Public release: 2016-01-20 12:00
Updated: 2016-01-20 12:08
Title: PV superpage functionality missing sanity checks
Files: advisory-167.txt (signed advisory file)

Xen Security Advisory CVE-2016-1570 / XSA-167

PV superpage functionality missing sanity checks

UPDATES IN VERSION 4

The PV superpage functionality lacks certain validity checks on data
being passed to the hypervisor by guests. This is the case for the
page identifier (MFN) passed to MMUEXT_MARK_SUPER and
MMUEXT_UNMARK_SUPER sub-ops of the HYPERVISOR_mmuext_op hypercall as
well as for various forms of page table updates.

Use of the feature, which is disabled by default, may have unknown
effects, ranging from information leaks through Denial of Service to

Only systems which enable the PV superpage feature are affected. That
is, only systems with an `allowsuperpage' setting on the hypervisor
command line. Note that in Xen 4.0.x and 3.4.x the option is named

Xen versions 3.4.0, 3.4.1, and from 4.1 onwards are affected.
Only x86 systems are affected.
Only PV guests can exploit the vulnerability.
Running only HVM guests will avoid this issue.

Not enabling PV superpage support (by omitting the `allowsuperpage' or
`allowhugepage' hypervisor command line options) will avoid exposing

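An added exposure check for administrators, not part of the advisory: it extracts the `xen_commandline` field that `xl info` prints and decides whether PV superpage support is switched on. It assumes the Xen boolean-option conventions `opt`, `no-opt`, `opt=<yes|on|true|enable|1>` and `opt=<no|off|false|disable|0>`, with the last occurrence winning; the `xl info` output embedded below is constructed sample data.

```shell
#!/bin/sh
# Added example (not from the advisory): does this host expose XSA-167?
# A host is exposed when PV superpage support ends up enabled on the
# hypervisor command line, i.e. via `allowsuperpage' (4.1+) or
# `allowhugepage' (4.0.x / 3.4.x).

# pv_superpage_exposed "<xen command line>"
# Returns 0 (true) when the option ends up enabled, 1 otherwise.
# Assumption: Xen boolean-option syntax, last occurrence wins.
pv_superpage_exposed() {
    rc=1
    for tok in $1; do
        case "$tok" in
            allowsuperpage|allowhugepage)        rc=0 ;;
            no-allowsuperpage|no-allowhugepage)  rc=1 ;;
            allowsuperpage=*|allowhugepage=*)
                case "${tok#*=}" in
                    yes|on|true|enable|1)    rc=0 ;;
                    no|off|false|disable|0)  rc=1 ;;
                esac ;;
        esac
    done
    return $rc
}

# Pull the hypervisor command line out of `xl info` output read on stdin.
xen_cmdline_from_xl_info() {
    sed -n 's/^xen_commandline[[:space:]]*:[[:space:]]*//p'
}

# Constructed sample of `xl info` output from a host booted with the option.
SAMPLE_XL_INFO='host                   : xen-host-01
xen_version            : 4.4.1
xen_commandline        : placeholder dom0_mem=2048M allowsuperpage loglvl=all
cc_compiler            : gcc (Debian 4.9.2-10) 4.9.2'

# Usage on a real host:  xl info | sh this_script.sh --stdin
# Usage on the sample:   sh this_script.sh --check-sample
case "${1:-}" in
    --stdin)        cmdline=$(xen_cmdline_from_xl_info) ;;
    --check-sample) cmdline=$(printf '%s\n' "$SAMPLE_XL_INFO" | xen_cmdline_from_xl_info) ;;
    *)              cmdline= ;;
esac
if [ -n "$cmdline" ]; then
    if pv_superpage_exposed "$cmdline"; then
        echo "EXPOSED: PV superpage support enabled: $cmdline"
    else
        echo "not exposed: $cmdline"
    fi
fi
```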
This issue was discovered by Qinghao Tang of 360 Marvel Team.

Applying the appropriate attached patch resolves this issue.
xsa167-4.6.patch Xen 4.6.x, 4.5.x
xsa167-4.4.patch Xen 4.4.x, 4.3.x

$ sha256sum xsa167*

DEPLOYMENT DURING EMBARGO
Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and

However deployment of the SUPERPAGE DISABLEMENT MITIGATION is NOT
permitted (except where all the affected systems and VMs are
administered and used only by organisations which are members of the
Xen Project Security Issues Predisclosure List). Specifically,
deployment on public cloud systems is NOT permitted.
This is because disabling PV superpage support is visible to guests, so
such deployment could lead to the rediscovery of the vulnerability.
Deployment of the mitigation is permitted only AFTER the embargo ends.

Also: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decision-making.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:

Xenproject.org Security Team