Information

Advisory: XSA-35
Public release: 2013-01-22 11:49
Updated: 2013-01-23 18:28
Version: 4
CVE(s): CVE-2013-0152
Title: Nested HVM exposes host to being driven out of memory by guest

Files

advisory-35.txt (signed advisory file)
xsa35-4.2-with-xsa34.patch
xsa35.patch

Advisory


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

	     Xen Security Advisory CVE-2013-0152 / XSA-35
                           version 4

       Nested HVM exposes host to being driven out of memory by guest

UPDATES IN VERSION 4
====================

Fix corrupt patch xsa35-4.2-with-xsa34.patch.

ISSUE DESCRIPTION
=================

Guests are currently permitted to enable nested virtualization on
themselves. Missing error handling cleanup in the handling code makes
it possible for a guest, particularly a multi-vCPU one, to repeatedly
invoke this operation, thus causing a leak of - over time - unbounded
amounts of memory.

IMPACT
======

A malicious domain can mount a denial of service attack affecting the
whole system.

VULNERABLE SYSTEMS
==================

Only Xen 4.2 and Xen unstable are vulnerable. Xen 4.1 and earlier are
not vulnerable.

The vulnerability is only exposed by HVM guests.

MITIGATION
==========

Running only PV guests will avoid this vulnerability.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

To fix both XSA 34 and XSA 35, first apply xsa34-4.2.patch from XSA 34
and then *also* apply xsa35-4.2-with-xsa34.patch from this advisory.

To fix this issue without addressing XSA 34, use xsa35.patch.

$ sha256sum xsa35*.patch
4a103bf14dd060f702289db539a8c6c69496bdfd1de5d0c0468c3aab7b34f6a5  xsa35-4.2-with-xsa34.patch
e69b01033b0fa4c3d175697566d2f0b161337e8d206654919937f77721dbf866  xsa35.patch
$

Xenproject.org Security Team
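
The resolution steps above, as an added example that is not part of the advisory or of the Xen project's tooling: a POSIX shell script that checks a downloaded patch against the SHA-256 digests listed in the advisory and only then applies it. The function names, the directory arguments and the `-p1` strip level are assumptions.

```shell
#!/bin/sh
# Added example, not from the advisory. Digests are copied from its
# sha256sum listing; -p1 and the directory arguments are assumptions.
XSA35_SUMS='4a103bf14dd060f702289db539a8c6c69496bdfd1de5d0c0468c3aab7b34f6a5  xsa35-4.2-with-xsa34.patch
e69b01033b0fa4c3d175697566d2f0b161337e8d206654919937f77721dbf866  xsa35.patch'

# expected_sum NAME: print the advisory digest for NAME; status 1 if unlisted.
expected_sum() {
    printf '%s\n' "$XSA35_SUMS" |
        awk -v n="$1" '$2 == n { print $1; ok = 1 } END { exit !ok }'
}

# verify_patch DIR NAME: 0 = digest matches, 1 = mismatch,
# 2 = NAME not listed in the advisory, 3 = file missing.
verify_patch() {
    want=$(expected_sum "$2") || { echo "$2: not listed in XSA-35" >&2; return 2; }
    [ -f "$1/$2" ] || { echo "$1/$2: no such file" >&2; return 3; }
    got=$(sha256sum "$1/$2" | awk '{ print $1 }')
    [ "$got" = "$want" ] || { echo "$2: sha256 mismatch" >&2; return 1; }
}

# select_patch MODE: map the advisory's two cases to a patch file name.
# with-xsa34 expects xsa34-4.2.patch from XSA 34 to be applied already;
# its digest is published in that advisory, not in this one.
select_patch() {
    case "$1" in
        with-xsa34) echo xsa35-4.2-with-xsa34.patch ;;
        alone)      echo xsa35.patch ;;
        *)          echo "mode must be with-xsa34 or alone" >&2; return 64 ;;
    esac
}

# apply_xsa35 MODE PATCH_DIR SRC_TREE
apply_xsa35() {
    name=$(select_patch "$1") || return
    verify_patch "$2" "$name" || return
    file=$(cd "$2" && pwd)/$name
    # Dry run first: a patch that does not fit the tree leaves it untouched.
    (cd "$3" && patch -p1 --dry-run <"$file" >/dev/null) || return
    (cd "$3" && patch -p1 <"$file")
}

if [ "$#" -eq 3 ]; then apply_xsa35 "$@"; fi
```
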