Information

Advisory XSA-330
Public release 2020-12-15 12:00
Updated 2020-12-15 12:19
Version 3
CVE(s) CVE-2020-29485
Title oxenstored memory leak in reset_watches

Files

advisory-330.txt (signed advisory file)
xsa330.meta
xsa330.patch
xsa330-4.11.patch

Advisory


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2020-29485 / XSA-330
                               version 3

                oxenstored memory leak in reset_watches

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

When acting upon a guest XS_RESET_WATCHES request, not all tracking
information is freed.

IMPACT
======

A guest can cause unbounded memory usage in oxenstored.  This can lead
to a system-wide DoS.

VULNERABLE SYSTEMS
==================

All version of Xen since 4.6 are vulnerable.

Only systems using the Ocaml Xenstored implementation are vulnerable.
Systems using the C Xenstored implementaion are not vulnerable.

MITIGATION
==========

There are no mitigations.

Changing to use of C xenstored would avoid this vulnerability.  However,
given the other vulnerabilities in both versions of xenstored being
reported at this time, changing xenstored implementation is not a
recommended approach to mitigation of individual issues.

CREDITS
=======

This issue was discovered by Edwin Török of Citrix.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa330.patch           Xen 4.12 - xen-unstable
xsa330-4.11.patch      Xen 4.10 - 4.11

$ sha256sum xsa330*
efd95a883f227d63366a745b6007aa0c59cc612573235ba72108c8f89ecef7f3  xsa330.meta
1cda4fd8c91ceb132c5770d90375626521025e078c6ac1b53b68d78815997722  xsa330.patch
87284eaf6df92a78476f49a5587e28e1f5b9ca16ace5ad2e10b4b13abf50e034  xsa330-4.11.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAl/Yqd8MHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZXCMH/i2lw6MRNCz3BFqan9PSE0pWGn1LxMpd/kSV0/eH
Y/TjXaCNcvK11d4fc1x8a0Wc3A/bu3uACpFFrcRuWgG5QkMKZRyOkQv7FwW1VaVd
u2NGJVetpfiDZhcSorAdS7CCJZEEt+3a7iFjH9cZKVEwZcS5Cq82UVog05MWLE80
pJ5Cid7K/urD1Zu/v3AGWESuaVYwdvwn6RcePVAs8b0sM2osYXBuKeMwOe1bXaBO
D5qPLEfLfOgLrXi77ssUzfmfRY6Z+LuQAhfug6Lv/n06Y9lyNXewmYalsnobGQSI
FTzWs0QVmFBMY/PEuZv3cRrihTs2ygu9HW7OLO2Bt+VKfcg=
=MqjK
-----END PGP SIGNATURE-----

Xenproject.org Security Team