Bug 951845 - (CVE-2015-7972) VUL-1: CVE-2015-7972: xen: x86: populate-on-demand balloon size inaccuracy can crash guests (XSA-153)
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
Whiteboard: CVSSv2:RedHat:CVE-2015-7972:4.7:(AV:L...
Depends on:
Blocks: CVE-2015-7970
Reported: 2015-10-23 17:26 UTC by Andreas Stieger
Modified: 2021-01-22 08:57 UTC (History)
Found By: Security Response Team
Comment 2 Swamp Workflow Management 2015-10-23 22:00:44 UTC
bugbot adjusting priority
Comment 5 Andreas Stieger 2015-10-26 15:49:08 UTC
The Xen packages in SUSE Linux Enterprise are affected by XSA-150 and XSA-153 related to a DoS when the populate-on-demand option is used. Confirmed source patches were not available in time for the scheduled update. A further update to Xen will contain these fixes.
Comment 6 Andreas Stieger 2015-10-29 12:39:15 UTC
Public at http://xenbits.xen.org/xsa/advisory-153.html

            Xen Security Advisory CVE-2015-7972 / XSA-153
                              version 3

     x86: populate-on-demand balloon size inaccuracy can crash guests

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

The design of the memory populate-on-demand (PoD) system requires that
a guest's memory ballooning driver reach its memory reduction target.
The target is not entirely well-defined in terms of the information
visible to the appropriate parts of the system, so some unknown set of
guests (but probably most guests) will fail this criterion.

If the guest memory balloon driver does not free sufficient memory to
reach its target, the guest will proceed to run with a nonzero number
of outstanding PoD pages.  When the guest or management toolstack
touches such a page, the hypervisor would search the guest memory for
a page containing only zeroes.

If no such page is found, the guest crashes.  Prior to the patch for
XSA-150, the search might lock up the relevant physical cpu for a
while.  After the patch to XSA-150, it might crash the guest even if a
suitable zero page is available.

This means that in the current arrangements toolstack software must
apply an adjustment to a guest's PoD target as supplied to Xen.
Neither xend nor libxl do this.

IMPACT
======

Guests configured with PoD might be unstable, especially under load.

In an affected guest, an unprivileged guest user might be able to
cause a guest crash, perhaps simply by applying load so as to cause
heavy memory pressure within the guest.

This problem also allows an unprivileged guest user to exercise the
separate vulnerability described in XSA-150: an unprivileged guest
user might be able to cause a denial of service affecting the host.

VULNERABLE SYSTEMS
==================

The vulnerability is restricted to HVM guests which have been
constructed in Populate-on-Demand mode (ie, with memory < maxmem).

ARM is not vulnerable.  x86 PV VMs are not vulnerable.  x86 HVM
domains without PoD (ie started with memory==maxmem, or without
mentioning "maxmem" in the guest config file) are not vulnerable.

Systems using libxl (whether via xl, or libvirt, or another higher
layer) or xend (whether via xm, or libvirt, or another higher layer)
are vulnerable.

If the system has been stress-tested (by imposing memory load on the
guest) and found to be stable, it is less likely that the guest is
vulnerable.

Combinations of Xen, guest, guest balloon driver, and toolstack
software, which have an empirical adjustment as described in the
Description, and which have been formally stress-tested in PoD mode,
are less likely to be vulnerable.

Migration is not capable of creating a guest with outstanding PoD.  So
migrating a guest which is vulnerable might crash it.  However, if a
guest has been migrated successfully since it booted, it is no longer
vulnerable.

Xen versions back to 3.4.x are affected.

Vulnerability of a particular guest can be tested by the host
administrator using the utility `xsa153-check.c', attached to this
advisory.


MITIGATION
==========

Reducing the guest's memory target, after guest startup, can cause the
guest's balloon driver to eliminate the PoD discrepancy.  If the guest
successfully balloons down, it will no longer be vulnerable.

On systems using libxl this can be done with `xl mem-set', during or
after each guest boot:

   # ./xsa153-check `xl domid name-of-guest`
   checked domain 621 for XSA-153: VULNERABLE (1 more outstanding pages)
   try using   xl mem-set   to reduce its memory by 1 (Mby)
   or perhaps reduce /local/domain/621/memory/target by 4
   # xl list name-of-guest
   Name                  ID   Mem VCPUs      State   Time(s)
   name-of-guest        621   512     2     r-----     156.9
   # xl mem-set name-of-guest 511
   #
   [ wait for guest to give up memory ]
   # ./xsa153-check `xl domid name-of-guest`
   checked domain 621 for XSA-153: NOT vulnerable
   #

Alternatively, no matter the toolstack, it is possible for a host
administrator to bypass the toolstack code and give ballooning
instructions directly to the guest:

   [ suppose guest domid is 616, eg from xl domid name-of-guest  ]
   # ./xsa153-check 616
   checked domain 616 for XSA-153: VULNERABLE (1 more outstanding pages)
   try using   xl mem-set   to reduce its memory by 1 (Mby)
   or perhaps reduce /local/domain/616/memory/target by 4
   # xenstore-read /local/domain/616/memory/target
   520188
   # xenstore-write /local/domain/616/memory/target 520184
   #
   [ wait for guest to give up memory ]
   # ./xsa153-check `xl domid name-of-guest`
   checked domain 616 for XSA-153: NOT vulnerable
   #

The memory/target value is in decimal, and is a number of kilobytes;
it must be a multiple of 4, since a page is 4 Kb on affected systems.
The value to write should be some amount less than the value read.


It is not currently known whether use of the VM memory event
inspection facilities (in-tree, this means the xc_monitor utility)
might invalidate the workaround.


Note that guests may become unstable if given too little memory, so
large reductions of the memory target should be applied with caution,
if at all.  The expected offset related to XSA-153 is small (tens of
pages, perhaps).  If a large reduction is required, it is more likely
that either the guest is still booting up (and still working to reduce
the PoD memory), or that the guest's balloon driver is not
functioning:

   # ./xsa153-check `xl domid name-of-guest`
   checked domain 623 for XSA-153: VULNERABLE (65536 more outstanding pages)
   difference is >1Mby
   ballon driver not running or guest still booting?
   #

A guest without a working balloon driver will be unstable in PoD mode,
especially under memory pressure; this is an inherent feature of the
design of PoD.


RESOLUTION
==========

The attached patch fixes the problem for systems using libxl (via xl,
or via libvirt, or another higher layer).  At the time of writing
there is no patch for xend-based systems.

xsa153-libxl.patch            xen-unstable, Xen 4.5, Xen 4.6
xsa153-libxl.patch            Xen 4.1 to 4.4 inclusive, using libxl

(Xend was removed in Xen 4.5; so the libxl-only patch is always
sufficient for Xen 4.5 and later.)

$ sha256sum xsa153*
633df5d970af49476c2d279e604150c444834bb906f6568070f0c2e0ceaa3af4  xsa153-check.c
f5cbc98cba758e10da0a01d9379012ec56b98a85a92bfeb0c6b8132d4b91ce77  xsa153-libxl.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html


NOTE REGARDING SHORT EMBARGO
============================

This issue was quickly encountered by the Security Team during our
investigations of the scope and impact of XSA-150; this issue was
originally discussed in the `Incomplete Information' section of
XSA-150 v1.  Accordingly XSA-153 is embargoed and the embargo will
end at the same time as that of XSA-150.
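As an added example, not part of the advisory or of the SUSE bug record: a POSIX shell helper that turns the manual xenstore-read / xenstore-write steps in the MITIGATION section above into a checked procedure. It assumes the outstanding page count is taken from the advisory's xsa153-check output and enforces the constraints the advisory states (target is decimal kilobytes, must stay a multiple of 4, and a reduction of more than 1 MiB is treated as a sign that the balloon driver is not running rather than applied blindly).

```shell
#!/bin/sh
# Added example for the XSA-153 workaround; not code from the advisory.
# Assumes /local/domain/<domid>/memory/target holds a decimal kilobyte
# count, pages are 4 KiB, and OUTSTANDING_PAGES is the number reported
# by the advisory's xsa153-check tool for that domain.

PAGE_KB=4
MAX_REDUCTION_KB=1024   # advisory flags a >1 MiB gap as "balloon driver not running?"

# pod_new_target CURRENT_KB OUTSTANDING_PAGES
# Prints the new target to write, or prints nothing and returns non-zero
# when the inputs would violate the advisory's constraints.
pod_new_target() {
    cur=$1; pages=$2
    for v in "$cur" "$pages"; do                        # digits only
        case "$v" in ''|*[!0-9]*) return 2 ;; esac
    done
    [ "$pages" -gt 0 ] || return 3                      # nothing outstanding
    [ $((cur % PAGE_KB)) -eq 0 ] || return 4            # target must stay page-aligned
    reduce=$((pages * PAGE_KB))
    [ "$reduce" -le "$MAX_REDUCTION_KB" ] || return 5   # too large: guest booting or no balloon driver
    [ "$reduce" -lt "$cur" ] || return 6                # never drive the target to zero
    echo $((cur - reduce))
}

# apply_xsa153_workaround DOMID OUTSTANDING_PAGES
# Reads the guest's target from xenstore, lowers it by the checked amount,
# and re-reads it so the operator can confirm the write landed before
# re-running xsa153-check.
apply_xsa153_workaround() {
    domid=$1; pages=$2
    path="/local/domain/$domid/memory/target"
    cur=$(xenstore-read "$path") || return 1
    new=$(pod_new_target "$cur" "$pages") || {
        echo "refusing to change $path (current=$cur kB, pages=$pages)" >&2
        return 1
    }
    xenstore-write "$path" "$new" || return 1
    echo "$path: $cur -> $(xenstore-read "$path")"
}
```

Running `apply_xsa153_workaround 616 1` on a host reproduces the advisory's 520188 to 520184 change; the guest still needs time to balloon down before xsa153-check reports NOT vulnerable.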
Comment 7 Andreas Stieger 2015-10-29 12:53:16 UTC
The Xen packages in SUSE Linux Enterprise are affected by XSA-150 and XSA-153 related to a DoS when the populate-on-demand option is used. Confirmed source patches were not available in time for the scheduled update. A further update to Xen will contain these fixes.
Comment 8 Swamp Workflow Management 2015-11-12 11:13:03 UTC
openSUSE-SU-2015:1964-1: An update that solves 12 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 877642,932267,938344,939709,939712,941074,944463,944697,947165,950367,950703,950705,950706,951845
CVE References: CVE-2014-0222,CVE-2015-4037,CVE-2015-5154,CVE-2015-5165,CVE-2015-5166,CVE-2015-5239,CVE-2015-6815,CVE-2015-7311,CVE-2015-7835,CVE-2015-7969,CVE-2015-7971,CVE-2015-7972
Sources used:
openSUSE 13.1 (src):    xen-4.3.4_06-50.1
Comment 9 Swamp Workflow Management 2015-11-12 11:14:23 UTC
openSUSE-SU-2015:1965-1: An update that solves 6 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 877642,932267,950367,950703,950705,950706,951845
CVE References: CVE-2014-0222,CVE-2015-4037,CVE-2015-7835,CVE-2015-7969,CVE-2015-7971,CVE-2015-7972
Sources used:
openSUSE Leap 42.1 (src):    xen-4.5.1_12-3.1
Comment 10 Swamp Workflow Management 2015-11-17 10:16:07 UTC
openSUSE-SU-2015:2003-1: An update that solves 13 vulnerabilities and has 9 fixes is now available.

Category: security (important)
Bug References: 877642,901488,907514,910258,918984,923967,925466,932267,935634,938344,939709,939712,944463,944697,945167,947165,949138,950367,950703,950705,950706,951845
CVE References: CVE-2014-0222,CVE-2015-3259,CVE-2015-4037,CVE-2015-5154,CVE-2015-5165,CVE-2015-5166,CVE-2015-5239,CVE-2015-6815,CVE-2015-7311,CVE-2015-7835,CVE-2015-7969,CVE-2015-7971,CVE-2015-7972
Sources used:
openSUSE 13.2 (src):    xen-4.4.3_02-30.1
Comment 11 Marcus Meissner 2015-12-03 10:15:07 UTC
was released

is tracked again in current updates due to a changelog diff
Comment 12 Marcus Meissner 2015-12-03 10:16:46 UTC
actually sles is still open and was not yet released. sorry.


QA: hard to reproduce, we have no reproducer :(
Comment 13 Swamp Workflow Management 2015-12-18 21:13:53 UTC
SUSE-SU-2015:2306-1: An update that fixes 10 vulnerabilities is now available.

Category: security (moderate)
Bug References: 950703,950704,950705,950706,951845,953527,954405,956408,956411,956832
CVE References: CVE-2015-5307,CVE-2015-7504,CVE-2015-7969,CVE-2015-7970,CVE-2015-7971,CVE-2015-7972,CVE-2015-8104,CVE-2015-8339,CVE-2015-8340,CVE-2015-8345
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    xen-4.1.6_08-23.1
SUSE Linux Enterprise Debuginfo 11-SP2 (src):    xen-4.1.6_08-23.1
Comment 14 Swamp Workflow Management 2015-12-19 15:14:20 UTC
SUSE-SU-2015:2326-1: An update that solves 12 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 947165,950703,950704,950705,950706,951845,954018,954405,956408,956409,956411,956592,956832
CVE References: CVE-2015-5307,CVE-2015-7311,CVE-2015-7504,CVE-2015-7969,CVE-2015-7970,CVE-2015-7971,CVE-2015-7972,CVE-2015-8104,CVE-2015-8339,CVE-2015-8340,CVE-2015-8341,CVE-2015-8345
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP3 (src):    xen-4.2.5_18-21.1
SUSE Linux Enterprise Server 11-SP3 (src):    xen-4.2.5_18-21.1
SUSE Linux Enterprise Desktop 11-SP3 (src):    xen-4.2.5_18-21.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    xen-4.2.5_18-21.1
Comment 15 Swamp Workflow Management 2015-12-19 15:17:26 UTC
SUSE-SU-2015:2328-1: An update that fixes 13 vulnerabilities is now available.

Category: security (moderate)
Bug References: 947165,950703,950704,950705,950706,951845,954018,954405,956408,956409,956411,956592,956832
CVE References: CVE-2015-5307,CVE-2015-7311,CVE-2015-7504,CVE-2015-7835,CVE-2015-7969,CVE-2015-7970,CVE-2015-7971,CVE-2015-7972,CVE-2015-8104,CVE-2015-8339,CVE-2015-8340,CVE-2015-8341,CVE-2015-8345
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    xen-4.4.3_06-22.15.1
SUSE Linux Enterprise Server 12 (src):    xen-4.4.3_06-22.15.1
SUSE Linux Enterprise Desktop 12 (src):    xen-4.4.3_06-22.15.1
Comment 16 Marcus Meissner 2015-12-19 16:47:14 UTC
released
Comment 17 Swamp Workflow Management 2015-12-22 12:12:36 UTC
SUSE-SU-2015:2338-1: An update that solves 13 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 947165,950703,950704,950705,950706,951845,954018,954405,955399,956408,956409,956411,956592,956832
CVE References: CVE-2015-5307,CVE-2015-7311,CVE-2015-7504,CVE-2015-7835,CVE-2015-7969,CVE-2015-7970,CVE-2015-7971,CVE-2015-7972,CVE-2015-8104,CVE-2015-8339,CVE-2015-8340,CVE-2015-8341,CVE-2015-8345
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    xen-4.4.3_06-29.1
SUSE Linux Enterprise Server 11-SP4 (src):    xen-4.4.3_06-29.1
SUSE Linux Enterprise Desktop 11-SP4 (src):    xen-4.4.3_06-29.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    xen-4.4.3_06-29.1