Timer overflow DoS vulnerability

A guest which sets a VCPU with an inappropriate deadline can cause an infinite loop in Xen, blocking the affected physical CPU indefinitely.

lack of check (timer overflow)



VCPU/timers: Prevent overflow in calculations, leading to DoS vulnerability

The timer action for a vcpu periodic timer is to calculate the next expiry time, and to reinsert itself into the timer queue. If the deadline ends up in the past, Xen never leaves _dosoftirq(). The affected PCPU will stay in an infinite loop until Xen is killed by the watchdog (if enabled).

--- a/xen/common/domain.c   Wed Nov 14 10:40:41 2012 +0100
+++ b/xen/common/domain.c   Wed Nov 14 11:33:15 2012 +0000
@@ -882,6 +882,9 @@ long do_vcpu_op(int cmd, int vcpuid, XEN
         if ( set.period_ns < MILLISECS(1) )
             return -EINVAL;
+        if ( set.period_ns > STIME_DELTA_MAX )
+            return -EINVAL;
         v->periodic_period = set.period_ns;
--- a/xen/include/xen/time.h    Wed Nov 14 10:40:41 2012 +0100
+++ b/xen/include/xen/time.h    Wed Nov 14 11:33:15 2012 +0000
@@ -55,6 +55,8 @@ struct tm gmtime(unsigned long t);
 #define MILLISECS(_ms)  ((s_time_t)((_ms) * 1000000ULL))
 #define MICROSECS(_us)  ((s_time_t)((_us) * 1000ULL))
 #define STIME_MAX ((s_time_t)((uint64_t)~0ull>>1))
+/* Chosen so (NOW() + delta) wont overflow without an uptime of 200 years */
+#define STIME_DELTA_MAX ((s_time_t)((uint64_t)~0ull>>2))
 extern void update_vcpu_system_time(struct vcpu *v);
 extern void update_domain_wallclock_time(struct domain *d);


A malicious guest administrator can trigger the bug. If the Xen watchdog is enabled, the whole system will crash. Otherwise the guest can cause the system to become completely unresponsive.