Xen.org security team
2012-Dec-03 17:51 UTC
Xen Security Advisory 32 (CVE-2012-5525) - several hypercalls do not validate input GFNs
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2012-5525 / XSA-32 version 4 several hypercalls do not validate input GFNs UPDATES IN VERSION 4 =================== Public release. ISSUE DESCRIPTION ================ The function get_page_from_gfn does not validate its input GFN. An invalid GFN passed to a hypercall which uses this function will cause the hypervisor to read off the end of the frame table and potentially crash. IMPACT ===== A malicious guest administrator of a PV guest can cause Xen to crash. If the out of bounds access does not lead to a crash, a carefully crafted privilege escalation cannot be excluded, even though the guest doesn''t itself control the values written. VULNERABLE SYSTEMS ================= Only Xen 4.2 and Xen unstable are vulnerable. Xen 4.1 and earlier are not vulnerable. The vulnerability is exposed only to PV guests. MITIGATION ========= Running only trusted PV guest kernels will avoid this vulnerability. Running only HVM guests will avoid this vulnerability. RESOLUTION ========= Applying the appropriate attached patch resolves this issue. xsa32-4.2.patch Xen 4.2.x, xen-unstable xsa32-unstable.patch xen-unstable $ sha256sum xsa32*.patch ad25c9298b543ef7af40e9f09cae232d36efc1932804678355ab724a19e3afd9 xsa32-4.2.patch 734cff82a93f032165ef26633acb30a499cc063141c2b16fccb294703718fcb0 xsa32-unstable.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJQvOWxAAoJEIP+FMlX6CvZ9uUH/RM5PGHxWTuFv11kAEJAaQK7 m3dB9GZvjRo/zcRTrSQX2JCumM8rwXffNR9oUHQkC3WxRPjyNRdsiI02sSRLSDAh q2tsalK1PpFNX2DRrOezWrkBA2zR7pnGe3sCzgO3sGGpqMMoG5+u6/IcZHu86LGm zk+e0hMHtuurz6+uB0w8TJoLge4XSTw0K3ck70vCL4ysKmyOcEWcAgDmNA+OwnQ8 duw4UGkXLrxCF1X7RbAh31lUWPSLxPvxsytja+78/9ggpQRxZkF5x6T4oABcZ7jg vjzYkNN3MdN41RIbmZps1SECLm/SKoOvsBxfOJArf0DYgVmJloxZrLK4TyquCDk=oEp3 -----END PGP SIGNATURE----- _______________________________________________ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel