|Public release ||2016-06-03 09:47|
|Updated ||2016-06-03 13:55|
|Title ||arm: Host crash caused by VMID exhaustion|
Filesadvisory-181.txt (signed advisory file)
-----BEGIN PGP SIGNED MESSAGE-----
Xen Security Advisory CVE-2016-5242 / XSA-181
arm: Host crash caused by VMID exhaustion
UPDATES IN VERSION 2
VMIDs are a finite hardware resource, and allocated as part of domain
creation. If no free VMIDs are available when trying to create a new domain,
a bug in the error path causes a NULL pointer to be used, resulting in a Data
Abort and host crash.
Attempting to create too many concurrent domains causes a host crash rather
than a graceful error. A malicious device driver domain can hold references
to domains, preventing its VMID being released.
Xen versions 4.4 and later are affected. Older Xen versions are unaffected.
x86 systems are not affected.
Only arm systems with less-privileged device driver domains can expose this
There is no mitigation. Not using driver domains reclassifies the problem,
but does not fix it.
NOTE REGARDING LACK OF EMBARGO
The crash was discussed publicly on xen-devel, before it was appreciated
that there was a security problem.
This issue was discovered by Aaron Cornelius of DornerWorks.
Applying the appropriate attached patch resolves this issue.
xsa181.patch xen-unstable, Xen 4.6.x, 4.5.x
xsa181-4.4.patch Xen 4.4.x
$ sha256sum xsa181*
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----
Xenproject.org Security Team