Xen.org security team
2012-Nov-13 12:56 UTC
Xen Security Advisory 25 (CVE-2012-4544, CVE-2012-2625) - Xen domain builder Out-of-memory due to malicious kernel/ramdisk
Xen Security Advisory CVE-2012-4544,CVE-2012-2625 / XSA-25
version 2

Xen domain builder Out-of-memory due to malicious kernel/ramdisk

UPDATES IN VERSION 2
====================

Clarify that XSA-25 is reporting, via the Xen.org security process, both CVE-2012-4544 and CVE-2012-2625.

Also we would like to apologise for the fact that xen-announce's copy of version 1 of this advisory was delayed in mailing list moderation.

ISSUE DESCRIPTION
=================

The Xen PV domain builder contained no validation of the size of the supplied kernel or ramdisk either before or after decompression. This could cause the toolstack to consume all available RAM in the domain running the domain builder. (CVE-2012-4544)

Additionally, pygrub could consume an excessive amount of memory under similar circumstances to the above. (CVE-2012-2625)

IMPACT
======

A malicious guest administrator who can supply a kernel or ramdisk can exhaust memory in domain 0, leading to a denial of service.

VULNERABLE SYSTEMS
==================

All versions of Xen are vulnerable.

MITIGATION
==========

Running only trusted kernels and ramdisks will avoid these vulnerabilities.

Using pvgrub also avoids these vulnerabilities since the builder will run in guest context. (nb: use of pygrub *is* vulnerable).

Running only HVM guests will avoid these vulnerabilities.

RESOLUTION
==========

Applying the appropriate attached patch resolves these issues.

The pygrub problem (CVE-2012-2625) was fixed in xen-unstable (and the fix inherited by Xen 4.2.x) in revision 25589:60f09d1ab1fe but not called out as a security problem. This fix is also included, where necessary, in the patches below.

xsa25-unstable.patch        Xen unstable
xsa25-4.2.patch             Xen 4.2.x
xsa25-4.1.patch             Xen 4.1.x

$ sha256sum xsa25*.patch
613e4b82cdc9cabf9cbd52076118887b298c47e680c2066a28a77f12e9f90606  xsa25-4.1.patch
135bc089d003f9b97991764c37b1ab8d37e9cbcfa1b9bd7429b4503abe00c8f5  xsa25-4.2.patch
534495b7eef6e599f5814f0a67fc84fbe2e8eee9d223a09ad178ff63bdcda3dd  xsa25-unstable.patch

Note that these patches impose a new size limit of 1Gby on both the compressed and uncompressed sizes of ramdisks. On some systems it may be desirable to relax these limits and risk virtual address or memory exhaustion in the toolstack. This can be achieved by setting XC_DOM_DECOMPRESS_MAX to the desired limit (in bytes), either by building with "APPEND_CFLAGS=-DXC_DOM_DECOMPRESS_MAX=<limit>" or by editing tools/libxc/xc_dom.h directly.

NOTE REGARDING LACK OF EMBARGO
==============================

These issues have already been discussed in public in various places, including https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2625 and http://bugs.debian.org/688125. This advisory is therefore not subject to an embargo.
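
The kind of check described above, a cap applied to both the compressed input and the decompressed output, can be sketched as follows. This is an added Python example, not code from the XSA-25 patches or from pygrub; the names bounded_gunzip, make_gzip, ImageTooLarge and DECOMPRESS_MAX, and the 1 MiB demo limit, are assumptions made for illustration.

```python
import io
import zlib

# Assumed demo value; the advisory says the patches impose a 1Gby limit
# via XC_DOM_DECOMPRESS_MAX.
DECOMPRESS_MAX = 1 << 20


class ImageTooLarge(Exception):
    """Kernel/ramdisk is larger than the configured limit."""


def bounded_gunzip(stream, limit=DECOMPRESS_MAX, chunk=64 * 1024):
    """Inflate a gzip stream; never read or produce more than `limit` bytes."""
    inflater = zlib.decompressobj(31)  # wbits=31 selects the gzip container
    out = bytearray()
    consumed = 0
    while not inflater.eof:
        block = stream.read(chunk)
        if not block:
            raise ValueError("truncated gzip stream")
        consumed += len(block)
        if consumed > limit:
            raise ImageTooLarge("compressed size exceeds limit")
        while block and not inflater.eof:
            # Ask for at most one byte past the limit, so an oversized image
            # is detected without ever buffering its full expansion.
            out += inflater.decompress(block, limit - len(out) + 1)
            if len(out) > limit:
                raise ImageTooLarge("decompressed size exceeds limit")
            block = inflater.unconsumed_tail
    return bytes(out)


def make_gzip(payload):
    """Build a constructed gzip sample in memory."""
    comp = zlib.compressobj(9, zlib.DEFLATED, 31)
    return comp.compress(payload) + comp.flush()


if __name__ == "__main__":
    # Constructed inputs: a small "ramdisk" and 8 MiB of zeros (a few KiB compressed).
    for name, blob in (("small", make_gzip(b"initrd" * 1000)),
                       ("oversized", make_gzip(b"\0" * (8 << 20)))):
        try:
            size = len(bounded_gunzip(io.BytesIO(blob)))
            print(name, len(blob), "->", size, "bytes accepted")
        except ImageTooLarge as exc:
            print(name, len(blob), "bytes rejected:", exc)
```

The compressed size of the oversized sample is far below the limit, which is why a check on the input size alone is not enough and the output has to be bounded during decompression.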