Xen.org security team
2012-Sep-05 10:13 UTC
Xen Security Advisory 13 (CVE-2012-3495) - hypercall physdev_get_free_pirq vulnerability
Xen Security Advisory CVE-2012-3495 / XSA-13
version 3

hypercall physdev_get_free_pirq vulnerability

UPDATES IN VERSION 3
====================

Public release. Credit Matthew Daley.

ISSUE DESCRIPTION
=================

PHYSDEVOP_get_free_pirq does not check that its call to get_free_pirq
succeeded, and if it fails will use the error code as an array index.

IMPACT
======

A malicious guest might be able to cause the host to crash, leading to
a DoS, depending on the exact memory layout. Privilege escalation is a
theoretical possibility which cannot be ruled out, but is considered
unlikely.

VULNERABLE SYSTEMS
==================

All Xen systems. Xen 4.1 is vulnerable. Other versions of Xen are not
vulnerable.

MITIGATION
==========

This issue can be mitigated by ensuring (inside the guest) that the
kernel is trustworthy and avoiding situations where something might
repeatedly cause the attempted allocation of a physical irq.

RESOLUTION
==========

Applying the appropriate attached patch will resolve the issue.

CREDIT
======

Thanks to Matthew Daley for finding this vulnerability (and that in
XSA-12) and notifying the Xen.org security team.

PATCH INFORMATION
=================

The attached patches resolve this issue.

Xen 4.1, 4.1.x            xsa13-xen-4.1.patch

$ sha256sum xsa13-*.patch
ad6e3e40ff56c7c25a94d8d9763d4b49f07802b90b4362ddbe4c86bf285c1239  xsa13-xen-4.1.patch
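
The unchecked-return pattern described under ISSUE DESCRIPTION, shown beside its corrected form. This is an added illustration, not Xen source and not the attached patch: a self-contained C model in which the allocator, table size, guard region and error value (model_get_free_pirq, NR_PIRQS, GUARD, MODEL_ENOSPC) are all constructed for the example.

```c
#include <stdio.h>
#define GUARD        64  /* constructed: bytes standing in for memory below the table */
#define NR_PIRQS     16  /* constructed table size */
#define MODEL_ENOSPC 28  /* constructed error value, returned negated */

/* Flat array: mem[0..GUARD-1] models neighbouring memory, the pirq table follows. */
struct model { unsigned char mem[GUARD + NR_PIRQS]; };

/* Hypothetical allocator: a free slot index, or a negative error when full. */
static int model_get_free_pirq(const struct model *m)
{
    for (int i = NR_PIRQS - 1; i >= 0; i--)
        if (m->mem[GUARD + i] == 0)
            return i;
    return -MODEL_ENOSPC;
}

/* Flawed pattern from the advisory: the result is used as an index unchecked. */
static int alloc_unchecked(struct model *m)
{
    int pirq = model_get_free_pirq(m);
    m->mem[GUARD + pirq] = 1;  /* on failure this store lands below the table */
    return pirq;
}

/* Corrected pattern: propagate the error before touching the table. */
static int alloc_checked(struct model *m)
{
    int pirq = model_get_free_pirq(m);
    if (pirq < 0) return pirq;
    m->mem[GUARD + pirq] = 1;
    return pirq;
}

/* Count modified bytes outside the table. */
static int guard_bytes_touched(const struct model *m)
{
    int n = 0;
    for (int i = 0; i < GUARD; i++) n += (m->mem[i] != 0);
    return n;
}

int main(void)
{
    struct model a = {{0}}, b = {{0}};
    /* One request more than the table holds, so the last allocation fails. */
    for (int i = 0; i <= NR_PIRQS; i++) { alloc_unchecked(&a); alloc_checked(&b); }
    printf("stray writes: unchecked=%d checked=%d\n", guard_bytes_touched(&a), guard_bytes_touched(&b));
    return 0;
}
```

The model keeps the stray store inside one array so the program stays well-defined; in real code the same negative index reaches whatever memory precedes the table, which is why the advisory ties the impact to the exact memory layout.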