long running memory operations on ARM

ISSUE DESCRIPTION

Certain HYPERVISOR_memory_op subops take page order inputs, with so far insufficient enforcement of limits thereof. In particular, for all of XENMEM_increase_reservation, XENMEM_populate_physmap, and XENMEM_exchange the order was limited to 9 only for guests without physical devices assigned. Guests with assigned devices were allowed up to order 18 (x86) or 20 (ARM). XENMEM_decrease_reservation enforced only the latter, higher limit uniformly on all kinds of guests.
All of these operations involve loops over individual pages (possibly nested, with only the iteration count of the innermost loop being of interest here), resulting in iteration counts of up to 1 million on ARM. Total execution time of these operations obviously depends on system speed, but have been measured to get into the seconds range.

IMPACT

A malicious guest administrator can cause a denial of service. Specifically, prevent use of a physical CPU for a significant period. Other attacks, namely privilege escalation, cannot be ruled out.
If a host watchdog (Xen or dom0) is in use, this can lead to a watchdog timeout and consequently a reboot of the host. If another, innocent, guest, is configured with a watchdog, this issue can lead to a reboot of such a guest.

VULNERABLE SYSTEMS

All Xen versions supporting ARM are affected.
x86 versions of Xen are unaffected.