Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 478280 (CVE-2013-2212) - <app-emulation/xen-4.2.3: "vmx_set_uc_mode()" Disable Caches Denial of Service Vulnerability (CVE-2013-2212) (XSA-60)
Summary: <app-emulation/xen-4.2.3: "vmx_set_uc_mode()" Disable Caches Denial of Servic...
Status: RESOLVED FIXED
Alias: CVE-2013-2212
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://secunia.com/advisories/53797/
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-07-26 19:38 UTC by Agostino Sarubbo
Modified: 2015-04-11 20:37 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-07-26 19:38:53 UTC
From ${URL} :

A vulnerability has been reported in Xen, which can be exploited by malicious, local users in a 
guest virtual machine to cause a DoS (Denial of Service).

The vulnerability is caused due to an error within the "vmx_set_uc_mode()" function, which can lead 
to subsequent requests to disable caches taking excessive time and cause a kernel panic.

Successful exploitation requires HVM guests with PCI passthrough using the Intel variant of 
Hardware Assisted Paging (aka EPT).

The vulnerability is reported versions 3.3 and later.


Solution:
No official solution is currently available.

Provided and/or discovered by:
The vendor credits Zhenzhong Duan.

Original Advisory:
XSA-60:
http://www.openwall.com/lists/oss-security/2013/07/24/4
http://www.openwall.com/lists/oss-security/2013/07/24/5
http://www.openwall.com/lists/oss-security/2013/07/24/6




@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 1 Ian Delaney (RETIRED) gentoo-dev 2013-07-30 13:47:51 UTC
Solution Status:

Unpatched

Software:

Xen 3.x

Xen 4.x

CVE Reference(s):

CVE-2013-2212

Perhaps tell when they have one
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2013-08-30 00:22:13 UTC
CVE-2013-2212 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2212):
  The vmx_set_uc_mode function in Xen 3.3 through 4.3, when disabling chaches,
  allows local HVM guests with access to memory mapped I/O regions to cause a
  denial of service (CPU consumption and possibly hypervisor or guest kernel
  panic) via a crafted GFN range.
Comment 3 Ian Delaney (RETIRED) gentoo-dev 2013-11-06 10:16:38 UTC
http://xenbits.xen.org/xsa/advisory-60.html

still reads

RESOLUTION
==========

There is currently no resolution to this issue.
Comment 4 Agostino Sarubbo gentoo-dev 2014-02-20 16:05:30 UTC
from http://www.openwall.com/lists/oss-security/2014/02/19/5 :

             Xen Security Advisory CVE-2013-2212 / XSA-60
                             version 6

   Excessive time to disable caching with HVM guests with PCI passthrough

UPDATES IN VERSION 6
====================

Since the issue of this advisory, various fixes have been applied to
the public Xen trees.

ISSUE DESCRIPTION
=================

HVM guests are able to manipulate their physical address space such that
processing a subsequent request by that guest to disable caches takes an
extended amount of time changing the cachability of the memory pages assigned
to this guest. This applies only when the guest has been granted access to
some memory mapped I/O region (typically by way of assigning a passthrough
PCI device).

This can cause the CPU which processes the request to become unavailable,
possibly causing the hypervisor or a guest kernel (including the domain 0 one)
to halt itself ("panic").

IMPACT
======

A malicious domain, given access to a device with memory mapped I/O
regions, can cause the host to become unresponsive for a period of
time, potentially leading to a DoS affecting the whole system.

VULNERABLE SYSTEMS
==================

Xen version 3.3 onwards is vulnerable.

Only systems using the Intel variant of Hardware Assisted Paging (aka EPT) are
vulnerable.

MITIGATION
==========

This issue can be avoided by not assigning PCI devices to untrusted guests, or
by running HVM guests with shadow mode paging (through adding "hap=0" to the
domain configuration file).

CREDITS
=======

Zhenzhong Duan found the issue as a bug, which on examination by the
Xenproject.org Security Team turned out to be a security problem.

RESOLUTION
==========

This issue has been fixed in the public xen.git trees.

For xen-unstable (#staging, #master), in these git commits:
  c13b0d65ddedd745 VMX: disable EPT when !cpu_has_vmx_pat
  1c84d046735102e0 VMX: remove the problematic set_uc_mode logic
  62652c00efa55fb4 VMX: fix cr0.cd handling
  86d60e855fe118df VMX: flush cache when vmentry back to UC guest
  f1c9658d6802c433 Revert "VMX: flush cache when vmentry back to UC guest"
(Earliest commit is listed first.  Note that f1c9658d reverts
not only 86d60e85 but also part of 62652c00.)

For Xen 4.2 (#staging-4.2, #stable-4.2):
  f1e0df14412c VMX: disable EPT when !cpu_has_vmx_pat
  644e6c5c7106 VMX: remove the problematic set_uc_mode logic
  0fffcffeb594 VMX: fix cr0.cd handling
Comment 5 Yixun Lan archtester gentoo-dev 2014-02-21 04:44:49 UTC
> For xen-unstable (#staging, #master), in these git commits:
>   c13b0d65ddedd745 VMX: disable EPT when !cpu_has_vmx_pat
>   1c84d046735102e0 VMX: remove the problematic set_uc_mode logic
>   62652c00efa55fb4 VMX: fix cr0.cd handling
>   86d60e855fe118df VMX: flush cache when vmentry back to UC guest
>   f1c9658d6802c433 Revert "VMX: flush cache when vmentry back to UC guest"
> (Earliest commit is listed first.  Note that f1c9658d reverts
> not only 86d60e85 but also part of 62652c00.)
> 
we didn't package for #staging, #master, so it not affacted

> For Xen 4.2 (#staging-4.2, #stable-4.2):
>   f1e0df14412c VMX: disable EPT when !cpu_has_vmx_pat
>   644e6c5c7106 VMX: remove the problematic set_uc_mode logic
>   0fffcffeb594 VMX: fix cr0.cd handling
for >=xen-4.2.3.ebuild, XSA-60 is already fixed , thanks
Comment 6 Yury German Gentoo Infrastructure gentoo-dev 2015-04-05 03:58:16 UTC
Maintainer(s), Thank you for you for cleanup.

Added to an existing GLSA Request.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2015-04-11 20:37:06 UTC
This issue was resolved and addressed in
 GLSA 201504-04 at https://security.gentoo.org/glsa/201504-04
by GLSA coordinator Yury German (BlueKnight).