Information

AdvisoryXSA-354
Public release 2020-12-15 12:00
Updated 2020-12-15 12:19
Version 4
CVE(s) CVE-2020-29487
Title XAPI: guest-triggered excessive memory usage

Files

advisory-354.txt (signed advisory file)
xsa354-1-ls_lR-factor-out-dir-concatenation.patch
xsa354-2-ls_lR-refactor-use-fold.patch
xsa354-3-ls_lR-separate-recursion-into-separate-funct.patch
xsa354-4-ls_lR-add-quota.patch
xsa354-5-ls_lR-limit-depth.patch
xsa354-6-exclude-attr-os-hotfixes-from-ls_lR.patch
xsa354-7-read-important-xenstore-entries-first.patch
xsa354-8-refactor-attr-os-hotfixes-exclusion.patch

Advisory


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2020-29487 / XSA-354
                               version 4

             XAPI: guest-triggered excessive memory usage

UPDATES IN VERSION 4
====================

Public release.

ISSUE DESCRIPTION
=================

Certain xenstore keys provide feedback from the guest, and are therefore
watched by toolstack.  Specifically, keys are watched by xenopsd, and
data are forward via RPC through message-switch to xapi.

The watching logic in xenopsd sends one RPC update containing all data,
any time any single xenstore key is updated, and therefore has O(N^2)
time complexity.  Furthermore, message-switch retains recent (currently
128) RPC messages for diagnostic purposes, yielding O(M*N) space
complexity.

The quantity of memory a single guest can monopolise is bounded by
xenstored quota, but the quota is fairly large.  It is believed to be in
excess of 1G per malicious guest.

In practice this manifests as a host denial of service, either through
message-switch thrashing against swap, or OOM'ing entirely, depending on
dom0's configuration.

This series introduces quotas in xenopsd to limit the quantity of keys
which result in RPC traffic.

IMPACT
======

A buggy or malicious guest can cause unreasonable memory usage in dom0,
resulting in a host denial of service.

VULNERABLE SYSTEMS
==================

All versions of XAPI are vulnerable.

Systems which are not using the XAPI toolstack are not vulnerable.

MITIGATION
==========

There are no mitigations available.

CREDITS
=======

This issue was discovered by Edwin Török of Citrix.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa354-*.patch         xenopsd master

$ sha256sum xsa354*
66d29c38ce4fa6c77a4853a0f0345f3bf1fcbe11703090e1dbfa83257564de42  xsa354-1-ls_lR-factor-out-dir-concatenation.patch
0686465119b4442d839d59c66c41d02ce6b4cfa9c82234e0aefcaffbb7985ee4  xsa354-2-ls_lR-refactor-use-fold.patch
fb60812f1230526f9c3be77d4f0c8c08903b21aa5c449056dc16b1181720b3cb  xsa354-3-ls_lR-separate-recursion-into-separate-funct.patch
41f221007abd89c8d24dacb7b0ff96109427c1c84eae75b7245bb287a0938d81  xsa354-4-ls_lR-add-quota.patch
fcd4abddf18bc5b875ec28213f3138f1de395e91076b5b1a828353bc8b19d8ed  xsa354-5-ls_lR-limit-depth.patch
1ff82640a446407492904b50b05fc903a70d570620cd20a21493c9240b38f8be  xsa354-6-exclude-attr-os-hotfixes-from-ls_lR.patch
b1b2f96b93d41201ddfdb093660f06f8bce5461a715cfeb7110f0194b74c93cb  xsa354-7-read-important-xenstore-entries-first.patch
6908e957c299fe57dcd5c5c93162d135326221f1e66ac4b43b771ebd63bae35d  xsa354-8-refactor-attr-os-hotfixes-exclusion.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAl/YqeAMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZA0MIAK9VhZjA0/adgq4TY2DXFjIZKg6Q9ZE9cBZcgv4l
XhGpAwxeYKU76KFEf1si3KCGV7xzHG0tnwkEgfpeldnGCwsgSkJPRNFvgA/7iuW0
3hCAdRioSU9Rm3h2gQdIDBAppvD0NhkkjQU/XcrB7qeOjfYrdvH5gS+NSRN/z50V
g02kUrWypShC0+lvgkJ0zXfl0CAQSs27BMd2vlj5BuOP573IrbJh6NHuRMF9Dm9J
48ny910Ctws5FSbe25ZgZHERZnwDnwe/oGP1ws12wZbU8ToP5t7tHnSQGNgwXPWT
Xpoecr5Iqek2CUHPEd8KKKS4B5frJHq+Xp8CAfnX8KT8VH8=
=y19v
-----END PGP SIGNATURE-----


Xenproject.org Security Team