Lucene search

K
xenXen ProjectXSA-406
HistoryJul 05, 2022 - 10:44 a.m.

Arm guests can cause Dom0 DoS via PV devices

2022-07-0510:44:00
Xen Project
xenbits.xen.org
27
arm
guests
dom0 dos
pv devices
rbtree
race condition
denial of service (dos)
memory pages
vulnerability
linux.

1.9 Low

CVSS2

Attack Vector

LOCAL

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:L/AC:M/Au:N/C:N/I:N/A:P

4.7 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

0.0004 Low

EPSS

Percentile

14.2%

ISSUE DESCRIPTION

When mapping pages of guests on Arm, dom0 is using an rbtree to keep track of the foreign mappings.
Updating of that rbtree is not always done completely with the related lock held, resulting in a small race window, which can be used by unprivileged guests via PV devices to cause inconsistencies of the rbtree. These inconsistencies can lead to Denial of Service (DoS) of dom0, e.g. by causing crashes or the inability to perform further mappings of other guests’ memory pages.

IMPACT

A guest performing multiple I/Os of PV devices in parallel can cause DoS of dom0 and thus of the complete host.

VULNERABLE SYSTEMS

Only Arm systems (32-bit and 64-bit) are vulnerable. Dom0 Linux versions 3.13 - 5.18 are vulnerable.
X86 systems are not vulnerable.

1.9 Low

CVSS2

Attack Vector

LOCAL

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:L/AC:M/Au:N/C:N/I:N/A:P

4.7 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

0.0004 Low

EPSS

Percentile

14.2%