
bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
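Whether the MITIGATION section of the advisory above applies to a PV dom0 turns on which form of "dom0_mem=" was passed to Xen. The following POSIX shell check is an added example, not part of the AusCERT bulletin or the Xen project's own code; it assumes the option syntax dom0_mem=[min:<v>,][max:<v>,][<v>] and that the live value is read from the xen_commandline field of `xl info`.

```shell
# Added example (not from the advisory or the Xen project): classify the
# Xen "dom0_mem=" boot option the way the MITIGATION section describes it.
# $1 is the xen_commandline string as printed by `xl info`.
# Prints one of: none, max-only, fixed, fixed-with-max.
# Returns 0 when a bare amount is present (pre-ballooned space exists),
# 1 when dom0_mem= is absent or only the max:<value> form is used.
classify_dom0_mem() {
    opt=""
    for tok in $1; do
        case $tok in
            dom0_mem=*) opt=${tok#dom0_mem=} ;;
        esac
    done
    if [ -z "$opt" ]; then
        echo none
        return 1
    fi
    amount=""; max=""
    # Assumed option syntax: a comma-separated list [min:<v>,][max:<v>,][<v>]
    IFS=,
    for part in $opt; do
        case $part in
            min:*) ;;                     # min: creates no pre-ballooned space
            max:*) max=${part#max:} ;;
            *)     amount=$part ;;
        esac
    done
    unset IFS                             # back to default word splitting
    if [ -z "$amount" ]; then
        echo max-only
        return 1
    fi
    if [ -n "$max" ]; then
        echo fixed-with-max
    else
        echo fixed
    fi
}

# Constructed sample command lines (not taken from a real host).
# Live use: classify_dom0_mem "$(xl info | sed -n 's/^xen_commandline *: //p')"
for cl in "dom0_mem=max:4096M loglvl=all" "dom0_mem=2048M,max:4096M" "console=com1"; do
    if kind=$(classify_dom0_mem "$cl"); then
        echo "$cl -> $kind (pre-ballooned space present)"
    else
        echo "$cl -> $kind (mitigation not applied)"
    fi
done
```

A "fixed-with-max" result still needs a manual look at the delta between the two values, which the advisory only says must be "sufficiently large".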