thr3ads.net - Xen devel - [Xen-devel] Xen Security Advisory 4 (CVE-2011-2901)

If this information is useful, please help other people find it:
Share via:

Xen.org security team

2011-Sep-02 11:18 UTC

[Xen-devel] Xen Security Advisory 4 (CVE-2011-2901) - Xen 3.3 vaddr validation

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

             Xen Security Advisory CVE-2011-2901 / XSA-4
                        revision no.2
        Xen <= 3.3 DoS due to incorrect virtual address validation

ISSUE DESCRIPTION
================
The x86_64 __addr_ok() macro intends to ensure that the checked
address is either in the positive half of the 48-bit virtual address
space, or above the Xen-reserved area. However, the current shift
count is off-by-one, allowing full access to the "negative half" too,
via certain hypercalls which ignore virtual-address bits [63:48].
Vulnerable hypercalls exist only in very old versions of the
hypervisor.

VULNERABLE SYSTEMS
=================
All systems running a Xen 3.3 or earlier hypervisor with 64-bit PV
guests with untrusted administrators are vulnerable.

IMPACT
=====
A malicious guest administrator on a vulnerable system is able to
crash the host.

There are no known further exploits but these have not been ruled out.

RESOLUTION
=========
The attached patch resolves the issue.

Alternatively, users may choose to upgrade to a more recent hypervisor

PATCHES
======
The following patch resolves this issue.

Filename: fix-__addr_ok-limit.patch
SHA1: f18bde8d276110451c608a16f577865aa1226b4f
SHA256: 2da5aac72e1ac4849c34d38374ae456795905fd9512eef94b48fc31383c21636

This patch should apply cleanly, and fix the problem, for all affected
versions of Xen.

It is harmless when applied to later hypervisors and will be included
in the Xen unstable branch in due course.

VERSION HISTORY
==============
Analysis following version 1 of this advisory (sent out to the
predisclosure list during the embargo period) indicates that the
actual DoS vulnerability only exists in very old hypervisors, Xen 3.3
and earlier, contrary to previous reports.

This advisory is no longer embargoed.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQEcBAEBAgAGBQJOYLq2AAoJEIP+FMlX6CvZLegH/26/oJBkd/WM/yYhXkzlbnIP
MxF6Fgy96Omu8poQTanD7g1vEcM0TOLY+Kk3GGsfj4aDdEJ5Nq4ZOW8ooI0VnVcD
7VXQqFsXPxre+eZ6g+G0AsmzdsG45C3qujUTRfGKqzYwXqjWjt9nNsdIy1Mrz8/4
zG1uLDkN0LXnBG2Te4q8ZckYwMq8gFXHHnH35RfQ5Besu6pvJmtK3rFXETdlP12A
JjBh7t5jsCfzvYWFQehVp8mJupuftiOBPClmVh4vrvN9gYd5rzEgB4Q9Ioiqz2qT
2bE1zegR8NeOKBOi9xriTU8F530OdFzeWAbo7D5gyEbYdc60eNwbadcgNGLbzMg=09T8
-----END PGP SIGNATURE-----


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

Xen devel - Sep 2011 - Xen Security Advisory 4 (CVE-2011-2901) - Xen 3.3 vaddr validation

[Xen-devel] Xen Security Advisory 4 (CVE-2011-2901) - Xen 3.3 vaddr validation