Xen Security Advisory CVE-2013-2212 / XSA-60
                              version 6

Excessive time to disable caching with HVM guests with PCI passthrough

UPDATES IN VERSION 6
====================

Since the issue of this advisory, various fixes have been applied to the
public Xen trees.

ISSUE DESCRIPTION
=================

HVM guests are able to manipulate their physical address space such that
processing a subsequent request by that guest to disable caches takes an
extended amount of time changing the cachability of the memory pages
assigned to this guest. This applies only when the guest has been granted
access to some memory mapped I/O region (typically by way of assigning a
passthrough PCI device).

This can cause the CPU which processes the request to become unavailable,
possibly causing the hypervisor or a guest kernel (including the domain 0
one) to halt itself ("panic").

IMPACT
======

A malicious domain, given access to a device with memory mapped I/O
regions, can cause the host to become unresponsive for a period of time,
potentially leading to a DoS affecting the whole system.

VULNERABLE SYSTEMS
==================

Xen version 3.3 onwards is vulnerable.

Only systems using the Intel variant of Hardware Assisted Paging (aka EPT)
are vulnerable.

MITIGATION
==========

This issue can be avoided by not assigning PCI devices to untrusted
guests, or by running HVM guests with shadow mode paging (through adding
"hap=0" to the domain configuration file).

CREDITS
=======

Zhenzhong Duan found the issue as a bug, which on examination by the
Xenproject.org Security Team turned out to be a security problem.

RESOLUTION
==========

This issue has been fixed in the public xen.git trees.
For xen-unstable (#staging, #master), in these git commits:

c13b0d65ddedd745 VMX: disable EPT when !cpu_has_vmx_pat
1c84d046735102e0 VMX: remove the problematic set_uc_mode logic
62652c00efa55fb4 VMX: fix cr0.cd handling
86d60e855fe118df VMX: flush cache when vmentry back to UC guest
f1c9658d6802c433 Revert "VMX: flush cache when vmentry back to UC guest"

(Earliest commit is listed first. Note that f1c9658d reverts not only
86d60e85 but also part of 62652c00.)

For Xen 4.2 (#staging-4.2, #stable-4.2):

f1e0df14412c VMX: disable EPT when !cpu_has_vmx_pat
644e6c5c7106 VMX: remove the problematic set_uc_mode logic
0fffcffeb594 VMX: fix cr0.cd handling
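As an added example (not part of the advisory or of the Xen project), the following script audits xl domain configuration files for the exposed combination described under VULNERABLE SYSTEMS and MITIGATION: an HVM guest (the "builder" or "type" key) with a PCI device assigned and HAP not disabled with "hap=0". The sample configurations are constructed; the script does not check whether the host is an Intel/EPT system, so on non-EPT hosts its findings are informational only.

```python
import re

# Constructed sample xl domain configurations (not from the advisory):
# a HAP-enabled HVM guest with a passthrough PCI device, the same guest
# with the advisory's "hap=0" mitigation applied, and a PV guest.
SAMPLE_CONFIGS = {
    "hvm-gpu": """
builder = "hvm"
name = "hvm-gpu"
memory = 2048
pci = [ '01:00.0', '01:00.1' ]   # passthrough device => MMIO regions
""",
    "hvm-gpu-shadow": """
builder = "hvm"
name = "hvm-gpu-shadow"
hap = 0                          # XSA-60 mitigation: shadow paging
pci = [ '01:00.0' ]
""",
    "pv-web": """
name = "pv-web"
kernel = "/boot/vmlinuz"
""",
}

_ASSIGN = re.compile(r"^\s*(\w+)\s*=\s*(.+?)\s*$")

def parse_config(text):
    """Parse 'key = value' lines of an xl config into a dict, dropping '#' comments."""
    cfg = {}
    for line in text.splitlines():
        m = _ASSIGN.match(line.split("#", 1)[0])
        if m:
            cfg[m.group(1)] = m.group(2).strip().strip("'\"")
    return cfg

def xsa60_exposed(cfg):
    """True if the guest matches the advisory's exposed configuration: HVM,
    at least one PCI BDF assigned, and HAP not explicitly set to 0."""
    is_hvm = cfg.get("builder", cfg.get("type", "")).lower() == "hvm"
    has_pci = re.search(r"[0-9a-fA-F]{2}:[0-9a-fA-F]{2}\.[0-7]", cfg.get("pci", "")) is not None
    hap_on = cfg.get("hap", "1") not in ("0", "false", "False")  # HAP defaults on
    return is_hvm and has_pci and hap_on

def audit(configs):
    """Return names of guests that still need hap=0 or a patched Xen."""
    return sorted(n for n, t in configs.items() if xsa60_exposed(parse_config(t)))
```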