-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Xen Security Advisory XSA-73

Lock order reversal between page allocation and grant table locks

NOTE REGARDING LACK OF EMBARGO
==============================

While the response to this issue was being prepared by the security
team, the bug was independently discovered by a third party who
publicly disclosed it without realising the security impact.

ISSUE DESCRIPTION
=================

The locks page_alloc_lock and grant_table.lock are not always taken in
the same order. This opens the possibility of deadlock.
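
Added example, not code from this advisory or from Xen: a minimal lock-order tracker in C, in the style of a lockdep check, showing how two paths that nest the same pair of locks in opposite orders can be flagged even when a given run never deadlocks. The lock names come from the advisory; the tracker, the two modelled contexts and all function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Lock classes named after the two locks in the advisory. The tracker is a
 * constructed user-space model, not Xen code. */
enum { PAGE_ALLOC_LOCK, GRANT_TABLE_LOCK, NLOCKS };
#define NCTX 2                      /* modelled execution contexts (vcpus) */
static int held[NCTX][NLOCKS];      /* held[c][l]: context c holds lock l */
static int before[NLOCKS][NLOCKS];  /* before[a][b]: a was held when b was taken */

static void tracker_reset(void)
{
    memset(held, 0, sizeof held);
    memset(before, 0, sizeof before);
}

/* Record an acquisition; return 1 if it reverses an order seen earlier. */
static int track_acquire(int ctx, int lock)
{
    int reversal = 0;
    for (int h = 0; h < NLOCKS; h++) {
        if (!held[ctx][h] || h == lock)
            continue;
        if (before[lock][h])        /* some path took `lock` first, then h */
            reversal = 1;
        before[h][lock] = 1;
    }
    held[ctx][lock] = 1;
    return reversal;
}

static void track_release(int ctx, int lock) { held[ctx][lock] = 0; }

/* One code path that nests `inner` inside `outer`; returns reversals seen. */
static int run_path(int ctx, int outer, int inner)
{
    int r = track_acquire(ctx, outer);
    r += track_acquire(ctx, inner);
    track_release(ctx, inner);
    track_release(ctx, outer);
    return r;
}

int main(void)
{
    tracker_reset();
    printf("path A reversals: %d\n", run_path(0, PAGE_ALLOC_LOCK, GRANT_TABLE_LOCK));
    printf("path B reversals: %d\n", run_path(1, GRANT_TABLE_LOCK, PAGE_ALLOC_LOCK));
    return 0;
}
```

The check is pairwise, which is sufficient for two locks; which order counts as the reference order is simply whichever the tracker observes first.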

IMPACT
======

A malicious guest administrator can deny service to the entire host.

VULNERABLE SYSTEMS
==================

Xen versions going back to at least Xen 3.2 are vulnerable.

To exploit the vulnerability, the attacker must have control of more
than one vcpu, either by controlling a malicious multi-vcpu guest, or
by controlling more than one guest.

MITIGATION
==========

There is no practical mitigation for this issue.

CREDITS
=======

This issue was discovered by Coverity Scan and diagnosed by Andrew
Cooper.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa73-4.3-unstable.patch    Xen 4.3.x, xen-unstable
xsa73-4.2.patch             Xen 4.2.x
xsa73-4.1.patch             Xen 4.1.x

$ sha256sum xsa73*.patch
b828ff085f2dc1f2042bda1dc8a6c52b56ad1c1e3639c3efe32e5706e4ef424f xsa73-4.1.patch
10b809c39582a7f29150f0635b78bc2ce40df0bded963b78f42db3e21775da8c xsa73-4.2.patch
48411cd6b15e4e4fa3c4335298179a4b1094c5e1ae8dc7582bbfb9439d97037b xsa73-4.3-unstable.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----