Certain internal state is set up, during domain construction, in
preparation for possible pass-through device assignment. On ARM and
AMD V-i hardware this setup includes memory allocation. On guest
teardown, cleanup was erroneously only performed when the guest
actually had a pass-through device assigned.
A malicious guest may, by frequently rebooting over extended periods
of time, run the system out of memory, resulting in a Denial of
The leak is no more than 4kbytes per guest boot.
Xen versions 3.3 and later are affected.
ARM systems, and x86 AMD systems, are affected. Intel systems, and
systems without IOMMU/SMMU hardware, are unaffected.
All guest kinds can exploit this vulnerability.
Limiting the frequency with which a guest is able to reboot, will
limit the memory leak.
Rebooting each host (after migrating its guests) periodically will
reclaim the leaked space.
Applying the appropriate attached patch resolves this issue.
xsa207.patch xen-unstable, Xen 4.8.x, Xen 4.7.x, Xen 4.6.x, Xen 4.5.x
xsa207-4.4.patch Xen 4.4.x
$ sha256sum xsa207*
DEPLOYMENT DURING EMBARGO
Deployment of the patches described above is permitted during the
embargo, as is the mitigation of migrating a VM which has no devices
assigned from IOMMU-capable hardware to IOMMU-incapable hardware, even
on public-facing systems with untrusted guest users and administrators.
HOWEVER, moving a VM from AMD to Intel hardware, in response to this
vulnerability, is *not* permitted. This is because such a change is
visible to guests, and would not normally be expected.
Furthermore: Distribution of updated software is prohibited (except to
other members of the predisclosure list).
Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)
For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
@ Maintainer(s): Please proceed.
Author: Yixun Lan <firstname.lastname@example.org>
Date: Fri Feb 10 17:46:51 2017 +0800
app-emulation/xen: fix XSA-207
Xen Security Advisory 207
memory leak when destroying guest without PT devices
Package-Manager: Portage-2.3.3, Repoman-2.3.1
:100644 100644 c516bbbcbf... 4b72ae53f1... M app-emulation/xen/Manifest
:000000 100644 0000000000... b70f6c1cf7... A app-emulation/xen/xen-4.7.1-r5.ebuild
:000000 100644 0000000000... 2519bf5d85... A app-emulation/xen/xen-4.8.0-r2.ebuild
Added to an existing GLSA request.
This issue was resolved and addressed in
GLSA 201702-27 at https://security.gentoo.org/glsa/201702-27
by GLSA coordinator Thomas Deutschmann (whissi).