Bug 922705 (CVE-2015-2752) - VUL-0: CVE-2015-2752: xen: XSA-125: Long latency MMIO mapping operations are not preemptible
Summary: VUL-0: CVE-2015-2752: xen: XSA-125: Long latency MMIO mapping operations are ...
Status: RESOLVED FIXED
Alias: CVE-2015-2752
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
Whiteboard: maint:running:60766:moderate maint:r...
Reported: 2015-03-17 12:16 UTC by Marcus Meissner
Modified: 2015-06-22 10:08 UTC (History)
Comment 3 Andreas Stieger 2015-03-17 16:46:54 UTC
Checked versions:
SLE 10 SP3: 3.2.3 affected.
SLE 11 SP1: 4.0.3 affected.
SLE 11 SP3: 4.2.5 affected.
SLE 12 GA:  4.4.1 affected.
Comment 4 Swamp Workflow Management 2015-03-17 23:00:40 UTC
bugbot adjusting priority
Comment 8 Marcus Meissner 2015-03-31 12:11:27 UTC
public now
Comment 9 Marcus Meissner 2015-03-31 12:14:07 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2015-2752 / XSA-125
                              version 3

       Long latency MMIO mapping operations are not preemptible

UPDATES IN VERSION 3
====================

CVE assigned.

Public release.

ISSUE DESCRIPTION
=================

The XEN_DOMCTL_memory_mapping hypercall allows long running operations
without implementing preemption.

This hypercall is used by the device model as part of the emulation
associated with configuration of PCI devices passed through to HVM
guests and is therefore indirectly exposed to those guests.

This can cause a physical CPU to become busy for a significant period,
leading to a host denial of service in some cases.

If a host denial of service is not triggered then it may instead be
possible to deny service to the domain running the device model,
e.g. domain 0.

This hypercall is also exposed more generally to all
toolstacks. However the uses of it in libxl based toolstacks are not
believed to open up any avenue of attack from an untrusted
guest. Other toolstacks may be vulnerable however.

IMPACT
======

The vulnerability is exposed via HVM guests which have a PCI device
assigned to them. A malicious HVM guest in such a configuration can
mount a denial of service attack affecting the whole system via its
associated device model (qemu-dm).

A guest is able to trigger this hypercall via operations which it is
legitimately expected to perform, therefore running the device model
as a stub domain does not offer protection against the host denial of
service issue. However it does offer some protection against secondary
issues such as denial of service against dom0.

VULNERABLE SYSTEMS
==================

The issue is exposed via x86 HVM VMs which have been assigned a PCI
device.

x86 PV domains, x86 HVM domains without passthrough devices and ARM
domains do not expose this vulnerability.

Xen 3.2.x and later are vulnerable.
Xen 3.1.x and earlier have not been inspected.

MITIGATION
==========

Running only PV guests will avoid this issue.

This issue can be avoided by not assigning devices with large MMIO
regions to untrusted HVM guests.

CREDITS
=======

This issue was discovered by Konrad Rzeszutek Wilk of Oracle.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa125.patch                 Xen 4.5.x, xen-unstable
xsa125-4.4.patch             Xen 4.4.x
xsa125-4.3.patch             Xen 4.3.x
xsa125-4.2.patch             Xen 4.2.x

$ sha256sum xsa125*.patch
be0c7cceb1af4b7b1341f37c1e20cf804ea3ac7d3c2ca2e5599f936479d5e0de  xsa125.patch
5f081407c2955787c6e40daa847f3c4131694dff3bb0bc0ee55495f555c7bb52  xsa125-4.2.patch
3b0641ef2a23f12872267940c408097cb353e57a6e0396a64cdf13592a14f65b  xsa125-4.3.patch
2180e657b34d8628d4e0157adf2a36904bb6feaf55d53338e4457ef77d867a31  xsa125-4.4.patch
$
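
The MITIGATION section above advises against assigning devices with large MMIO regions to untrusted HVM guests. The following audit sketch is an added example, not part of the advisory or of this bug report: it reads an xl guest configuration and the matching sysfs `resource` files and lists passed-through devices whose memory BARs exceed a threshold. The 64 MiB threshold, the sample configuration and the sample sysfs contents are assumptions constructed for illustration.

```python
import re

IORESOURCE_MEM = 0x200        # Linux resource flag marking a memory (MMIO) BAR
LARGE_MMIO_BYTES = 64 << 20   # assumed threshold; the advisory gives no number

# Constructed sample xl guest config (not taken from the bug report).
SAMPLE_CFG = '''
name = "guest1"
builder = "hvm"
pci = [ '0000:03:00.0', '0000:04:00.1,permissive=1' ]
'''

# Constructed contents of /sys/bus/pci/devices/<BDF>/resource: "start end flags".
SAMPLE_RESOURCES = {
    "0000:03:00.0": "0x00000000e0000000 0x00000000efffffff 0x000000000014220c\n"
                    "0x000000000000e000 0x000000000000e07f 0x0000000000040101\n",
    "0000:04:00.1": "0x00000000f7d00000 0x00000000f7d03fff 0x0000000000040200\n"
                    "0x0000000000000000 0x0000000000000000 0x0000000000000000\n",
}

def is_hvm(cfg):
    """True if the config selects an HVM guest (builder= or type= syntax)."""
    return re.search(r'^\s*(builder|type)\s*=\s*["\']hvm["\']', cfg, re.M) is not None

def passthrough_bdfs(cfg):
    """Return normalised DDDD:BB:DD.F strings from the pci = [...] list."""
    m = re.search(r'^\s*pci\s*=\s*\[(.*?)\]', cfg, re.M | re.S)
    bdfs = []
    for spec in re.findall(r'["\']([^"\']+)["\']', m.group(1) if m else ""):
        bdf = spec.split(",")[0].split("@")[0].strip().lower()
        bdfs.append(bdf if bdf.count(":") == 2 else "0000:" + bdf)
    return bdfs

def mmio_bytes(resource_text):
    """Sum the sizes of all memory BARs listed in a sysfs resource file."""
    total = 0
    for line in resource_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        start, end, flags = (int(p, 16) for p in parts)
        if flags & IORESOURCE_MEM and end >= start and end > 0:
            total += end - start + 1
    return total

def audit(cfg, resources, limit=LARGE_MMIO_BYTES):
    """List (bdf, mmio_bytes) for HVM passthrough devices over the limit.
    A device with no resource data counts as 0 bytes and is not flagged."""
    if not is_hvm(cfg):
        return []   # PV guests do not expose the issue, per the advisory
    sizes = [(b, mmio_bytes(resources.get(b, ""))) for b in passthrough_bdfs(cfg)]
    return [(b, n) for b, n in sizes if n > limit]
```

On a real host the `resources` mapping would be filled by reading `/sys/bus/pci/devices/<BDF>/resource` for each device returned by `passthrough_bdfs`.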
Comment 10 Charles Arnold 2015-04-01 16:30:19 UTC
Submitted.
SLE-12: MR#53894
SLE-11-SP3: SR#53976
SLE-11-SP2: SR#53978
SLE-11-SP1: SR#53980
SLE-11-SP1:Teradata: SR#53982
SLE-10-SP4: SR#53984
SLE-10-SP3: SR#53986
Comment 11 Swamp Workflow Management 2015-04-10 09:05:17 UTC
SUSE-SU-2015:0701-1: An update that solves three vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 921842,922705,922706,922709,923758
CVE References: CVE-2015-2751,CVE-2015-2752,CVE-2015-2756
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    xen-4.4.2_02-15.1
SUSE Linux Enterprise Server 12 (src):    xen-4.4.2_02-15.1
SUSE Linux Enterprise Desktop 12 (src):    xen-4.4.2_02-15.1
Comment 12 Swamp Workflow Management 2015-04-20 14:07:01 UTC
openSUSE-SU-2015:0732-1: An update that solves 7 vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 861318,895528,901488,903680,910254,918995,918998,919098,919464,919663,922705,922706
CVE References: CVE-2014-3615,CVE-2015-2044,CVE-2015-2045,CVE-2015-2151,CVE-2015-2152,CVE-2015-2752,CVE-2015-2756
Sources used:
openSUSE 13.1 (src):    xen-4.3.4_02-41.1
Comment 13 Swamp Workflow Management 2015-04-21 18:05:40 UTC
SUSE-SU-2015:0744-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 918995,918998,919464,922705
CVE References: CVE-2013-3495,CVE-2014-3615,CVE-2014-5146,CVE-2014-5149,CVE-2014-9065,CVE-2014-9066,CVE-2015-0361,CVE-2015-2044,CVE-2015-2045
Sources used:
SUSE Linux Enterprise Server 10 SP4 LTSS (src):    xen-3.2.3_17040_46-0.13.1
Comment 14 Swamp Workflow Management 2015-04-21 18:06:31 UTC
SUSE-SU-2015:0745-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 918995,918998,919464,922705,922706
CVE References: CVE-2015-2044,CVE-2015-2045,CVE-2015-2151,CVE-2015-2756
Sources used:
SUSE Linux Enterprise Server 11 SP1 LTSS (src):    xen-4.0.3_21548_18-0.15.1
Comment 15 Swamp Workflow Management 2015-04-21 18:07:51 UTC
SUSE-SU-2015:0746-1: An update that solves four vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 907755,918995,918998,919464,922705,922706
CVE References: CVE-2015-2044,CVE-2015-2045,CVE-2015-2151,CVE-2015-2756
Sources used:
SUSE Linux Enterprise Server 11 SP2 LTSS (src):    xen-4.1.6_08-0.9.1
Comment 16 Swamp Workflow Management 2015-04-21 18:09:05 UTC
SUSE-SU-2015:0747-1: An update that solves four vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 918995,918998,919341,919464,922705,922706
CVE References: CVE-2015-2044,CVE-2015-2045,CVE-2015-2151,CVE-2015-2756
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    xen-4.2.5_04-0.9.1
SUSE Linux Enterprise Server 11 SP3 (src):    xen-4.2.5_04-0.9.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    xen-4.2.5_04-0.9.1
Comment 17 Swamp Workflow Management 2015-05-21 07:05:06 UTC
SUSE-SU-2015:0923-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 922705,922709,927967,929339
CVE References: CVE-2015-2751,CVE-2015-2752,CVE-2015-3340,CVE-2015-3456
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    xen-4.4.2_04-18.1
SUSE Linux Enterprise Server 12 (src):    xen-4.4.2_04-18.1
SUSE Linux Enterprise Desktop 12 (src):    xen-4.4.2_04-18.1
Comment 18 Marcus Meissner 2015-06-22 09:44:22 UTC
released
Comment 19 Swamp Workflow Management 2015-06-22 10:08:34 UTC
openSUSE-SU-2015:1092-1: An update that solves 17 vulnerabilities and has 10 fixes is now available.

Category: security (important)
Bug References: 861318,882089,895528,901488,903680,906689,910254,912011,918995,918998,919098,919464,919663,921842,922705,922706,922709,923758,927967,929339,931625,931626,931627,931628,932770,932790,932996
CVE References: CVE-2014-3615,CVE-2015-2044,CVE-2015-2045,CVE-2015-2151,CVE-2015-2152,CVE-2015-2751,CVE-2015-2752,CVE-2015-2756,CVE-2015-3209,CVE-2015-3340,CVE-2015-3456,CVE-2015-4103,CVE-2015-4104,CVE-2015-4105,CVE-2015-4106,CVE-2015-4163,CVE-2015-4164
Sources used:
openSUSE 13.2 (src):    xen-4.4.2_06-23.1