Public release: 2013-01-22 11:49
Updated: 2013-01-22 11:49
Title: nested virtualization on 32-bit exposes host crash
Files: advisory-34.txt (signed advisory file)
-----BEGIN PGP SIGNED MESSAGE-----
Xen Security Advisory CVE-2013-0151 / XSA-34
nested virtualization on 32-bit exposes host crash
UPDATES IN VERSION 2
When performing nested virtualisation Xen would incorrectly map guest
pages for extended periods using an interface which is only intended
for transient mappings. In some configurations there are a limited
number of slots available for these transient mappings and exhausting
them leads to a host crash and therefore a Denial of Service attack.
A malicious guest administrator can, by enabling nested virtualisation
from within the guest, trigger the issue.
Their ability to do this will depend on the number of VCPUs the domain
is configured with. Domains with smaller numbers of VCPUs (e.g. fewer
than 16) are not able to create sufficient mappings via this method to
trigger the issue.
32 bit hypervisors running HVM guests on either Intel or AMD are
Only Xen version 4.2.x is vulnerable.
Nested virtualisation was introduced as an experimental feature in Xen
4.2 and therefore versions of Xen prior to that are not vulnerable.
The 32 bit hypervisor has been removed in Xen unstable and therefore
is not vulnerable.
Running a 64 bit hypervisor or avoiding running HVM guests with
untrusted administrators can avoid the issue.
We strongly recommend running a 64 bit hypervisor on any processor
which supports it. Note that this does not require running a 64 bit
Ensuring that HVM guests with untrusted administrators do not have
more than 16 VCPUs will also avoid the issue.
The attached patch avoids this issue by disabling nested HVM support
when running a 32-bit hypervisor.
xsa34-4.2.patch Xen 4.2.x
$ sha256sum xsa34*.patch
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
-----END PGP SIGNATURE-----
Xenproject.org Security Team
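
An added example, not part of the Xen advisory or the Xen project's code: a Python check that applies the conditions the advisory states (32-bit hypervisor, Xen 4.2.x, HVM guest, more than 16 VCPUs) to xl-style guest configuration text. The function names, the sample configurations, and passing the hypervisor version and bitness in as arguments are assumptions made for illustration.

```python
import re

VCPU_LIMIT = 16  # advisory: guests with no more than 16 VCPUs avoid the issue

def parse_xl_cfg(text):
    """Collect 'key = value' pairs from xl-style guest configuration text."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        m = re.match(r"(\w+)\s*=\s*(.+)$", line)
        if m:
            cfg[m.group(1)] = m.group(2).strip().strip("\"'")
    return cfg

def host_affected(xen_version, hypervisor_bits):
    """Advisory scope: 32-bit hypervisor and Xen 4.2.x only."""
    return hypervisor_bits == 32 and bool(re.match(r"4\.2(\D|$)", xen_version))

def guest_exposed(cfg_text, xen_version, hypervisor_bits):
    """True if this guest's configuration meets the advisory's conditions."""
    if not host_affected(xen_version, hypervisor_bits):
        return False
    cfg = parse_xl_cfg(cfg_text)
    if cfg.get("builder") != "hvm":               # only HVM guests are in scope
        return False
    # A guest may be allowed to grow to maxvcpus, so take the larger value.
    vcpus = max(int(cfg.get("vcpus", 1)), int(cfg.get("maxvcpus", 0)))
    return vcpus > VCPU_LIMIT

def audit(guests, xen_version, hypervisor_bits):
    """Return the sorted names of guests that need a VCPU cap or a patched host."""
    return sorted(name for name, text in guests.items()
                  if guest_exposed(text, xen_version, hypervisor_bits))

# Constructed sample configurations (not taken from the advisory).
SAMPLE_GUESTS = {
    "web-hvm":   'builder = "hvm"\nvcpus = 4\nmemory = 2048\n',
    "batch-hvm": 'builder = "hvm"\nvcpus = 24  # large tenant VM\n',
    "grow-hvm":  'builder = "hvm"\nvcpus = 8\nmaxvcpus = 32\n',
    "pv-guest":  'kernel = "/boot/vmlinuz"\nvcpus = 32\n',
}

if __name__ == "__main__":
    print(audit(SAMPLE_GUESTS, "4.2.1", 32))
```

The check covers only guests whose administrators are untrusted; it deliberately ignores any nested-virtualisation setting in the guest configuration, because the advisory says the guest administrator enables the feature from inside the guest.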