XSA-74

CVE-2013-4553

问题描述

http://xenbits.xen.org/xsa/advisory-74.html

Lock order reversal between pagealloclock and mm_rwlock

The locks page_alloc_lock and mm_rwlock are not always taken in the same order. This raises the possibility of deadlock.

The incorrect order occurs only in the implementation of the deprecated domctl hypercall XEN_DOMCTL_getmemlist.

logic error (deadlock), now deprecated.

Patch描述

http://xenbits.xen.org/xsa/xsa74-4.1-4.2..patch

x86: restrict XENDOMCTLgetmemlist

--- a/xen/arch/x86/domctl.c
+++ b/xen/arch/x86/domctl.c
@@ -385,6 +385,26 @@ long arch_do_domctl(
                 break;
             }
 
+            /*
+             * XSA-74: This sub-hypercall is broken in several ways:
+             * - lock order inversion (p2m locks inside page_alloc_lock)
+             * - no preemption on huge max_pfns input
+             * - not (re-)checking d->is_dying with page_alloc_lock held
+             * - not honoring start_pfn input (which libxc also doesn't set)
+             * Additionally it is rather useless, as the result is stale by
+             * the time the caller gets to look at it.
+             * As it only has a single, non-production consumer (xen-mceinj),
+             * rather than trying to fix it we restrict it for the time being.
+             */
+            if ( /* No nested locks inside copy_to_guest_offset(). */
+                 paging_mode_external(current->domain) ||
+                 /* Arbitrary limit capping processing time. */
+                 max_pfns > GB(4) / PAGE_SIZE )
+            {
+                ret = -EOPNOTSUPP;
+                break;
+            }
+
             spin_lock(&d->page_alloc_lock);
 
             if ( unlikely(d->is_dying) ) {

we just restrict it rather than fix it.

Consequence

A malicious guest administrator may be able to deny service to the entire host.

DoS