Pkg xen devel - Feb 2008 - Bug#464969: xen-hypervisor-3.2-1-i386: Linux mmap()/vmsplice() exploit causes memory map corruption in hypervisor regardless of domain privilege

Package: xen-hypervisor-3.2-1-i386
Version: 3.2-1
Severity: critical
Tags: security
Justification: DoS of entire system regardless of privilege

When running the exploit listed in bug 464953 [1], Xen's memory state
becomes corrupted and the hypervisor eventually crashes, taking all of
the domU's with it. As such, this breaks operational behaviour, so I have
marked this as critical.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464953

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.18-4-xen-686 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

tags 464969 moreinfo
thanks

On Sat, Feb 09, 2008 at 11:37:00PM -0600, William Pitcock
wrote:
> When running the exploit listed in bug 464953 [1], Xen's memory state
> becomes corrupted and the hypervisor eventually crashes, taking all of
> the domU's with it. As such, this breaks operational behaviour, so I
have
> marked this as critical.
You have to show evidence that the Hypervisor crashed if the exploit
runs in a domU. dom0 is special and can always crash the hypervisor. A
stacktrace is usable to do this.

Bastian

-- 
I'm a soldier, not a diplomat.  I can only tell the truth.
		-- Kirk, "Errand of Mercy", stardate 3198.9

Processing commands for control at bugs.debian.org:
> tags 464969 moreinfo
Bug#464969: xen-hypervisor-3.2-1-i386: Linux mmap()/vmsplice() exploit causes
memory map corruption in hypervisor regardless of domain privilege
Tags were: security
Tags added: moreinfo
> thanks
Stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)

Your message dated Mon, 3 Mar 2008 11:36:47 +0100
with message-id <20080303103646.GA15782 at wavehammer.waldi.eu.org>
and subject line Re: [Pkg-xen-devel] Bug#464969: xen-hypervisor-3.2-1-i386:
Linux mmap()/vmsplice() exploit causes memory map corruption in hypervisor
regardless of domain privilege
has caused the Debian Bug report #464969,
regarding xen-hypervisor-3.2-1-i386: Linux mmap()/vmsplice() exploit causes
memory map corruption in hypervisor regardless of domain privilege
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner at bugs.debian.org
immediately.)


-- 
464969: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464969
Debian Bug Tracking System
Contact owner at bugs.debian.org with problems
-------------- next part --------------
An embedded message was scrubbed...
From: William Pitcock <nenolod at sacredspiral.co.uk>
Subject: xen-hypervisor-3.2-1-i386: Linux mmap()/vmsplice() exploit causes
memory map
 corruption in hypervisor regardless of domain privilege
Date: Sat, 09 Feb 2008 23:37:00 -0600
Size: 2102
Url:
http://lists.alioth.debian.org/pipermail/pkg-xen-devel/attachments/20080303/ad8ea89a/attachment.eml
-------------- next part --------------
An embedded message was scrubbed...
From: Bastian Blank <waldi at debian.org>
Subject: Re: [Pkg-xen-devel] Bug#464969: xen-hypervisor-3.2-1-i386: Linux
mmap()/vmsplice() exploit causes memory map corruption in hypervisor regardless
of domain privilege
Date: Mon, 3 Mar 2008 11:36:47 +0100
Size: 1932
Url:
http://lists.alioth.debian.org/pipermail/pkg-xen-devel/attachments/20080303/ad8ea89a/attachment-0001.eml