CVE-2012-3433
HVM guest destroy p2m teardown host DoS vulnerability
An HVM guest is able to manipulate its physical address space such that tearing down the guest takes an extended amount of time searching for shared pages.
This causes the domain 0 VCPU that tears down the domain to be blocked in the destroy hypercall. That domain 0 VCPU becomes unavailable, which may cause the domain 0 kernel to panic.
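A constructed model of the teardown scan described above, added here as an example and not Xen's own code: a guest with a large p2m and few shared pages forces the unbounded loop to examine every gfn, while stopping once the shared-page counter reaches zero bounds the work by the number of shared pages. Names (`p2m_model`, `teardown_scan`, `make_guest`) are invented for the illustration.

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed model (not Xen's types): each guest frame has a p2m type and
 * p2m_ram_shared entries must be unshared before the domain can be freed. */
enum p2m_type { p2m_invalid = 0, p2m_ram_rw, p2m_ram_shared };

struct p2m_model {
    enum p2m_type *entries;    /* indexed by gfn */
    uint64_t max_mapped_pfn;   /* loop bound, as in p2m_teardown() */
    int shr_pages;             /* models d->shr_pages */
    uint64_t entries_examined; /* cost counter: get_entry() lookups performed */
};

/* Models mem_sharing_unshare_page(): converts the page and decrements the
 * shared-page count, which is what makes the early exit sound. */
static int model_unshare(struct p2m_model *m, uint64_t gfn) {
    if (m->entries[gfn] != p2m_ram_shared) return -1;
    m->entries[gfn] = p2m_ram_rw;
    m->shr_pages--;
    return 0;
}

/* Teardown scan. bounded=0 reproduces the pre-fix walk over the whole p2m;
 * bounded=1 adds the fix's early exit once no shared pages remain. Returns
 * how many p2m entries were examined, i.e. the work dom0's VCPU performs. */
static uint64_t teardown_scan(struct p2m_model *m, int bounded) {
    m->entries_examined = 0;
    for (uint64_t gfn = 0; gfn < m->max_mapped_pfn; gfn++) {
        if (bounded && m->shr_pages == 0)
            break;
        m->entries_examined++;
        if (m->entries[gfn] == p2m_ram_shared)
            model_unshare(m, gfn);
    }
    return m->entries_examined;
}

/* Builds a guest with max_mapped_pfn entries and `shared` shared pages at the
 * lowest gfns: the worst case is a large address space with few shared pages. */
static struct p2m_model *make_guest(uint64_t max_mapped_pfn, int shared) {
    struct p2m_model *m = calloc(1, sizeof *m);
    m->entries = calloc(max_mapped_pfn, sizeof *m->entries);
    m->max_mapped_pfn = max_mapped_pfn;
    for (uint64_t gfn = 0; gfn < max_mapped_pfn; gfn++)
        m->entries[gfn] = p2m_ram_rw;
    for (int i = 0; i < shared && (uint64_t)i < max_mapped_pfn; i++)
        m->entries[i] = p2m_ram_shared;
    m->shr_pages = shared;
    return m;
}
```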
improper error handling (VCPU block)
http://xenbits.xen.org/hg/xen-4.1-testing.hg/rev/859205b36fe9
xen: only check for shared pages while any exist on teardown
Avoids worst case behaviour when guest has a large p2m.
--- a/xen/arch/x86/mm/p2m.c Fri Aug 03 10:43:24 2012 +0100
+++ b/xen/arch/x86/mm/p2m.c Thu Aug 09 15:47:42 2012 +0100
@@ -2044,6 +2044,8 @@ void p2m_teardown(struct p2m_domain *p2m
#ifdef __x86_64__
for ( gfn=0; gfn < p2m->max_mapped_pfn; gfn++ )
{
+ if ( atomic_read(&d->shr_pages) == 0 )
+ break;
mfn = p2m->get_entry(p2m, gfn, &t, &a, p2m_query);
if ( mfn_valid(mfn) && (t == p2m_ram_shared) )
BUG_ON(mem_sharing_unshare_page(p2m, gfn, MEM_SHARING_DESTROY_GFN));
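Review bot: the early exit only bounds the scan if mem_sharing_unshare_page() decrements d->shr_pages on every successful unshare, and `d` is not defined in the visible context, so a one-line comment above `if ( atomic_read(&d->shr_pages) == 0 )` stating that `d` is the domain owning this p2m and that the counter is kept in sync by the unshare path would document the invariant the fix depends on. Folding the check into the loop condition (`gfn < p2m->max_mapped_pfn && atomic_read(&d->shr_pages) != 0`) would also let a guest with no shared pages skip the loop entirely rather than entering it once.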
A guest kernel can cause the host to become unresponsive for a period of time, potentially leading to a DoS.
DoS