Bug 607840 (XSA-207)

Summary: <app-emulation/xen-4.7.1-r5: memory leak when destroying guest without PT devices
Product: Gentoo Security
Reporter: Thomas Deutschmann (RETIRED) <whissi>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: alexxy, cardoe, dlan
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://xenbits.xen.org/xsa/advisory-207.html
Whiteboard: B3 [glsa cve]
Package list:
Runtime testing required: ---

Description Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-31 18:34:59 UTC
ISSUE DESCRIPTION
=================

Certain internal state is set up, during domain construction, in
preparation for possible pass-through device assignment.  On ARM and
AMD V-i hardware this setup includes memory allocation.  On guest
teardown, cleanup was erroneously only performed when the guest
actually had a pass-through device assigned.

IMPACT
======

A malicious guest may, by frequently rebooting over extended periods
of time, run the system out of memory, resulting in a Denial of
Service (DoS).

The leak is no more than 4kbytes per guest boot.

VULNERABLE SYSTEMS
==================

Xen versions 3.3 and later are affected.

ARM systems, and x86 AMD systems, are affected.  Intel systems, and
systems without IOMMU/SMMU hardware, are unaffected.

All guest kinds can exploit this vulnerability.

MITIGATION
==========

Limiting the frequency with which a guest is able to reboot will
limit the memory leak.

Rebooting each host (after migrating its guests) periodically will
reclaim the leaked space.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa207.patch           xen-unstable, Xen 4.8.x, Xen 4.7.x, Xen 4.6.x, Xen 4.5.x
xsa207-4.4.patch       Xen 4.4.x

$ sha256sum xsa207*
d0dd9d5dbb4671156a3e5bc899edb81ad72ed163cc73baa8eae0a4df6ef8741a  xsa207.patch
73660e8914c283dab10a6b7494940a58980275ca62f94777e122c3ade23cdeea  xsa207-4.4.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches described above is permitted during the
embargo, as is the mitigation of migrating a VM which has no devices
assigned from IOMMU-capable hardware to IOMMU-incapable hardware, even
on public-facing systems with untrusted guest users and administrators.

HOWEVER, moving a VM from AMD to Intel hardware, in response to this
vulnerability, is *not* permitted.  This is because such a change is
visible to guests, and would not normally be expected.

Furthermore: Distribution of updated software is prohibited (except to
other members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
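The defect shape the advisory describes, as an added toy model that is not Xen code and not part of the bug report: construction allocates pass-through state whenever an IOMMU is present, the buggy teardown frees it only when a device was actually assigned, and the fixed teardown mirrors construction unconditionally. Every struct and function name is hypothetical; the only figure taken from the advisory is the 4 KiB per-boot upper bound, used here as the allocation size.

```c
/* Toy model of the XSA-207 defect shape. Not Xen code: every name below is
 * hypothetical; only the 4 KiB per-boot figure comes from the advisory. */
#include <stdlib.h>
#include <stdbool.h>

#define PT_STATE_BYTES 4096      /* advisory: at most 4 KiB leaked per guest boot */
static size_t outstanding_bytes; /* pass-through state allocated but not yet freed */
struct domain {
    bool pt_device_assigned;     /* a pass-through device was actually assigned */
    void *pt_state;              /* state set up during domain construction */
};

/* Construction: on IOMMU/SMMU hosts (ARM, AMD-Vi) the state is allocated
 * whether or not a device is ever assigned to the guest. */
static void domain_create(struct domain *d, bool iommu, bool pt_device)
{
    d->pt_device_assigned = pt_device;
    d->pt_state = iommu ? malloc(PT_STATE_BYTES) : NULL;
    if (d->pt_state)
        outstanding_bytes += PT_STATE_BYTES;
}

static void free_pt_state(struct domain *d)
{
    if (!d->pt_state) return;
    free(d->pt_state);
    d->pt_state = NULL;
    outstanding_bytes -= PT_STATE_BYTES;
}
/* Buggy teardown: cleanup gated on device assignment, so the unconditional
 * allocation above is orphaned for every guest without a PT device. */
static void domain_destroy_buggy(struct domain *d)
{
    if (d->pt_device_assigned)
        free_pt_state(d);
}

/* Fixed teardown: cleanup mirrors the construction path unconditionally. */
static void domain_destroy_fixed(struct domain *d) { free_pt_state(d); }
/* Reboot one guest `reboots` times; return bytes still outstanding afterwards. */
size_t simulate_reboots(unsigned reboots, bool iommu, bool pt_device, bool fixed)
{
    outstanding_bytes = 0;
    for (unsigned i = 0; i < reboots; i++) {
        struct domain d;
        domain_create(&d, iommu, pt_device);
        if (fixed) domain_destroy_fixed(&d); else domain_destroy_buggy(&d);
    }
    return outstanding_bytes;
}
```

The model reproduces the advisory's conditions: only the combination of IOMMU-capable host, no assigned device and the buggy teardown accumulates memory, growing linearly with the number of reboots.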
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-15 12:15:43 UTC
@ Maintainer(s): Please proceed.
Comment 2 Yixun Lan archtester gentoo-dev 2017-02-16 09:23:25 UTC
commit 2777fe4b2c8501fd263b4c048e38815b26532e69
Author: Yixun Lan <dlan@gentoo.org>
Date:   Fri Feb 10 17:46:51 2017 +0800

    app-emulation/xen: fix XSA-207

    Xen Security Advisory 207
    memory leak when destroying guest without PT devices

    Gentoo-Bug: 607840

    Package-Manager: Portage-2.3.3, Repoman-2.3.1

:100644 100644 c516bbbcbf... 4b72ae53f1... M    app-emulation/xen/Manifest
:000000 100644 0000000000... b70f6c1cf7... A    app-emulation/xen/xen-4.7.1-r5.ebuild
:000000 100644 0000000000... 2519bf5d85... A    app-emulation/xen/xen-4.8.0-r2.ebuild
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-16 17:57:07 UTC
Added to an existing GLSA request.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2017-02-21 00:18:47 UTC
This issue was resolved and addressed in
 GLSA 201702-27 at https://security.gentoo.org/glsa/201702-27
by GLSA coordinator Thomas Deutschmann (whissi).