Bug 831120 - (CVE-2013-2212) VUL-0: CVE-2013-2212: xen: XSA-60: Excessive time to disable caching with HVM guests with PCI passthrough
(CVE-2013-2212)
VUL-0: CVE-2013-2212: xen: XSA-60: Excessive time to disable caching with HVM...
Status: RESOLVED FIXED
: 826718 (view as bug list)
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
maint:released:sle11-sp3:56441 maint:...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2013-07-24 12:37 UTC by Marcus Meissner
Modified: 2015-02-19 01:31 UTC (History)
4 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2013-07-24 12:37:45 UTC
is public, via xen advisory

http://comments.gmane.org/gmane.comp.security.oss.general/10690


             Xen Security Advisory CVE-2013-2212 / XSA-60
                             version 4

   Excessive time to disable caching with HVM guests with PCI passthrough

UPDATES IN VERSION 4
====================

Public release.

ISSUE DESCRIPTION
=================

HVM guests are able to manipulate their physical address space such that
processing a subsequent request by that guest to disable caches takes an
extended amount of time changing the cachability of the memory pages assigned
to this guest. This applies only when the guest has been granted access to
some memory mapped I/O region (typically by way of assigning a passthrough
PCI device).

This can cause the CPU which processes the request to become unavailable,
possibly causing the hypervisor or a guest kernel (including the domain 0 one)
to halt itself ("panic").

For reference, as long as no patch implementing an approved alternative
solution is available (there's only a draft violating certain requirements
set by Intel's documentation), the problematic code is the function
vmx_set_uc_mode() (in that it calls ept_change_entry_emt_with_range() with
the full guest GFN range, which the guest has control over, but which also
would be a problem with sufficiently large but not malicious guests).

IMPACT
======

A malicious domain, given access to a device with memory mapped I/O
regions, can cause the host to become unresponsive for a period of
time, potentially leading to a DoS affecting the whole system.

VULNERABLE SYSTEMS
==================

Xen version 3.3 onwards is vulnerable.

Only systems using the Intel variant of Hardware Assisted Paging (aka EPT) are
vulnerable.

MITIGATION
==========

This issue can be avoided by not assigning PCI devices to untrusted guests, or
by running HVM guests with shadow mode paging (through adding "hap=0" to the
domain configuration file).

CREDITS
=======

Konrad Wilk found the issue as a bug, which on examination by the
Xenproject.org Security Team turned out to be a security problem.

RESOLUTION
==========

There is currently no resolution to this issue.
Comment 1 Swamp Workflow Management 2013-07-24 22:00:39 UTC
bugbot adjusting priority
Comment 2 Marcus Meissner 2013-07-25 09:26:33 UTC
*** Bug 826718 has been marked as a duplicate of this bug. ***
Comment 3 Jan Beulich 2014-02-17 16:33:44 UTC
Patches to address this have been available for a while, and got backported to all active SLE11 code branches.
Comment 4 Alexander Bergmann 2014-02-19 19:09:33 UTC
The XSA was updated:
http://xenbits.xenproject.org/xsa/advisory-60.html

UPDATES IN VERSION 6
====================

Since the issue of this advisory, various fixes have been applied to
the public Xen trees.
Comment 5 Charles Arnold 2014-02-25 17:55:38 UTC
Xen package submitted for this bug with the following requests:

