Xen.org security team
2012-Dec-03 17:51 UTC
Xen Security Advisory 29 (CVE-2012-5513) - XENMEM_exchange may overwrite hypervisor memory
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Xen Security Advisory CVE-2012-5513 / XSA-29
version 3
XENMEM_exchange may overwrite hypervisor memory
UPDATES IN VERSION 3
===================
Public release.
ISSUE DESCRIPTION
================
The handler for XENMEM_exchange accesses guest memory without range checking
the guest provided addresses, thus allowing these accesses to include the
hypervisor reserved range.
IMPACT
=====
A malicious guest administrator can cause Xen to crash. If the out of address
space bounds access does not lead to a crash, a carefully crafted privilege
escalation cannot be excluded, even though the guest doesn''t itself
control
the values written.
VULNERABLE SYSTEMS
=================
All Xen versions are vulnerable.
The vulnerability is only exposed to PV guests.
MITIGATION
=========
Running only HVM guests, or ensuring that PV guests only use trusted kernels,
will avoid this vulnerability.
RESOLUTION
=========
Applying the appropriate attached patch resolves this issue.
xsa29-4.1.patch Xen 4.1.x
xsa29-4.2-unstable.patch Xen 4.2.x, xen-unstable
$ sha256sum xsa29*.patch
7246a5534bc1e6a47bb6a860f6eb61c8353ad8b46209310783e823b4f7e2eae8
xsa29-4.1.patch
54dcd3ac5c84903bfb04f8591107a74c27b079815f2c6843212e05f776873c73
xsa29-4.2-unstable.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iQEcBAEBAgAGBQJQvOJ3AAoJEIP+FMlX6CvZ7u8IAM01+jNn5fwdGmoo/LIdH885
nWr5aSc+qMqVuSvla0KKh1SOLFaVWFgovLN1Sfu2hAxLgrK3HxN86RqHU/vLo0k0
KTFM+9xQlxhJNQzyQSiDryH/qSrHTQI6ERxUEYgfjtTieK8y30SZqkd6jBmwoir/
nAMMP8oFmVevM2WfYEWjNNsWPaiUlUYP13qxiWGPcGzhcNNKRwcmrIY4N+F6kHID
Ipl4l5vhoeSaQ0fKkcJKHa+3QGd+706jHZ5VTCwPdWBCnBJLFuMWbc2UlyIg2EB9
N+3Olwf3jCF0zIzBJkomA+FAg+D7kw31DCjc+y1PdGIyuoMkk+JRwYFVkZcKLi4=pD8C
-----END PGP SIGNATURE-----
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel