Information

AdvisoryXSA-114
Public release 2014-12-08 12:00
Updated 2014-12-08 12:08
Version 3
CVE(s) CVE-2014-9065 CVE-2014-9066
Title p2m lock starvation

Files

advisory-114.txt (signed advisory file)
xsa114.patch
xsa114-4.2.patch
xsa114-4.3.patch
xsa114-4.4.patch

Advisory


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

     Xen Security Advisory CVE-2014-9065,CVE-2014-9066 / XSA-114
                              version 3

                       p2m lock starvation

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

The current read/write lock implementation is read-biased, which allows
a consistent stream of readers to starve writers indefinitely.  There
are certain rwlocks where guests are capable of applying arbitrary read
pressure.

IMPACT
======

A malicious guest administrator can deny service to other tasks.  If
the NMI watchdog is active, a timeout might be triggered, resulting in
a host crash.

VULNERABLE SYSTEMS
==================

Xen 4.2 and later systems are vulnerable.

Xen 4.1 and earlier are not vulnerable in normal configurations.  4.1
and earlier are vulnerable only insofar as features are used which
have already been explicitly discounted for security support purposes
(TMEM, see XSA-15; XSM-based radical disaggregation, see XSA-77).

Only x86 systems offer avenues for attacking this vulnerability.
ARM systems do not and are therefore not vulnerable.

MITIGATION
==========

There is no mitigation available for this issue.

CREDITS
=======

This issue was discovered by Andrew Cooper of Citrix.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue in
practice for most systems.  (CVE-2014-9065 refers to these fixed
cases.)

In some deployments, large guests (more than around 30-40 VCPUs) may
still be able to trigger intermittent problems; a complete fix to this
issue requires substantial structural changes and is planned for Xen
4.6.  (CVE-2014-9066 refers to these yet-to-be-fixed cases.)

xsa114.patch                 xen-unstable
xsa114-4.4.patch             Xen 4.4.x
xsa114-4.3.patch             Xen 4.3.x
xsa114-4.2.patch             Xen 4.2.x

$ sha256sum xsa114*.patch
d1c1a2d5d55bfe13ba99a9cb99b367a29389aa30f13ffacc02b465a006115b45  xsa114.patch
a7a57c49d65de7e3cd480476b0a935ddac9e9d941aa6ca65e87170411a7c1176  xsa114-4.2.patch
ae787074b857c40ab0059802846cb0152e24c937486968c769a9bfe8cbe3d10f  xsa114-4.3.patch
b35ed8710693163cc33772c36e4c17dc76e25a0b2025fff4a5aa3b46c459938a  xsa114-4.4.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJUhZTQAAoJEIP+FMlX6CvZYUkH/A/SYzqnOXvSa0tF7penNFb9
NFwRBjTvddaTnB72UiIL6ca/3tV1la2cNpn+p4M+cGSuCwHV9QaEoRMtc6l77Yol
I1ApyZWHS3Qwv2zKDp5dozDcO5yiVuVj+Az1O9f3NCv6PsQvJxYugB/3JKUnhS60
ItmlwnxAEzRd0pvoG8zb7vdLKPyfJ9gYTW3OU50F13TbJEtIJ1ifzvCTC7zPv7da
phYy7NClS9a1QeXOnwRNyoL8hBZ6OWJYxG66+8P/s0SUtvTOuOoVJ510cAwfv4Fw
y96Ss+vfTu9u34GBaO/rTP5FkH1x9vptFGTIgjtDPZmwf30kCo4qyq3jnjyWKmM=
=V6/o
-----END PGP SIGNATURE-----


Xenproject.org Security Team