Bug 983300 - (CVE-2016-5242) VUL-1: CVE-2016-5242: xen: arm: Host crash caused by VMID exhaustion (XSA-181)
Status: RESOLVED INVALID
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Assigned To: Security Team bot
CVSSv2:RedHat:CVE-2016-5242:4.7:(AV:...
Reported: 2016-06-06 14:38 UTC by Marcus Meissner
Modified: 2016-06-06 20:07 UTC (History)
Description Marcus Meissner 2016-06-06 14:38:41 UTC
via oss-sec

            Xen Security Advisory CVE-2016-5242 / XSA-181
                              version 2

               arm: Host crash caused by VMID exhaustion

UPDATES IN VERSION 2
====================

CVE assigned.

ISSUE DESCRIPTION
=================

VMIDs are a finite hardware resource, and allocated as part of domain
creation.  If no free VMIDs are available when trying to create a new domain,
a bug in the error path causes a NULL pointer to be used, resulting in a Data
Abort and host crash.

IMPACT
======

Attempting to create too many concurrent domains causes a host crash rather
than a graceful error.  A malicious device driver domain can hold references
to domains, preventing its VMID being released.

VULNERABLE SYSTEMS
==================

Xen versions 4.4 and later are affected.  Older Xen versions are unaffected.

x86 systems are not affected.

Only arm systems with less-privileged device driver domains can expose this
vulnerability.

MITIGATION
==========

There is no mitigation.  Not using driver domains reclassifies the problem,
but does not fix it.

NOTE REGARDING LACK OF EMBARGO
==============================

The crash was discussed publicly on xen-devel, before it was appreciated
that there was a security problem.

CREDITS
=======

This issue was discovered by Aaron Cornelius of DornerWorks.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa181.patch           xen-unstable, Xen 4.6.x, 4.5.x
xsa181-4.4.patch       Xen 4.4.x

$ sha256sum xsa181*
6756fcf44446675e5277f6d6c0e8a0aaa51a7909ad9a55af89a09367fded8733  xsa181.patch
97a90c7cb42466647622cb2ed98de531b7ba2e174a1bc639a32a6f1b626d503f  xsa181-4.4.patch
$
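
The failure mode in the advisory's ISSUE DESCRIPTION, shown as an added example that is not part of the advisory and is not Xen's code or the XSA-181 patch: a finite ID pool whose exhaustion sends domain creation down an error path, with a teardown that tolerates a half-built domain. The struct, function names, pool size, reserved value 0 and table size are assumptions made for this model.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_VMID     256   /* assumption: 8-bit VMID space */
#define INVALID_VMID 0     /* assumption: 0 reserved to mean "none" */
#define ROOT_SIZE    4096  /* assumption: size of the per-domain root table */

static unsigned char vmid_used[MAX_VMID];   /* the finite pool */

struct domain { unsigned vmid; void *root; };   /* hypothetical, not Xen's */

/* Return a free VMID, or INVALID_VMID once the pool is exhausted. */
static unsigned vmid_alloc(void)
{
    for (unsigned i = 1; i < MAX_VMID; i++)
        if (!vmid_used[i]) { vmid_used[i] = 1; return i; }
    return INVALID_VMID;
}

/* Safe on a half-built domain: each resource is checked before use. */
static void domain_teardown(struct domain *d)
{
    if (!d) return;
    if (d->root) {                       /* without this guard the error */
        memset(d->root, 0, ROOT_SIZE);   /* path would write through NULL */
        free(d->root);
    }
    if (d->vmid != INVALID_VMID) vmid_used[d->vmid] = 0;
    free(d);
}

/* Return NULL (a graceful error) when no VMID or memory is left. */
static struct domain *domain_create(void)
{
    struct domain *d = calloc(1, sizeof(*d));
    if (!d) return NULL;
    if ((d->vmid = vmid_alloc()) == INVALID_VMID) goto fail;  /* root still NULL */
    if (!(d->root = malloc(ROOT_SIZE))) goto fail;
    return d;
fail:
    domain_teardown(d);
    return NULL;
}

int main(void)
{
    unsigned n = 0;
    while (domain_create()) n++;         /* domains deliberately kept alive */
    printf("created %u domains, then a clean failure\n", n);
    return 0;
}
```

Because a VMID returns to the pool only in `domain_teardown`, anything that keeps a domain alive keeps its ID allocated, which is why the exhaustion path has to fail cleanly.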
Comment 1 Marcus Meissner 2016-06-06 14:39:12 UTC
I think we still do not do xen on arm.
Comment 2 Charles Arnold 2016-06-06 15:17:10 UTC
(In reply to Marcus Meissner from comment #1)
> I think we still do not do xen on arm.

Right. Nothing for us to do with this bug. It may be closed.
Comment 3 Johannes Segitz 2016-06-06 15:32:43 UTC
and now it is