Bug 840593 (CVE-2013-4356) - VUL-0: CVE-2013-4356: XSA-64: xen: Memory accessible by 64-bit PV guests under live migration
Status: RESOLVED FIXED
Alias: CVE-2013-4356
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
Reported: 2013-09-16 14:24 UTC by Alexander Bergmann
Modified: 2013-11-27 21:34 UTC

Comment 2 Swamp Workflow Management 2013-09-16 22:00:39 UTC
bugbot adjusting priority
Comment 4 Marcus Meissner 2013-10-01 07:36:28 UTC
is public now

              Xen Security Advisory CVE-2013-4356 / XSA-64
                             version 3

      Memory accessible by 64-bit PV guests under live migration

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

On some hardware, during live migration of 64-bit PV guests, some
parts of the guest's shadow pagetables are mistakenly filled in with
hypervisor mappings.  This causes Xen to crash when those mappings are
later cleared.  Before the crash, a malicious guest could use
hypercalls to cause Xen to read and write the parts of memory pointed
to by the stray mappings.

IMPACT
======

A malicious 64-bit PV guest, on a vulnerable host system, that can
arrange for itself to be live-migrated, could read or write memory at
high physical addresses on the host.

Note that once such a guest begins live migration the host is likely
to eventually crash, either when the live migration completes or on an
earlier page fault.  This crash could be avoided if the malicious
guest uses its improperly escalated privilege to prevent it.

VULNERABLE SYSTEMS
==================

Xen 4.3.x and xen-unstable are vulnerable.
Xen 4.2.x and earlier releases are not vulnerable.

In addition, only hosts with RAM extending past 5TB are affected.

On any host that is affected (and has not yet been successfully
attacked), live migration of a 64-bit PV guest will deterministically
crash the host.  If you can migrate a 64-bit PV guest from host A
to host B, without crashing host A, then host A is not affected by
this bug.

MITIGATION
==========

Running only HVM and 32-bit PV guests or preventing live migration of
64-bit PV guests will avoid this issue.

CREDITS
=======

Andrew Cooper found the issue as a bug, which on examination by the
Xenproject.org Security Team turned out to be a security problem.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa64.patch        xen-unstable, xen-4.3

$ sha256sum xsa64.patch
061396916de992c43b8637909d315581589e5fc28f238aca6822947b45445a47  xsa64.patch
$
Comment 6 Marcus Meissner 2013-11-27 21:34:42 UTC
only affects 13.1 and factory.

verified it was already fixed in shipping 13.1