SUSE:SLE-11-SP3:Update:Test: SR#33408
SUSE:SLE-11-SP2:Update:Test: SR#33409
SUSE:SLE-11-SP1:Update:Teradata:Test: SR#33410
openSUSE:13.1:Update: MR#223835
openSUSE:12.3:Update: MR#223847
Comment 6 Swamp Workflow Management 2014-02-26 09:27:50 UTC
The SWAMPID for this issue is 56439.
This issue was rated as moderate.
Please submit fixed packages until 2014-03-12.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 7 Swamp Workflow Management 2014-03-13 19:48:48 UTC
Update released for: xen, xen-debuginfo, xen-debugsource, xen-devel, xen-doc-html, xen-doc-pdf, xen-kmp-debug, xen-kmp-default, xen-kmp-pae, xen-kmp-trace, xen-kmp-vmi, xen-libs, xen-libs-32bit, xen-libs-x86, xen-tools, xen-tools-domU
Products:
SLE-DEBUGINFO 11-SP2 (i386, x86_64)
SLE-SERVER 11-SP2-LTSS (i386, x86_64)
Comment 8 Swamp Workflow Management 2014-03-13 19:51:53 UTC
Update released for: xen, xen-debuginfo, xen-debugsource, xen-devel, xen-doc-html, xen-doc-pdf, xen-kmp-debug, xen-kmp-default, xen-kmp-pae, xen-kmp-trace, xen-kmp-vmi, xen-libs, xen-libs-32bit, xen-libs-x86, xen-tools, xen-tools-domU
Products:
SLE-DEBUGINFO 11-SP3 (i386, x86_64)
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SDK 11-SP3 (i386, x86_64)
SLE-SERVER 11-SP3 (i386, x86_64)
Comment 9 Swamp Workflow Management 2014-03-13 23:04:21 UTC
SUSE-SU-2014:0372-1: An update that solves 10 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 831120,833483,842417,846849,848014,849667,849668,853049,860163,860302,861256
CVE References: CVE-2013-2212,CVE-2013-4553,CVE-2013-4554,CVE-2013-6885,CVE-2014-1666,CVE-2014-1891,CVE-2014-1892,CVE-2014-1893,CVE-2014-1894,CVE-2014-1950
Sources used:
SUSE Linux Enterprise Server 11 SP2 LTSS (src):    xen-4.1.6_06-0.5.1
Comment 10 Swamp Workflow Management 2014-03-13 23:06:48 UTC
SUSE-SU-2014:0373-1: An update that solves 12 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 831120,833251,848014,853048,853049,858311,860092,860163,860165,860300,860302,861256,863297
CVE References: CVE-2013-2212,CVE-2013-6400,CVE-2013-6885,CVE-2014-1642,CVE-2014-1666,CVE-2014-1891,CVE-2014-1892,CVE-2014-1893,CVE-2014-1894,CVE-2014-1895,CVE-2014-1896,CVE-2014-1950
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    xen-4.2.4_02-0.7.1
SUSE Linux Enterprise Server 11 SP3 (src):    xen-4.2.4_02-0.7.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    xen-4.2.4_02-0.7.1
Comment 11 Marcus Meissner 2014-03-24 08:31:07 UTC
released then
Comment 12 Swamp Workflow Management 2014-03-25 15:04:20 UTC
Update released for: xen, xen-debuginfo, xen-debugsource, xen-devel, xen-doc-html, xen-doc-pdf, xen-kmp-debug, xen-kmp-default, xen-kmp-pae, xen-kmp-trace, xen-libs, xen-tools, xen-tools-domU
Products:
SLE-DEBUGINFO 11-SP1-TERADATA (x86_64)
SLE-SERVER 11-SP1-TERADATA (x86_64)
Comment 13 Swamp Workflow Management 2014-03-25 18:48:35 UTC
Update released for: xen, xen-debuginfo, xen-debugsource, xen-devel, xen-doc-html, xen-doc-pdf, xen-kmp-debug, xen-kmp-default, xen-kmp-pae, xen-kmp-trace, xen-kmp-vmi, xen-libs, xen-libs-32bit, xen-tools, xen-tools-domU
Products:
SLE-DEBUGINFO 11-SP1 (i386, x86_64)
SLE-SERVER 11-SP1-LTSS (i386, x86_64)
Comment 14 Swamp Workflow Management 2014-03-25 22:09:42 UTC
SUSE-SU-2014:0446-1: An update that fixes 47 vulnerabilities is now available.

Category: security (important)
Bug References: 777628,777890,779212,786516,786517,786519,786520,787163,789944,789945,789948,789950,789951,794316,797031,797523,800275,805094,813673,813675,813677,816156,816159,816163,819416,820917,820919,823011,823608,826882,831120,839596,839618,840592,841766,842511,848657,849667,849668,853049,860163
CVE References: CVE-2006-1056,CVE-2007-0998,CVE-2012-3497,CVE-2012-4411,CVE-2012-4535,CVE-2012-4537,CVE-2012-4538,CVE-2012-4539,CVE-2012-4544,CVE-2012-5510,CVE-2012-5511,CVE-2012-5513,CVE-2012-5514,CVE-2012-5515,CVE-2012-5634,CVE-2012-6075,CVE-2012-6333,CVE-2013-0153,CVE-2013-0154,CVE-2013-1432,CVE-2013-1442,CVE-2013-1917,CVE-2013-1918,CVE-2013-1919,CVE-2013-1920,CVE-2013-1952,CVE-2013-1964,CVE-2013-2072,CVE-2013-2076,CVE-2013-2077,CVE-2013-2194,CVE-2013-2195,CVE-2013-2196,CVE-2013-2211,CVE-2013-2212,CVE-2013-4329,CVE-2013-4355,CVE-2013-4361,CVE-2013-4368,CVE-2013-4494,CVE-2013-4553,CVE-2013-4554,CVE-2013-6885,CVE-2014-1891,CVE-2014-1892,CVE-2014-1893,CVE-2014-1894
Sources used:
SUSE Linux Enterprise Server 11 SP1 LTSS (src):    xen-4.0.3_21548_16-0.5.1
Comment 15 Swamp Workflow Management 2014-04-04 14:05:01 UTC
openSUSE-SU-2014:0482-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 831120,853048,853049
CVE References: CVE-2013-2212,CVE-2013-4553,CVE-2013-4554,CVE-2013-6400,CVE-2013-6885
Sources used:
openSUSE 13.1 (src):    xen-4.3.2_01-12.1
Comment 16 Swamp Workflow Management 2014-04-04 14:05:57 UTC
openSUSE-SU-2014:0483-1: An update that solves 16 vulnerabilities and has 5 fixes is now available.

Category: security (moderate)
Bug References: 831120,833251,833483,840997,842417,846849,848014,848657,849665,849667,849668,853048,853049,858311,858496,860163,860165,860300,860302,861256,863297
CVE References: CVE-2013-2212,CVE-2013-4494,CVE-2013-4551,CVE-2013-4553,CVE-2013-4554,CVE-2013-6400,CVE-2013-6885,CVE-2014-1642,CVE-2014-1666,CVE-2014-1891,CVE-2014-1892,CVE-2014-1893,CVE-2014-1894,CVE-2014-1895,CVE-2014-1896,CVE-2014-1950
Sources used:
openSUSE 12.3 (src):    xen-4.2.4_02-1.26.2