Xen.org security team
2012-Nov-13 12:56 UTC
Xen Security Advisory 24 (CVE-2012-4539) - Grant table hypercall infinite loop DoS vulnerability
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2012-4539 / XSA-24 version 2 Grant table hypercall infinite loop DoS vulnerability UPDATES IN VERSION 2 =================== Public release. ISSUE DESCRIPTION ================ Due to inappropriate duplicate use of the same loop control variable, passing bad arguments to GNTTABOP_get_status_frames can cause an infinite loop in the compat hypercall handler. IMPACT ===== A malicious guest administrator can trigger the bug. If the Xen watchdog is enabled, the whole system will crash. Otherwise the guest can cause the system to become completely unresponsive. VULNERABLE SYSTEMS ================= Xen versions 4.0 and onwards are vulnerable. Earlier released Xen versions are not vulnerable. Only 32-bit x86 PV guests, running on 64-bit Xen hypervisors, introduce the vulnerability. MITIGATION ========= Running only 64-bit guests, or (in previous Xen versions) running a 32-bit hypervisor (which supports only 32-bit guests), will avoid this vulnerability. Note however that if in a 64-bit Xen system the guest kernel image file is under the control of the guest administrator, the guest administrator will normally be able to control whether the guest is 32-bit or 64-bit by supplying a different kernel image. Running only HVM guests will avoid this vulnerability. RESOLUTION ========= The attached patch resolves this issue. The same patch is applicable to all affected versions. $ sha256sum xsa24.patch 2963dff4dbc08aab4278215d74c2cce365972f213453bb7c513d097a838de196 xsa24.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJQokGvAAoJEIP+FMlX6CvZ0HAH/jy7Id9Ai1ZJSou6xu6USdQP QyaT6BnWzIA8ziatcnRzq5YHW+Occ4g4+9fU92zHpVsFGF5mAN9/aq83xLHoFHkb TPH/+xNCRz50zfQ21VTejr6jFlfiO6S1y/4bxVYfohtoevijo5tpRo+OYdFZXMM8 psagcYXHgOsUy95pFsPBbwg6bh0S/ffDfZnyK3LZCP3J/Xx82kj7Du/HgKcM9lDx gk/q0VjFM6M/utxyn2gQlFGbX8YFfoytb9WzcrQdcPf4Ubu/jGUykm1BS/+IrXHs C9BtBa6w+k2T6dZgRmseeOjy0PgiEYKrqYhwAG1VC8F+RMLpAmtNGJS3gatwFHE=IoWx -----END PGP SIGNATURE----- _______________________________________________ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel