Bugzilla – Bug 831120
VUL-0: CVE-2013-2212: xen: XSA-60: Excessive time to disable caching with HVM guests with PCI passthrough
Last modified: 2015-02-19 01:31:52 UTC
is public, via xen advisory

http://comments.gmane.org/gmane.comp.security.oss.general/10690

Xen Security Advisory CVE-2013-2212 / XSA-60
version 4

Excessive time to disable caching with HVM guests with PCI passthrough

UPDATES IN VERSION 4
====================

Public release.

ISSUE DESCRIPTION
=================

HVM guests are able to manipulate their physical address space such that processing a subsequent request by that guest to disable caches takes an extended amount of time changing the cachability of the memory pages assigned to this guest. This applies only when the guest has been granted access to some memory mapped I/O region (typically by way of assigning a passthrough PCI device).

This can cause the CPU which processes the request to become unavailable, possibly causing the hypervisor or a guest kernel (including the domain 0 one) to halt itself ("panic").

For reference, as long as no patch implementing an approved alternative solution is available (there's only a draft violating certain requirements set by Intel's documentation), the problematic code is the function vmx_set_uc_mode() (in that it calls ept_change_entry_emt_with_range() with the full guest GFN range, which the guest has control over, but which also would be a problem with sufficiently large but not malicious guests).

IMPACT
======

A malicious domain, given access to a device with memory mapped I/O regions, can cause the host to become unresponsive for a period of time, potentially leading to a DoS affecting the whole system.

VULNERABLE SYSTEMS
==================

Xen version 3.3 onwards is vulnerable.

Only systems using the Intel variant of Hardware Assisted Paging (aka EPT) are vulnerable.

MITIGATION
==========

This issue can be avoided by not assigning PCI devices to untrusted guests, or by running HVM guests with shadow mode paging (through adding "hap=0" to the domain configuration file).

CREDITS
=======

Konrad Wilk found the issue as a bug, which on examination by the Xenproject.org Security Team turned out to be a security problem.

RESOLUTION
==========

There is currently no resolution to this issue.
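Added example, not part of the advisory or of this bug report: a Python check that applies the MITIGATION section to domain configuration files, flagging HVM guests that have `pci` passthrough devices while "hap=0" is not set. The sample configurations, their file names and the `parse_cfg`/`audit` helpers are constructed for illustration; the check assumes xl-style `key = value` files, looks only at `pci` entries, and cannot tell whether the host actually uses Intel EPT.

```python
import re

# Constructed sample domain configuration files (xl "key = value" syntax).
SAMPLES = {
    "hvm-passthrough.cfg": """
name = "build-agent"
builder = "hvm"
pci = [ '0000:03:00.0' ]
""",
    "hvm-shadow.cfg": """
name = "tenant-a"
builder = "hvm"
hap = 0          # shadow paging, the advisory's mitigation
pci = [ '0000:04:00.0',
        '0000:04:00.1' ]
""",
    "pv-passthrough.cfg": """
name = "pv-guest"
kernel = "/boot/vmlinuz-guest"
pci = [ '0000:05:00.0' ]
""",
    "hvm-no-pci.cfg": """
name = "web"
builder = "hvm"
""",
}

ASSIGN = re.compile(r"^[ \t]*(\w+)[ \t]*=[ \t]*(\[.*?\]|[^\n]*)", re.S | re.M)

def parse_cfg(text):
    """Map each top-level key to its raw value; list values may span lines."""
    text = re.sub(r"#.*", "", text)  # naive comment strip; assumes no '#' in values
    return {m.group(1): m.group(2).strip() for m in ASSIGN.finditer(text)}

def audit(text):
    """Flag an HVM guest with passthrough PCI devices and HAP left enabled."""
    cfg = parse_cfg(text)
    scalar = lambda key, default="": cfg.get(key, default).strip("'\"")
    is_hvm = "hvm" in (scalar("builder"), scalar("type"))
    devices = re.findall(r"['\"]([^'\"]+)['\"]", cfg.get("pci", ""))
    hap_on = scalar("hap", "1") != "0"  # hap defaults to on when unset
    return {"hvm": is_hvm, "pci": devices, "hap": hap_on,
            "exposed": is_hvm and bool(devices) and hap_on}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        r = audit(text)
        print(f"{name}: {'REVIEW' if r['exposed'] else 'ok'} (pci={r['pci']}, hap={r['hap']})")
```

A guest flagged REVIEW matches the configuration the advisory's mitigation addresses; whether it is untrusted remains an operator judgement.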
bugbot adjusting priority
*** Bug 826718 has been marked as a duplicate of this bug. ***
Patches to address this have been available for a while, and got backported to all active SLE11 code branches.
The XSA was updated:

http://xenbits.xenproject.org/xsa/advisory-60.html

UPDATES IN VERSION 6
====================

Since the issue of this advisory, various fixes have been applied to the public Xen trees.

Xen package submitted for this bug with the following requests:
SUSE:SLE-11-SP3:Update:Test: SR#33408
SUSE:SLE-11-SP2:Update:Test: SR#33409
SUSE:SLE-11-SP1:Update:Teradata:Test: SR#33410
openSUSE:13.1:Update: MR#223835
openSUSE:12.3:Update: MR#223847
The SWAMPID for this issue is 56439. This issue was rated as moderate. Please submit fixed packages until 2014-03-12. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
Update released for: xen, xen-debuginfo, xen-debugsource, xen-devel, xen-doc-html, xen-doc-pdf, xen-kmp-debug, xen-kmp-default, xen-kmp-pae, xen-kmp-trace, xen-kmp-vmi, xen-libs, xen-libs-32bit, xen-libs-x86, xen-tools, xen-tools-domU
Products:
SLE-DEBUGINFO 11-SP2 (i386, x86_64)
SLE-SERVER 11-SP2-LTSS (i386, x86_64)

Update released for: xen, xen-debuginfo, xen-debugsource, xen-devel, xen-doc-html, xen-doc-pdf, xen-kmp-debug, xen-kmp-default, xen-kmp-pae, xen-kmp-trace, xen-kmp-vmi, xen-libs, xen-libs-32bit, xen-libs-x86, xen-tools, xen-tools-domU
Products:
SLE-DEBUGINFO 11-SP3 (i386, x86_64)
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SDK 11-SP3 (i386, x86_64)
SLE-SERVER 11-SP3 (i386, x86_64)

SUSE-SU-2014:0372-1: An update that solves 10 vulnerabilities and has one errata is now available.
Category: security (important)
Bug References: 831120,833483,842417,846849,848014,849667,849668,853049,860163,860302,861256
CVE References: CVE-2013-2212,CVE-2013-4553,CVE-2013-4554,CVE-2013-6885,CVE-2014-1666,CVE-2014-1891,CVE-2014-1892,CVE-2014-1893,CVE-2014-1894,CVE-2014-1950
Sources used:
SUSE Linux Enterprise Server 11 SP2 LTSS (src): xen-4.1.6_06-0.5.1

SUSE-SU-2014:0373-1: An update that solves 12 vulnerabilities and has one errata is now available.
Category: security (important)
Bug References: 831120,833251,848014,853048,853049,858311,860092,860163,860165,860300,860302,861256,863297
CVE References: CVE-2013-2212,CVE-2013-6400,CVE-2013-6885,CVE-2014-1642,CVE-2014-1666,CVE-2014-1891,CVE-2014-1892,CVE-2014-1893,CVE-2014-1894,CVE-2014-1895,CVE-2014-1896,CVE-2014-1950
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src): xen-4.2.4_02-0.7.1
SUSE Linux Enterprise Server 11 SP3 (src): xen-4.2.4_02-0.7.1
SUSE Linux Enterprise Desktop 11 SP3 (src): xen-4.2.4_02-0.7.1
released then
Update released for: xen, xen-debuginfo, xen-debugsource, xen-devel, xen-doc-html, xen-doc-pdf, xen-kmp-debug, xen-kmp-default, xen-kmp-pae, xen-kmp-trace, xen-libs, xen-tools, xen-tools-domU
Products:
SLE-DEBUGINFO 11-SP1-TERADATA (x86_64)
SLE-SERVER 11-SP1-TERADATA (x86_64)

Update released for: xen, xen-debuginfo, xen-debugsource, xen-devel, xen-doc-html, xen-doc-pdf, xen-kmp-debug, xen-kmp-default, xen-kmp-pae, xen-kmp-trace, xen-kmp-vmi, xen-libs, xen-libs-32bit, xen-tools, xen-tools-domU
Products:
SLE-DEBUGINFO 11-SP1 (i386, x86_64)
SLE-SERVER 11-SP1-LTSS (i386, x86_64)

SUSE-SU-2014:0446-1: An update that fixes 47 vulnerabilities is now available.
Category: security (important)
Bug References: 777628,777890,779212,786516,786517,786519,786520,787163,789944,789945,789948,789950,789951,794316,797031,797523,800275,805094,813673,813675,813677,816156,816159,816163,819416,820917,820919,823011,823608,826882,831120,839596,839618,840592,841766,842511,848657,849667,849668,853049,860163
CVE References: CVE-2006-1056,CVE-2007-0998,CVE-2012-3497,CVE-2012-4411,CVE-2012-4535,CVE-2012-4537,CVE-2012-4538,CVE-2012-4539,CVE-2012-4544,CVE-2012-5510,CVE-2012-5511,CVE-2012-5513,CVE-2012-5514,CVE-2012-5515,CVE-2012-5634,CVE-2012-6075,CVE-2012-6333,CVE-2013-0153,CVE-2013-0154,CVE-2013-1432,CVE-2013-1442,CVE-2013-1917,CVE-2013-1918,CVE-2013-1919,CVE-2013-1920,CVE-2013-1952,CVE-2013-1964,CVE-2013-2072,CVE-2013-2076,CVE-2013-2077,CVE-2013-2194,CVE-2013-2195,CVE-2013-2196,CVE-2013-2211,CVE-2013-2212,CVE-2013-4329,CVE-2013-4355,CVE-2013-4361,CVE-2013-4368,CVE-2013-4494,CVE-2013-4553,CVE-2013-4554,CVE-2013-6885,CVE-2014-1891,CVE-2014-1892,CVE-2014-1893,CVE-2014-1894
Sources used:
SUSE Linux Enterprise Server 11 SP1 LTSS (src): xen-4.0.3_21548_16-0.5.1

openSUSE-SU-2014:0482-1: An update that fixes 5 vulnerabilities is now available.
Category: security (moderate)
Bug References: 831120,853048,853049
CVE References: CVE-2013-2212,CVE-2013-4553,CVE-2013-4554,CVE-2013-6400,CVE-2013-6885
Sources used:
openSUSE 13.1 (src): xen-4.3.2_01-12.1

openSUSE-SU-2014:0483-1: An update that solves 16 vulnerabilities and has 5 fixes is now available.
Category: security (moderate)
Bug References: 831120,833251,833483,840997,842417,846849,848014,848657,849665,849667,849668,853048,853049,858311,858496,860163,860165,860300,860302,861256,863297
CVE References: CVE-2013-2212,CVE-2013-4494,CVE-2013-4551,CVE-2013-4553,CVE-2013-4554,CVE-2013-6400,CVE-2013-6885,CVE-2014-1642,CVE-2014-1666,CVE-2014-1891,CVE-2014-1892,CVE-2014-1893,CVE-2014-1894,CVE-2014-1895,CVE-2014-1896,CVE-2014-1950
Sources used:
openSUSE 12.3 (src): xen-4.2.4_02-1.26.2