Bug 889526 - (CVE-2014-5146) VUL-0: CVE-2014-5146,CVE-2014-5149: xen: XSA-97 Long latency virtual-mmu operations are not preemptible
(CVE-2014-5146)
VUL-0: CVE-2014-5146,CVE-2014-5149: xen: XSA-97 Long latency virtual-mmu oper...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
. CVSSv2:NVD:CVE-2014-5146:4.7:(AV:L/...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2014-07-30 09:08 UTC by Victor Pereira
Modified: 2016-11-22 17:18 UTC (History)
3 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
patch for hap-4.2 (15.04 KB, patch)
2014-07-30 09:10 UTC, Victor Pereira
Details | Diff
hap-4.2-prereq (15.30 KB, patch)
2014-07-30 09:11 UTC, Victor Pereira
Details | Diff
hap-4.3 (15.01 KB, patch)
2014-07-30 09:12 UTC, Victor Pereira
Details | Diff
hap-4.4 (15.04 KB, patch)
2014-07-30 09:12 UTC, Victor Pereira
Details | Diff
hap-unstable (15.00 KB, patch)
2014-07-30 09:13 UTC, Victor Pereira
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Victor Pereira 2014-07-30 09:08:50 UTC
Xen Security Advisory XSA-97

        Long latency virtual-mmu operations are not preemptible


ISSUE DESCRIPTION
=================

Some MMU virtualization operations on HVM guests must process every
page assigned to a guest.  For larger guests, this can tie up a vcpu
for a significant amount of time, as the operations are not
preemptible.

IMPACT
======

A malicious HVM guest with a large allocation of shadow/p2m RAM
can mount a denial of service attack affecting the whole system.

VULNERABLE SYSTEMS
==================

ARM systems are not vulnerable.

All x86 Xen versions are vulnerable.

The vulnerability is only exposed to HVM guests.

In the default configuration, the vulnerability is only exposed to
large guests (guests assigned more than 128Gbytes of memory).

MITIGATION
==========

Running only PV guests, or only smaller guests will avoid this
problem.

Since the vulnerability actually depends on the guest's shadow memory,
if you are overriding the default allocation (which is about 0.5% of
guest RAM) by using the "shadow_memory=" VM configuration file option,
you should adjust your idea of a 'smaller' guest accordingly.

RESOLUTION
==========

For HAP-enabled guests, the attached patch resolves ths issue.

HAP (Hardware Assisted Paging, aka nested paging) is enabled by
default if the system is suitably capable.  The VM configuration file
can disable or enable HAP explicitly by setting "hap=0" or "hap=1".
HAP can also be globally disabled by specifying "hap=off" on the
hypervisor command line.

There is no resolution for guests using shadow pagetables (i.e., not
using HAP) at this time.

xsa97-hap-unstable.patch                             xen-unstable
xsa97-hap-4.4.patch                                  Xen 4.4.x
xsa97-hap-4.3.patch                                  Xen 4.3.x
xsa97-hap-4.2-prereq.patch, xsa97-hap-4.2.patch      Xen 4.2.x

$ sha256sum xsa97*.patch
c9e0e9f136db1b976ea371be10430598a7f21b4a33b4849f2081566657ff5da1  xsa97-hap-4.2.patch
c525a99263eed6f93fad685ae9dad1ae10c8930345ec52659211541640797bb5  xsa97-hap-4.2-prereq.patch
cfab6521221a5058a0dfbb6d59c3c4cd0e7f4239bb6cbee2723de22c33caafda  xsa97-hap-4.3.patch
138511f2fd8362366e09dda18443387886ec4397eecc1a2f6a7e85643bd415e8  xsa97-hap-4.4.patch
58c56daa01f20be0317700d383dfbba8de35695bd38a9860c0c0463181d76351  xsa97-hap-unstable.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJT1nUMAAoJEIP+FMlX6CvZvHsH/1JfVSYHi9uQGnkQQLEKWvz6
2x4gt2D5o009ZiK42fHic51i5pF25lpaGQBXp5jv5IECok0Ko6YKX2ESJWkWjThO
SRFikiKLzN2+1Aw0v6d/EFV0JE8QO7UjwBVdFCjUPInbXVzs7pAGXYbzV8275Niy
nUJv85y9g7tOtLLdkG3sWzs0a6uamf1LLifx3hrQWPstR5NRNRxrFfgzKUhsoaQQ
CabXJ7sMdP5hPlwV85OugXMzIVT70NHKKh1i307I3x3sPuvyrMrm6dJxxzV+ezHz
gx9hDh4SiUZG0eB7LWi16g/yfvEyEDdGZJHCE7RwkaWoZg+AnW05ZHSg/dpiA4Q=
=YRTW
-----END PGP SIGNATURE-----
Comment 2 Victor Pereira 2014-07-30 09:10:57 UTC
Created attachment 600299 [details]
patch for hap-4.2
Comment 3 Victor Pereira 2014-07-30 09:11:33 UTC
Created attachment 600301 [details]
hap-4.2-prereq
Comment 4 Victor Pereira 2014-07-30 09:12:01 UTC
Created attachment 600302 [details]
hap-4.3
Comment 5 Victor Pereira 2014-07-30 09:12:45 UTC
Created attachment 600303 [details]
hap-4.4
Comment 6 Victor Pereira 2014-07-30 09:13:39 UTC
Created attachment 600304 [details]
hap-unstable
Comment 7 Swamp Workflow Management 2014-07-30 22:00:24 UTC
bugbot adjusting priority
Comment 10 Jan Beulich 2014-08-29 09:13:47 UTC
I guess you're inquiring about the progress of this? The patches originally provided are making incorrect assumptions and hence need re-working (sadly none of the pre-disclosure list members, including us, noticed the problem, yet the upstream regression testing spotted the issue immediately after the patches went into the respective trees). Finding a solution turns out somewhat problematic (as to not cause other unintended side effects), and hence is taking some more time.
Comment 11 Jan Beulich 2014-08-29 09:14:32 UTC
And the shadow mode side of this still didn't get addressed at all.
Comment 12 SMASH SMASH 2014-09-09 14:15:21 UTC
Affected packages:

