Information

Advisory XSA-34
Public release 2013-01-22 11:49
Updated 2013-01-22 11:49
Version 2
CVE(s) CVE-2013-0151
Title nested virtualization on 32-bit exposes host crash

Files

advisory-34.txt (signed advisory file)
xsa34-4.2.patch

Advisory


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

	     Xen Security Advisory CVE-2013-0151 / XSA-34
                            version 2

	   nested virtualization on 32-bit exposes host crash

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

When performing nested virtualisation Xen would incorrectly map guest
pages for extended periods using an interface which is only intended
for transient mappings. In some configurations there are a limited
number of slots available for these transient mappings and exhausting
them leads to a host crash and therefore a Denial of Service attack.

IMPACT
======

A malicious guest administrator can, by enabling nested virtualisation
from within the guest, trigger the issue.

Their ability to do this will depend on the number of VCPUs the domain
is configured with. Domains with smaller numbers of VCPUs (e.g. less
than 16) are not able to create sufficient mappings via this method to
trigger the issue.

VULNERABLE SYSTEMS
==================

32 bit hypervisors running HVM guests on either Intel or AMD are
vulnerable.

Only Xen version 4.2.x is vulnerable.

Nested virtualisation was introduced as an experimental feature in Xen
4.2 and therefore versions of Xen prior to that are not vulnerable.

The 32 bit hypervisor has been removed in Xen unstable and therefore
is not vulnerable.

MITIGATION
==========

Running a 64 bit hypervisor or avoiding running HVM guests with
untrusted administrators can avoid the issue.

We strongly recommend running a 64 bit hypervisor on any processor
which supports it. Note that this does not require running a 64 bit
domain 0.

Ensuring that HVM guests with untrusted administrators do not have
more than 16 VCPUs will also avoid the issue.

RESOLUTION
==========

The attached patch avoids this issue by disabling nested HVM support
when running a 32-bit hypervisor.

xsa34-4.2.patch             Xen 4.2.x

$ sha256sum xsa34*.patch
ef75cdcf934003aaced57698a2441c4ba058b968956925eec2d5a100a28db0ae  xsa34-4.2.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJQ/ny6AAoJEIP+FMlX6CvZU20IAKVSD/ymPr/xXxVa+QHCPCeQ
MceHY8JE7mRsy1+houbsmQyzq4ASgdrxN70E3QIxUDKXJjJsUEs/0Ju5hhbgZltp
OazXgg+qICgjqjEklRZOCs9iymepjjDYXWhwUccUleTO/2E9/j8znLQGoUqitHrk
APycEQ26+YbmWQAUTuvXcL5ST7oByPH8Ax0bjOnMWpQFY8G2ZBbgczmw3uMnHMRN
NVE8akGv45ey5qEraL+Qe3S5cauVdVPxPodavlDIV0628em9+gFbG4+P5Sgn5TeY
Kv3u8LjWDWRtZEVcHGRUkIYrlgeWD2TGFkqdGCTd7vf3lKMAopNjIGrH80kNmrc=
=gW3M
-----END PGP SIGNATURE-----
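
The failure mode described in the ISSUE DESCRIPTION and IMPACT sections above, as an added example placed after the signed text so the advisory itself is left intact. This is constructed illustration code, not Xen source: the cache layout, the slot count, the function names and the per-VCPU mapping pattern are all assumptions. It shows why holding a transient mapping for the lifetime of a nested-virt session exhausts a fixed slot pool once enough VCPUs do it, why map/act/unmap within one operation does not, and what the shipped fix does (refuse nested HVM on a 32-bit hypervisor before any mapping is made).

```c
/*
 * Toy model of transient-mapping slot exhaustion (XSA-34 bug class).
 * Constructed example, not Xen code: names, slot counts and the
 * per-VCPU mapping pattern are assumptions made for illustration.
 */
#include <stdbool.h>
#include <string.h>

#define MAX_SLOTS 64   /* upper bound for the model only */

typedef struct {
    unsigned long mfn[MAX_SLOTS]; /* frame held by each slot, 0 = free */
    unsigned int nr_slots;        /* configured slot count (assumed) */
    unsigned int in_use;
} map_cache_t;

void map_cache_init(map_cache_t *c, unsigned int nr_slots)
{
    memset(c, 0, sizeof *c);
    c->nr_slots = nr_slots > MAX_SLOTS ? MAX_SLOTS : nr_slots;
}

/* Transient interface: callers are expected to unmap before returning
 * to the guest. Returns a slot index, or -1 when every slot is taken. */
int map_transient(map_cache_t *c, unsigned long mfn)
{
    for (unsigned int i = 0; i < c->nr_slots; i++) {
        if (c->mfn[i] == 0) {
            c->mfn[i] = mfn;
            c->in_use++;
            return (int)i;
        }
    }
    return -1;
}

void unmap_transient(map_cache_t *c, int slot)
{
    if (slot >= 0 && (unsigned int)slot < c->nr_slots && c->mfn[slot] != 0) {
        c->mfn[slot] = 0;
        c->in_use--;
    }
}

/* Vulnerable pattern: each VCPU that enables nested virtualisation maps
 * one guest page via the transient interface and keeps it mapped while
 * nesting stays enabled. Mappings accumulate across VCPUs; when the pool
 * is exhausted the hypervisor hits a fatal error, modelled here by
 * *host_crashed. Returns how many VCPUs obtained a slot. */
unsigned int nested_enable_leaky(map_cache_t *c, unsigned int nr_vcpus,
                                 bool *host_crashed)
{
    unsigned int mapped = 0;
    *host_crashed = false;
    for (unsigned int v = 0; v < nr_vcpus; v++) {
        /* hypothetical per-VCPU control page, offset keeps mfn non-zero */
        int slot = map_transient(c, 0x1000 + v);
        if (slot < 0) {
            *host_crashed = true; /* BUG()-style failure in the real thing */
            break;
        }
        mapped++;
    }
    return mapped;
}

/* Correct use of a transient mapping: map, act, unmap within a single
 * operation, so the VCPU count never matters. Leaves the cache empty. */
bool nested_op_scoped(map_cache_t *c, unsigned int nr_vcpus)
{
    for (unsigned int v = 0; v < nr_vcpus; v++) {
        int slot = map_transient(c, 0x1000 + v);
        if (slot < 0)
            return false;
        /* ... read or write the mapped page here ... */
        unmap_transient(c, slot);
    }
    return true;
}

/* The resolution shipped for Xen 4.2.x: nested HVM is refused outright
 * on a 32-bit hypervisor, so the leaky path is never reached there.
 * Returns -1 (no mapping made) when refused; on 64-bit it falls through
 * to the existing path, whose slot limit is not modelled here. */
int nested_enable_patched(map_cache_t *c, bool hypervisor_is_32bit,
                          unsigned int nr_vcpus, bool *host_crashed)
{
    *host_crashed = false;
    if (hypervisor_is_32bit)
        return -1; /* assumed error value; the real code reports "unsupported" */
    return (int)nested_enable_leaky(c, nr_vcpus, host_crashed);
}
```

With 16 slots in the model, eight VCPUs each hold a mapping without trouble, thirty-two exhaust the pool on the seventeenth VCPU, the scoped variant handles thirty-two VCPUs with the cache empty afterwards, and the patched entry point on a 32-bit hypervisor returns before touching the cache. The threshold in the real hypervisor depends on its configuration, which is why the advisory gives 16 VCPUs only as a guide.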


Xenproject.org Security Team