Bug 983300 – VUL-1: CVE-2016-5242: xen: arm: Host crash caused by VMID exhaustion (XSA-181)

Bug 983300 - (CVE-2016-5242) VUL-1: CVE-2016-5242: xen: arm: Host crash caused by VMID exhaustion (XSA-181)

(CVE-2016-5242)
Summary:	VUL-1: CVE-2016-5242: xen: arm: Host crash caused by VMID exhaustion (XSA-181)

Status:	RESOLVED INVALID

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P5 - None Severity: Normal
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:
Whiteboard:	CVSSv2:RedHat:CVE-2016-5242:4.7:(AV:...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2016-06-06 14:38 UTC by Marcus Meissner
Modified:	2016-06-06 20:07 UTC (History)
CC List:	1 user (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Marcus Meissner 2016-06-06 14:38:41 UTC

via oss-sec

            Xen Security Advisory CVE-2016-5242 / XSA-181
                              version 2

               arm: Host crash caused by VMID exhaustion

UPDATES IN VERSION 2
====================

CVE assigned.

ISSUE DESCRIPTION
=================

VMIDs are a finite hardware resource, and allocated as part of domain
creation.  If no free VMIDs are available when trying to create a new domain,
a bug in the error path causes a NULL pointer to be used, resulting in a Data
Abort and host crash.

IMPACT
======

Attempting to create too many concurrent domains causes a host crash rather
than a graceful error.  A malicious device driver domain can hold references
to domains, preventing its VMID being released.

VULNERABLE SYSTEMS
==================

Xen versions 4.4 and later are affected.  Older Xen versions are unaffected.

x86 systems are not affected.

Only arm systems with less-privileged device driver domains can expose this
vulnerability.

MITIGATION
==========

There is no mitigation.  Not using driver domains reclassifies the problem,
but does not fix it.

NOTE REGARDING LACK OF EMBARGO
==============================

The crash was discussed publicly on xen-devel, before it was appreciated
that there was a security problem.

CREDITS
=======

This issue was discovered by Aaron Cornelius of DornerWorks.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa181.patch           xen-unstable, Xen 4.6.x, 4.5.x
xsa181-4.4.patch       Xen 4.4.x

$ sha256sum xsa181*
6756fcf44446675e5277f6d6c0e8a0aaa51a7909ad9a55af89a09367fded8733  xsa181.patch
97a90c7cb42466647622cb2ed98de531b7ba2e174a1bc639a32a6f1b626d503f  xsa181-4.4.patch
$

Comment 1 Marcus Meissner 2016-06-06 14:39:12 UTC

i think we still do not do xen on arm.

Comment 2 Charles Arnold 2016-06-06 15:17:10 UTC

(In reply to Marcus Meissner from comment #1)
> i think we still do not do xen on arm.

Right. Nothing for us to do with this bug. It may be closed.

Comment 3 Johannes Segitz 2016-06-06 15:32:43 UTC

and now it is