SLE-10-SP3-TERADATA: xen
SLE-11-SP1-TERADATA: xen
SLE-11-SP3: xen
SLE-11-SP3-PRODUCTS: xen
SLE-11-SP3-UPTU: xen
Comment 13 Swamp Workflow Management 2015-01-09 11:05:41 UTC
SUSE-SU-2015:0022-1: An update that solves 8 vulnerabilities and has 10 fixes is now available.

Category: security (important)
Bug References: 826717,866902,882089,889526,896023,897614,897906,898772,900292,901317,903357,903359,903850,903967,903970,905465,905467,906439
CVE References: CVE-2013-3495,CVE-2014-5146,CVE-2014-5149,CVE-2014-8594,CVE-2014-8595,CVE-2014-8866,CVE-2014-8867,CVE-2014-9030
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    xen-4.4.1_08-5.2
SUSE Linux Enterprise Server 12 (src):    xen-4.4.1_08-5.2
SUSE Linux Enterprise Desktop 12 (src):    xen-4.4.1_08-5.2
Comment 14 Swamp Workflow Management 2015-02-06 10:06:11 UTC
openSUSE-SU-2015:0226-1: An update that solves 11 vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 826717,866902,882089,889526,900292,901317,903357,903359,903850,903967,903970,905465,905467,906439,906996,910681
CVE References: CVE-2013-3495,CVE-2014-5146,CVE-2014-5149,CVE-2014-8594,CVE-2014-8595,CVE-2014-8866,CVE-2014-8867,CVE-2014-9030,CVE-2014-9065,CVE-2014-9066,CVE-2015-0361
Sources used:
openSUSE 13.1 (src):    xen-4.3.3_04-34.1
Comment 15 Marcus Meissner 2015-02-10 10:47:58 UTC
11 seems not fixed yet
Comment 16 Swamp Workflow Management 2015-02-11 14:06:19 UTC
openSUSE-SU-2015:0256-1: An update that solves 11 vulnerabilities and has 9 fixes is now available.

Category: security (important)
Bug References: 826717,866902,882089,889526,896023,897906,898772,900292,901317,903357,903359,903850,903967,903970,904255,905465,905467,906439,906996,910681
CVE References: CVE-2013-3495,CVE-2014-5146,CVE-2014-5149,CVE-2014-8594,CVE-2014-8595,CVE-2014-8866,CVE-2014-8867,CVE-2014-9030,CVE-2014-9065,CVE-2014-9066,CVE-2015-0361
Sources used:
openSUSE 13.2 (src):    xen-4.4.1_08-9.1
Comment 17 Swamp Workflow Management 2015-02-23 15:55:28 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-03-09.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/60766
Comment 18 Charles Arnold 2015-10-08 14:01:47 UTC
The patches provided by upstream that address this issue have been taken
and committed to all the relevant SLE and openSUSE branches. There have
already been maintenance releases containing them on both SLE and openSUSE.

As for the shadow mode side Jan mentioned in comment #11, upstream has
decided not to address this issue at all. Said another way, the fixes
currently provided are all the fixes expected for this bug.

This bug may be closed.
Comment 19 Marcus Meissner 2015-12-08 14:28:24 UTC
released