XSA-35

CVE-2013-0152


Problem description

http://xenbits.xen.org/xsa/advisory-35.html

Nested HVM exposes host to being driven out of memory by guest

Guests are currently permitted to enable nested virtualization on themselves. Missing error handling cleanup in the handling code makes it possible for a guest, particularly a multi-vCPU one, to repeatedly invoke this operation, thus causing a leak of - over time - unbounded amounts of memory.

improper error handling (not cleanup)


Patch description

http://xenbits.xen.org/xsa/xsa35.patch

xen: Do not allow guests to enable nested HVM on themselves

There is no reason for this and doing so exposes a memory leak to guests. Only toolstacks need write access to this HVM param.

--- a/xen/arch/x86/hvm/hvm.c
+++ b/xen/arch/x86/hvm/hvm.c
@@ -3871,6 +3871,11 @@ long do_hvm_op(unsigned long op, XEN_GUEST_HANDLE_PARAM(void) arg)
                     rc = -EINVAL;
                 break;
             case HVM_PARAM_NESTEDHVM:
+                if ( !IS_PRIV(current->domain) )
+                {
+                    rc = -EPERM;
+                    break;
+                }
                 if ( a.value > 1 )
                     rc = -EINVAL;
                 if ( !is_hvm_domain(d) )
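Review bot: the new IS_PRIV check at the top of the HVM_PARAM_NESTEDHVM case removes the guest's access to the operation but does not touch the missing error-path cleanup that the advisory names as the cause of the leak, so a privileged toolstack that repeatedly sets this param on a domain would still leak; a follow-up that unwinds partially initialised nested state on failure is warranted. Also note that IS_PRIV(current->domain) is a coarse, caller-only test: it ignores which domain d is, which matches the commit message's "Only toolstacks need write access" but should be called out in the description.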

Forbid guests from enabling nested HVM on themselves.
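The leak mechanism described in the advisory text above and the access check the patch adds, modelled together as an added example in C that is not Xen's code: struct domain's is_privileged flag, vcpu_state, nested_ctx, ctx_alloc and the per-vCPU failure-injection hook are all invented for the illustration. The leaky variant returns on a mid-way failure without unwinding, so each repeated call from the guest leaves more contexts behind; the fixed variant refuses unprivileged callers up front (mirroring the IS_PRIV check) and also unwinds on the error path, which is the cleanup the patch itself does not add.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of the XSA-35 bug class (not Xen's code): enabling
 * nested HVM allocates per-vCPU state; if a later vCPU fails to initialise,
 * the leaky version returns without releasing what earlier vCPUs got. */

#define MAX_VCPUS 8

struct vcpu_state {
    void *nested_ctx;            /* hypothetical per-vCPU nested-HVM context */
};

struct domain {
    bool is_privileged;          /* stands in for IS_PRIV() in the patch */
    int nr_vcpus;
    struct vcpu_state vcpu[MAX_VCPUS];
};

static long live_allocs;         /* live contexts, so the leak is observable */
static int fail_on_vcpu = -1;    /* test hook: this vCPU index fails (-1 = never) */

static void *ctx_alloc(void)
{
    void *p = malloc(64);
    if (p)
        live_allocs++;
    return p;
}

static void ctx_free(void *p)
{
    if (p) {
        live_allocs--;
        free(p);
    }
}

static int vcpu_init_nested(struct domain *d, int i)
{
    if (i == fail_on_vcpu)
        return -ENOMEM;          /* simulated allocation failure */
    d->vcpu[i].nested_ctx = ctx_alloc();
    return d->vcpu[i].nested_ctx ? 0 : -ENOMEM;
}

static void unwind_nested(struct domain *d, int upto)
{
    for (int j = 0; j < upto; j++) {
        ctx_free(d->vcpu[j].nested_ctx);
        d->vcpu[j].nested_ctx = NULL;
    }
}

/* Vulnerable pattern: no error-path cleanup, and any caller (the guest
 * itself included) may invoke it. */
int nested_enable_leaky(struct domain *d)
{
    for (int i = 0; i < d->nr_vcpus; i++) {
        int rc = vcpu_init_nested(d, i);
        if (rc < 0)
            return rc;           /* contexts of vcpu[0..i-1] are abandoned */
    }
    return 0;
}

/* Fixed pattern: reject unprivileged callers first (as the patch does),
 * and unwind partially initialised state on failure. */
int nested_enable_fixed(const struct domain *caller, struct domain *d)
{
    if (!caller->is_privileged)
        return -EPERM;
    for (int i = 0; i < d->nr_vcpus; i++) {
        int rc = vcpu_init_nested(d, i);
        if (rc < 0) {
            unwind_nested(d, i);
            return rc;
        }
    }
    return 0;
}

void nested_disable(struct domain *d)
{
    unwind_nested(d, d->nr_vcpus);
}

/* Driver: repeat the enable operation `rounds` times on a 4-vCPU domain whose
 * fourth vCPU always fails; returns how many contexts remain allocated. */
long outstanding_after(bool use_fixed, bool privileged, int rounds)
{
    struct domain d = { .is_privileged = privileged, .nr_vcpus = 4 };
    live_allocs = 0;
    fail_on_vcpu = 3;
    for (int r = 0; r < rounds; r++) {
        if (use_fixed)
            nested_enable_fixed(&d, &d);   /* guest setting the param on itself */
        else
            nested_enable_leaky(&d);
    }
    fail_on_vcpu = -1;
    return live_allocs;
}

int main(void)
{
    printf("leaky, 10 guest attempts: %ld outstanding\n", outstanding_after(false, false, 10));
    printf("fixed, 10 guest attempts: %ld outstanding\n", outstanding_after(true, false, 10));
    printf("fixed, 10 toolstack attempts: %ld outstanding\n", outstanding_after(true, true, 10));
    return 0;
}
```

Run stand-alone, the leaky variant reports three contexts lost per attempt (30 after ten), while both fixed runs report zero: the unprivileged guest is refused with -EPERM before anything is allocated, and the privileged caller's failed attempt is unwound.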


Consequence

A malicious domain can mount a denial of service attack affecting the whole system.

DoS