ISSUE DESCRIPTION ================= Certain internal state is set up, during domain construction, in preparation for possible pass-through device assignment. On ARM and AMD V-i hardware this setup includes memory allocation. On guest teardown, cleanup was erroneously only performed when the guest actually had a pass-through device assigned. IMPACT ====== A malicious guest may, by frequently rebooting over extended periods of time, run the system out of memory, resulting in a Denial of Service (DoS). The leak is no more than 4kbytes per guest boot. VULNERABLE SYSTEMS ================== Xen versions 3.3 and later are affected. ARM systems, and x86 AMD systems, are affected. Intel systems, and systems without IOMMU/SMMU hardware, are unaffected. All guest kinds can exploit this vulnerability. MITIGATION ========== Limiting the frequency with which a guest is able to reboot, will limit the memory leak. Rebooting each host (after migrating its guests) periodically will reclaim the leaked space. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. xsa207.patch xen-unstable, Xen 4.8.x, Xen 4.7.x, Xen 4.6.x, Xen 4.5.x xsa207-4.4.patch Xen 4.4.x $ sha256sum xsa207* d0dd9d5dbb4671156a3e5bc899edb81ad72ed163cc73baa8eae0a4df6ef8741a xsa207.patch 73660e8914c283dab10a6b7494940a58980275ca62f94777e122c3ade23cdeea xsa207-4.4.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches described above is permitted during the embargo, as is the mitigation of migrating a VM which has no devices assigned from IOMMU-capable hardware to IOMMU-incapable hardware, even on public-facing systems with untrusted guest users and administrators. HOWEVER, moving a VM from AMD to Intel hardware, in response to this vulnerability, is *not* permitted. This is because such a change is visible to guests, and would not normally be expected. Furthermore: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html
@ Maintainer(s): Please proceed.
commit 2777fe4b2c8501fd263b4c048e38815b26532e69 Author: Yixun Lan <dlan@gentoo.org> Date: Fri Feb 10 17:46:51 2017 +0800 app-emulation/xen: fix XSA-207 Xen Security Advisory 207 memory leak when destroying guest without PT devices Gentoo-Bug: 607840 Package-Manager: Portage-2.3.3, Repoman-2.3.1 :100644 100644 c516bbbcbf... 4b72ae53f1... M app-emulation/xen/Manifest :000000 100644 0000000000... b70f6c1cf7... A app-emulation/xen/xen-4.7.1-r5.ebuild :000000 100644 0000000000... 2519bf5d85... A app-emulation/xen/xen-4.8.0-r2.ebuild
Added to an existing GLSA request.
This issue was resolved and addressed in GLSA 201702-27 at https://security.gentoo.org/glsa/201702-27 by GLSA coordinator Thomas Deutschmann (whissi).