-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2013-4494 / XSA-73 version 3 Lock order reversal between page allocation and grant table locks UPDATES IN VERSION 3 ==================== The issue has been assigned CVE-2013-4494. NOTE REGARDING LACK OF EMBARGO ============================== While the response to this issue was being prepared by the security team, the bug was independently discovered by a third party who publicly disclosed it without realising the security impact. ISSUE DESCRIPTION ================= The locks page_alloc_lock and grant_table.lock are not always taken in the same order. This opens the possibility of deadlock. IMPACT ====== A malicious guest administrator can deny service to the entire host. VULNERABLE SYSTEMS ================== Xen versions going back to at least Xen 3.2 are vulnerable. To exploit the vulnerability, the attacker must have control of more than one vcpu, either by controlling a malicious multi-vcpu guest, or by controlling more than one guest. MITIGATION ========== There is no practical mitigation for this issue. CREDITS ======= This issue was discovered by Coverity Scan and diagnosed by Andrew Cooper. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. xsa73-4.3-unstable.patch Xen 4.3.x, xen-unstable xsa73-4.2.patch Xen 4.2.x xsa73-4.1.patch Xen 4.1.x $ sha256sum xsa73*.patch 519eb1d2815c41d73c775324f43d1a7d75615775194bd0f6584147b45d04250b xsa73-4.1.patch 9eab1db170dc13bdd4da76bc2184399f705d124acd14b364428f012ea5c3a281 xsa73-4.2.patch 1c070e66d1bea3c109f22ea4db2e8828f0f4b016d51d6d88667b775eec340514 xsa73-4.3-unstable.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJSd53SAAoJEIP+FMlX6CvZAMgH/1JgLDhHB5A7w0iVJbHSv4ff 9oxmch/DfMFj1A+Cuhq5YU25I19ocSiqiEU4n7IuADCH4UCetH6UMXqRQ7qj/HPq RZTGxmPkBNkIVkZd9IqRZEoWy4ENDhdDOa8ViNLqXCTCra0swfeTAav+BtTanpFQ jca18Ry0o4qo9A/ZNZniAgMV1OXxZkETRm6jVc7tCNzx0daPyAo4xesUDLNJ/EcW yYv7pIRY1Ct7X5CD3carkRBm0k3PmZ0IClZf5aBWKV8PE95oOk/m8HBIPFGvBp7o cPBHt7Nra2pWDG76Vtzg0QZuV9XPwaRtPk4U4w9s9K4BpRwDza8mXCBgaRLX9aU= =RphO -----END PGP SIGNATURE-----