From: Xen.org security team <security@xen.org>
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
xen-users@lists.xen.org, oss-security@lists.openwall.com
Cc: "Xen.org security team" <security@xen.org>
Subject: Xen Security Advisory 30 (CVE-2012-5514) - Broken error handling in guest_physmap_mark_populate_on_demand()
Date: Mon, 03 Dec 2012 17:51:46 +0000
Message-ID: <E1TfaBG-000688-Od@xenbits.xen.org>
Xen Security Advisory CVE-2012-5514 / XSA-30
version 4
Broken error handling in guest_physmap_mark_populate_on_demand()
UPDATES IN VERSION 4
====================
Public release.
ISSUE DESCRIPTION
=================
guest_physmap_mark_populate_on_demand(), before carrying out its actual
operation, checks that the subject GFNs are not in use. If that check fails,
the code prints a message and bypasses the gfn_unlock() matching the
gfn_lock() carried out before entering the loop.
Further, the function is reachable by guests acting on their own
behalf. While we believe that this does not cause any further issues,
we have not conducted a thorough enough review to be sure; it should
instead be exposed only to privileged domains.
IMPACT
======
A malicious guest administrator can cause Xen to hang.
VULNERABLE SYSTEMS
==================
All Xen versions from 3.4 onwards are vulnerable.
The vulnerability is only exposed by HVM guests.
MITIGATION
==========
Running only PV guests will avoid this vulnerability.
RESOLUTION
==========
Applying the appropriate attached patch resolves this issue.
xsa30-4.1.patch Xen 4.1.x
xsa30-4.2.patch Xen 4.2.x
xsa30-unstable.patch xen-unstable
$ sha256sum xsa30*.patch
586adda04271e91e42f42bb53636e2aa6fc7379e2c2c4b825e7ec6e34350669e xsa30-4.1.patch
c410bffb90a551be30fde5ec4593c361b69e9c261878255fdb4f8447e7177418 xsa30-4.2.patch
2270eed8b89e4e28c4c79e5a284203632a7189474d6f0a6152d6cf56b287497b xsa30-unstable.patch
$
[-- Attachment #2: xsa30-4.1.patch --]
[-- Type: application/octet-stream, Size: 1866 bytes --]
xen: fix error handling of guest_physmap_mark_populate_on_demand()
The only user of the "out" label bypasses a necessary unlock, thus
enabling the caller to lock up Xen.
Also, the function was never meant to be called by a guest for itself,
so rather than inspecting the code paths in depth for potential other
problems this might cause, and adjusting e.g. the non-guest printk()
in the above error path, just disallow the guest access to it.
Finally, the printk() (considering its potential of spamming the log,
the more that it's not using XENLOG_GUEST), is being converted to
P2M_DEBUG(), as debugging is what it apparently was added for in the
first place.
This is XSA-30 / CVE-2012-5514.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: George Dunlap <george.dunlap@eu.citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
diff -r 5639047d6c9f xen/arch/x86/mm/p2m.c
--- a/xen/arch/x86/mm/p2m.c Mon Nov 19 09:43:48 2012 +0100
+++ b/xen/arch/x86/mm/p2m.c Thu Nov 22 17:07:37 2012 +0000
@@ -2412,6 +2412,9 @@ guest_physmap_mark_populate_on_demand(st
mfn_t omfn;
int rc = 0;
+ if ( !IS_PRIV_FOR(current->domain, d) )
+ return -EPERM;
+
if ( !paging_mode_translate(d) )
return -EINVAL;
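Review bot: the commit message should state that a guest invoking this on its own behalf now gets -EPERM instead of proceeding, since the new `IS_PRIV_FOR(current->domain, d)` check rejects that case before anything else runs. Placing it ahead of `paging_mode_translate(d)` is the right order, as privilege should be settled before any check that depends on the target domain's mode, and returning here is safe because no lock has been taken yet.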
@@ -2430,8 +2433,7 @@ guest_physmap_mark_populate_on_demand(st
omfn = gfn_to_mfn_query(p2m, gfn + i, &ot);
if ( p2m_is_ram(ot) )
{
- printk("%s: gfn_to_mfn returned type %d!\n",
- __func__, ot);
+ P2M_DEBUG("gfn_to_mfn returned type %d!\n", ot);
rc = -EBUSY;
goto out;
}
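Review bot: this hunk keeps `goto out` on the -EBUSY path and is therefore only correct together with the hunk that moves the `out:` label; the two must not be separated when backporting. Downgrading the printk() to P2M_DEBUG() means the busy-GFN condition no longer shows up in the normal log, so callers have to rely on the -EBUSY return value, which is acceptable now that only privileged callers reach this point.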
@@ -2453,10 +2455,10 @@ guest_physmap_mark_populate_on_demand(st
BUG_ON(p2m->pod.entry_count < 0);
}
+out:
audit_p2m(p2m, 1);
p2m_unlock(p2m);
-out:
return rc;
}
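Review bot: moving `out:` above `audit_p2m(p2m, 1)` and `p2m_unlock(p2m)` is the actual fix, and it relies on every `goto out` being issued with the lock held; the pre-lock failures in the first hunk use `return`, not `goto`, so no unlock without a matching lock is introduced. A side effect is that audit_p2m() now also runs on the -EBUSY path; that is harmless but deserves a line in the commit message.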
[-- Attachment #3: xsa30-4.2.patch --]
[-- Type: application/octet-stream, Size: 1858 bytes --]
xen: fix error handling of guest_physmap_mark_populate_on_demand()
The only user of the "out" label bypasses a necessary unlock, thus
enabling the caller to lock up Xen.
Also, the function was never meant to be called by a guest for itself,
so rather than inspecting the code paths in depth for potential other
problems this might cause, and adjusting e.g. the non-guest printk()
in the above error path, just disallow the guest access to it.
Finally, the printk() (considering its potential of spamming the log,
the more that it's not using XENLOG_GUEST), is being converted to
P2M_DEBUG(), as debugging is what it apparently was added for in the
first place.
This is XSA-30 / CVE-2012-5514.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: George Dunlap <george.dunlap@eu.citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
diff -r 7c4d806b3753 xen/arch/x86/mm/p2m-pod.c
--- a/xen/arch/x86/mm/p2m-pod.c Fri Nov 16 15:56:14 2012 +0000
+++ b/xen/arch/x86/mm/p2m-pod.c Thu Nov 22 17:02:32 2012 +0000
@@ -1117,6 +1117,9 @@ guest_physmap_mark_populate_on_demand(st
mfn_t omfn;
int rc = 0;
+ if ( !IS_PRIV_FOR(current->domain, d) )
+ return -EPERM;
+
if ( !paging_mode_translate(d) )
return -EINVAL;
@@ -1135,8 +1138,7 @@ guest_physmap_mark_populate_on_demand(st
omfn = p2m->get_entry(p2m, gfn + i, &ot, &a, 0, NULL);
if ( p2m_is_ram(ot) )
{
- printk("%s: gfn_to_mfn returned type %d!\n",
- __func__, ot);
+ P2M_DEBUG("gfn_to_mfn returned type %d!\n", ot);
rc = -EBUSY;
goto out;
}
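Review bot: the message text still says `gfn_to_mfn returned type` although the lookup on the line above is `p2m->get_entry(...)`; since the line is being rewritten anyway, naming get_entry (or just reporting the GFN and type) would keep the debug trace consistent with the code.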
@@ -1160,9 +1162,9 @@ guest_physmap_mark_populate_on_demand(st
pod_unlock(p2m);
}
+out:
gfn_unlock(p2m, gfn, order);
-out:
return rc;
}
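Review bot: the new `out:` sits between `pod_unlock(p2m)` and `gfn_unlock(p2m, gfn, order)`, so the -EBUSY `goto out` in the earlier hunk must be reachable only while the gfn lock, and not the pod lock, is held; please confirm that the pod_lock()/pod_unlock() region shown in the context does not enclose that jump, otherwise the error path would now leak the pod lock instead of the gfn lock.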
[-- Attachment #4: xsa30-unstable.patch --]
[-- Type: application/octet-stream, Size: 1749 bytes --]
xen: fix error handling of guest_physmap_mark_populate_on_demand()
The only user of the "out" label bypasses a necessary unlock, thus
enabling the caller to lock up Xen.
Also, the function was never meant to be called by a guest for itself,
so rather than inspecting the code paths in depth for potential other
problems this might cause, and adjusting e.g. the non-guest printk()
in the above error path, just disallow the guest access to it.
Finally, the printk() (considering its potential of spamming the log,
the more that it's not using XENLOG_GUEST), is being converted to
P2M_DEBUG(), as debugging is what it apparently was added for in the
first place.
This is XSA-30 / CVE-2012-5514.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: George Dunlap <george.dunlap@eu.citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
--- a/xen/arch/x86/mm/p2m-pod.c
+++ b/xen/arch/x86/mm/p2m-pod.c
@@ -1117,6 +1117,9 @@ guest_physmap_mark_populate_on_demand(st
mfn_t omfn;
int rc = 0;
+ if ( !IS_PRIV_FOR(current->domain, d) )
+ return -EPERM;
+
if ( !paging_mode_translate(d) )
return -EINVAL;
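Review bot: unlike the 4.1 and 4.2 patches this one carries no `diff -r <changeset>` header, only the `---`/`+++` file lines, so it cannot be matched to the base revision it was generated against; adding the changeset id would help anyone applying it to a tree other than the current unstable tip. The privilege check itself is identical to the other two patches and is correctly placed before any lock is taken.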
@@ -1131,8 +1134,7 @@ guest_physmap_mark_populate_on_demand(st
omfn = p2m->get_entry(p2m, gfn + i, &ot, &a, 0, NULL);
if ( p2m_is_ram(ot) )
{
- printk("%s: gfn_to_mfn returned type %d!\n",
- __func__, ot);
+ P2M_DEBUG("gfn_to_mfn returned type %d!\n", ot);
rc = -EBUSY;
goto out;
}
@@ -1156,9 +1158,9 @@ guest_physmap_mark_populate_on_demand(st
pod_unlock(p2m);
}
+out:
gfn_unlock(p2m, gfn, order);
-out:
return rc;
}