Xen Security Advisory XSA-181

arm: Host crash caused by VMID exhaustion

ISSUE DESCRIPTION
=================

VMIDs are a finite hardware resource, and are allocated as part of domain
creation. If no free VMIDs are available when trying to create a new domain,
a bug in the error path causes a NULL pointer to be used, resulting in a Data
Abort and host crash.
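
An added illustration, not code from this advisory or from Xen: a simplified C model of one way an error path can end up using a NULL pointer, where creation fails on VMID exhaustion and the shared teardown path must tolerate state that was never allocated. Every name in it (vmid_alloc, dom_create, dom_teardown) and the 256-entry VMID space are assumptions made for the model.

```c
/* Simplified model, not Xen source; every name here is hypothetical. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAX_VMID  256   /* assumed 8-bit VMID space; slot 0 reserved */
#define ROOT_SIZE 4096  /* stand-in for a per-domain root page table */
static uint8_t vmid_used[MAX_VMID];
struct dom { int vmid; void *root; };  /* vmid 0 / root NULL = not set up */

static int vmid_alloc(struct dom *d) {
    for (int i = 1; i < MAX_VMID; i++)
        if (!vmid_used[i]) { vmid_used[i] = 1; d->vmid = i; return 0; }
    return -ENOMEM;  /* exhaustion is an expected, recoverable outcome */
}

/* Runs after normal destruction AND failed creation: tolerate unset state. */
static void dom_teardown(struct dom *d) {
    if (d->root) {  /* without this guard the scrub writes through NULL */
        memset(d->root, 0, ROOT_SIZE);
        free(d->root);
        d->root = NULL;
    }
    if (d->vmid) { vmid_used[d->vmid] = 0; d->vmid = 0; }
}

/* Returns 0 or a negative errno; on failure no partial state remains. */
static int dom_create(struct dom *d) {
    int rc;
    d->vmid = 0; d->root = NULL;
    if ((rc = vmid_alloc(d)) != 0) goto fail;  /* root still NULL here */
    if (!(d->root = calloc(1, ROOT_SIZE))) { rc = -ENOMEM; goto fail; }
    return 0;
fail:
    dom_teardown(d);
    return rc;
}

/* Create domains until creation fails; returns how many succeeded. */
static int fill_until_exhausted(struct dom *doms, int n) {
    int made = 0;
    while (made < n && dom_create(&doms[made]) == 0) made++;
    return made;
}
int main(void) {
    static struct dom doms[MAX_VMID + 8];
    printf("created %d before -ENOMEM\n", fill_until_exhausted(doms, MAX_VMID + 8));
}
```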

IMPACT
======

Attempting to create too many concurrent domains causes a host crash rather
than a graceful error. A malicious device driver domain can hold references
to domains, preventing their VMIDs from being released.

VULNERABLE SYSTEMS
==================

Xen versions 4.4 and later are affected. Older Xen versions are unaffected.

x86 systems are not affected.

Only arm systems with less-privileged device driver domains can expose this
vulnerability.

MITIGATION
==========

There is no mitigation. Not using driver domains reclassifies the problem,
but does not fix it.

NOTE REGARDING LACK OF EMBARGO
==============================

The crash was discussed publicly on xen-devel, before it was appreciated
that there was a security problem.

CREDITS
=======

This issue was discovered by Aaron Cornelius of DornerWorks.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa181.patch        xen-unstable, Xen 4.6.x, 4.5.x
xsa181-4.4.patch    Xen 4.4.x

$ sha256sum xsa181*
6756fcf44446675e5277f6d6c0e8a0aaa51a7909ad9a55af89a09367fded8733  xsa181.patch
97a90c7cb42466647622cb2ed98de531b7ba2e174a1bc639a32a6f1b626d503f  xsa181-4.4.patch
$