MaoXiaoyun
2011-May-16 16:38 UTC
[Xen-devel] insufficiencies in pv kernel image validation
Hi:

Documented in https://bugzilla.redhat.com/show_bug.cgi?id=696927.

[[[
It has been found that xc_try_bzip2_decode() and xc_try_lzma_decode() decode routines did not properly check for possible buffer size overflow in the decoding loop. Specially crafted kernel image file could be created that would trigger allocation of a small buffer resulting in buffer overflow with user supplied data.

Additionally, several integer overflows and lack of error/range checking that could result in the loader reading its own address space or could lead to an infinite loop have been found.

A privileged DomU user could use these flaws to cause denial of service or, possibly, execute arbitrary code in Dom0.

Only management domains with 32-bit userland are vulnerable.
]]]

The last line above, what is "management domains"?
Does Xen 4.0/4.1 suffer from this bug?
And are any patches available?

Thanks.

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel
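The advisory quoted above describes a decoding loop that grows its output buffer without checking the size arithmetic or an upper bound. The following is an added illustration of the kind of check that was missing, written for this thread and not taken from Xen's libxc or from the fix the advisory refers to; `grow_output_buffer`, `decode_rle` and the run-length input format are hypothetical, and the toy decoder exists only to drive the buffer growth.

```c
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

/* Hypothetical helper (not Xen's code): make room for `need` more bytes
 * after `used` in a decoder's output buffer. Size arithmetic is checked
 * so it cannot wrap (the 32-bit userland case in the advisory), and the
 * total may never exceed `max_out`. Returns 0 on success, -1 when the
 * caller must abort decoding. */
int grow_output_buffer(unsigned char **buf, size_t *cap, size_t used,
                       size_t need, size_t max_out)
{
    size_t want, newcap;
    unsigned char *p;

    if (need > SIZE_MAX - used)   /* used + need would wrap */
        return -1;
    want = used + need;
    if (want > max_out)           /* hard limit on decompressed size */
        return -1;
    if (want <= *cap)             /* enough room already */
        return 0;

    /* Double the capacity, saturating at max_out instead of wrapping. */
    newcap = *cap ? *cap : 64;
    while (newcap < want) {
        if (newcap > max_out / 2) { newcap = max_out; break; }
        newcap *= 2;
    }
    p = realloc(*buf, newcap);
    if (!p)
        return -1;
    *buf = p;
    *cap = newcap;
    return 0;
}

/* Toy decoder over a constructed (count, byte) run-length stream, used
 * only to exercise the growth check. Returns decoded length or -1. */
long decode_rle(const unsigned char *in, size_t inlen,
                unsigned char **out, size_t max_out)
{
    size_t cap = 0, used = 0, i;
    *out = NULL;
    if (inlen % 2)                /* truncated pair: reject, do not loop */
        return -1;
    for (i = 0; i < inlen; i += 2) {
        size_t n = in[i];
        if (grow_output_buffer(out, &cap, used, n, max_out) < 0) {
            free(*out); *out = NULL; return -1;
        }
        memset(*out + used, in[i + 1], n);
        used += n;
    }
    return (long)used;
}
```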
Keith Coleman
2011-May-16 17:05 UTC
Re: [Xen-devel] insufficiencies in pv kernel image validation
2011/5/16 MaoXiaoyun <tinnycloud@hotmail.com>:
> Hi:
>
> Documented in https://bugzilla.redhat.com/show_bug.cgi?id=696927.
>
> [[[
> It has been found that xc_try_bzip2_decode() and xc_try_lzma_decode() decode routines did not properly check for possible buffer size overflow in the decoding loop. Specially crafted kernel image file could be created that would trigger allocation of a small buffer resulting in buffer overflow with user supplied data.
>
> Additionally, several integer overflows and lack of error/range checking that could result in the loader reading its own address space or could lead to an infinite loop have been found.
>
> A privileged DomU user could use these flaws to cause denial of service or, possibly, execute arbitrary code in Dom0.
>
> Only management domains with 32-bit userland are vulnerable.
> ]]]
>
> The last line above, what is "management domains"?
> Does Xen 4.0/4.1 suffer from this bug?
> And are any patches available?

Patches were committed to all maintained branches, including xen-3.4, last Monday.

--
Keith Coleman
Ian Jackson
2011-May-20 14:00 UTC
Re: [Xen-devel] insufficiencies in pv kernel image validation
MaoXiaoyun writes ("[Xen-devel] insufficiencies in pv kernel image validation"):
> Documented in https://bugzilla.redhat.com/show_bug.cgi?id=696927.

This is the subject of one of our recent advisories, here:

http://lists.xensource.com/archives/html/xen-devel/2011-05/msg00483.html

Ian.