Bug 875668 (CVE-2014-3124)

Summary: VUL-0: CVE-2014-3124: xen: XSA-92: HVMOP_set_mem_type allows invalid P2M entries to be created
Product: [Novell Products] SUSE Security Incidents Reporter: Alexander Bergmann <abergmann>
Component: IncidentsAssignee: Charles Arnold <carnold>
Status: VERIFIED INVALID QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: abergmann, jbeulich, jochen.roeder
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard: maint:running:59647:moderate
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Alexander Bergmann 2014-04-29 13:47:36 UTC
Xen Security Advisory XSA-92
                              version 2

      HVMOP_set_mem_type allows invalid P2M entries to be created


Public release.


The implementation in Xen of the HVMOP_set_mem_type HVM control
operations attempts to exclude transitioning a page from an
inappropriate memory type.  However, only an inadequate subset of
memory types is excluded.

There are certain other types that don't correspond to a particular
valid page, whose page table translation can be inappropriately
changed (by HVMOP_set_mem_type) from not-present (due to the lack of
valid memory page) to present.  If this occurs, an invalid translation
will be established.


In a configuration where device models run with limited privilege (for
example, stubdom device models), a guest attacker who successfully
finds and exploits an unfixed security flaw in qemu-dm could leverage
the other flaw into a Denial of Service affecting the whole host.

In the more general case, in more abstract terms: a malicious
administrator of a domain privileged with regard to an HVM guest can
cause Xen to crash leading to a Denial of Service.

Arbitrary code execution, and therefore privilege escalation, cannot
be entirely excluded: On a system with a RAM page present immediately
below the 52-bit address boundary, this would be possible.  However,
we are not aware of any systems with such a memory layout.


All Xen versions from 4.1 onwards are vulnerable.

The vulnerability is only exposed to service domains for HVM guests
which have privilege over the guest.  In a usual configuration that
means only device model emulators (qemu-dm).

In the case of HVM guests whose device model is running in an
unrestricted dom0 process, qemu-dm already has the ability to cause
problems for the whole system.  So in that case the vulnerability is
not applicable.

The situation is more subtle for an HVM guest with a stub qemu-dm.
That is, where the device model runs in a separate domain (in the case
of xl, as requested by "device_model_stubdomain_override=1" in the xl
domain configuration file).  The same applies with a qemu-dm in a dom0
process subjected to some kind kernel-based process privilege
limitation (eg the chroot technique as found in some versions of

In those latter situations this issue means that the extra isolation
does not provide as good a defence (against denial of service) as
intended.  That is the essence of this vulnerability.

However, the security is still better than with a qemu-dm running as
an unrestricted dom0 process.  Therefore users with these
configurations should not switch to an unrestricted dom0 qemu-dm.

Finally, in a radically disaggregated system: where the HVM service
domain software (probably, the device model domain image) is not
always supplied by the host administrator, a malicious service domain
administrator can exercise this vulnerability.


Running only PV guests will avoid this vulnerability.

In a radically disaggregated system, restricting HVM service domains
to software images approved by the host administrator will avoid the


This issue was discovered by Jan Beulich.


Applying the appropriate attached patch resolves this issue.

xsa92.patch                 xen-unstable, Xen 4.4.x, Xen 4.3.x
xsa92-4.2.patch             Xen 4.2.x
xsa92-4.1.patch             Xen 4.1.x

$ sha256sum xsa92*.patch
184dcb88dfb4540fca33016ffcfe0f4f557449ab5b4ec6a4bf486c75926d23f3  xsa92.patch
76905398958dfcec98fb5bde2a68c0e86a3ccc9f442a8a658e972937fd75534a  xsa92-4.1.patch
bca98827834f807c787fceb6c719d9d4fe3c40786cb087156829e5e6fb5700d6  xsa92-4.2.patch
Comment 1 Swamp Workflow Management 2014-04-29 22:00:19 UTC
bugbot adjusting priority
Comment 2 Alexander Bergmann 2014-05-02 06:35:53 UTC
CVE-2014-3124 was assigned to this issue.
Comment 3 Alexander Bergmann 2014-05-02 16:18:53 UTC
Charles/Jan are we affected by this? And if yes, which code-streams?
Comment 4 Charles Arnold 2014-05-02 16:35:32 UTC
(In reply to comment #3)
> Charles/Jan are we affected by this? And if yes, which code-streams?

SLE11-SP2 (Xen 4.1 - LTSS only)
SLE11-SP3 (Xen 4.2)
SLE12 (Xen 4.4 - Patched in Beta 6)

os12.3 (Xen 4.2)
os13.1 (Xen 4.3)
Comment 5 Jan Beulich 2014-05-09 12:07:59 UTC
(In reply to comment #3)
> Charles/Jan are we affected by this? And if yes, which code-streams?

In fact it depends on what you mean by "affected": Yes, the problematic code is there. But no, we don't support any form of disaggregation right now.
Comment 6 Sebastian Krahmer 2014-05-20 13:03:41 UTC
That basically means we can close this bug as INVALID?
Comment 7 Jan Beulich 2014-05-20 13:16:52 UTC
I would think so, yes.
Comment 8 Sebastian Krahmer 2014-05-20 14:10:44 UTC
Comment 9 Swamp Workflow Management 2014-10-09 11:10:12 UTC
openSUSE-SU-2014:1281-1: An update that solves 10 vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 798770,820873,842006,864801,865682,875668,878841,880751,882127,895798,895799,895802,896023,897657
CVE References: CVE-2013-4344,CVE-2013-4540,CVE-2014-3124,CVE-2014-3967,CVE-2014-3968,CVE-2014-4021,CVE-2014-7154,CVE-2014-7155,CVE-2014-7156,CVE-2014-7188
Sources used:
openSUSE 13.1 (src):    xen-4.3.2_02-27.1
Comment 10 Swamp Workflow Management 2014-12-24 18:05:32 UTC
SUSE-SU-2014:1710-1: An update that solves 13 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 826717,867910,875668,880751,895798,895799,895802,897657,901317,903850,903967,903970,905465,905467,906439
CVE References: CVE-2013-3495,CVE-2014-2599,CVE-2014-3124,CVE-2014-4021,CVE-2014-7154,CVE-2014-7155,CVE-2014-7156,CVE-2014-7188,CVE-2014-8594,CVE-2014-8595,CVE-2014-8866,CVE-2014-8867,CVE-2014-9030
Sources used:
SUSE Linux Enterprise Server 11 SP2 LTSS (src):    xen-4.1.6_08-0.5.1