thr3ads.net - Xen devel - Xen Security Advisory 27 (CVE-2012-5511, CVE-2012-6333) - several HVM operations do not validate the range of their inputs [Jan 2013]

If this information is useful, please help other people find it:
Share via:

Xen.org security team

2013-Jan-17 12:26 UTC

Xen Security Advisory 27 (CVE-2012-5511, CVE-2012-6333) - several HVM operations do not validate the range of their inputs

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

      Xen Security Advisory CVE-2012-5511,CVE-2012-6333 / XSA-27
                           version 5

   several HVM operations do not validate the range of their inputs

UPDATES IN VERSION 5
===================
The supplied patch for 4.1 was found to contain a bug. The patch has
been updated. The incremental fix can be found at
http://lists.xen.org/archives/html/xen-devel/2013-01/msg01193.html

Mitre have asked that two CVEs are used for the issues described here:
 * CVE-2012-5511 now applies only to the stack-based buffer overflow
   that was fixed in 4.2.
 * CVE-2012-6333 applies to the large input validation issues.

ISSUE DESCRIPTION
================
Several HVM control operations do not check the size of their inputs
and can tie up a physical CPU for extended periods of time.

In addition dirty video RAM tracking involves clearing the bitmap
provided by the domain controlling the guest (e.g. dom0 or a
stubdom). If the size of that bitmap is overly large, an intermediate
variable on the hypervisor stack may overflow that stack.

IMPACT
=====
A malicious guest administrator can cause Xen to become unresponsive
or to crash leading in either case to a Denial of Service.

VULNERABLE SYSTEMS
=================
All Xen versions from 3.4 onwards are vulnerable.

However Xen 4.2 and unstable are not vulnerable to the stack
overflow. Systems running either of these are not vulnerable to the
crash.

Version 3.4, 4.0 and 4.1 are vulnerable to both the stack overflow and
the physical CPU hang.

The vulnerability is only exposed to HVM guests.

MITIGATION
=========
Running only PV guests will avoid this vulnerability.

RESOLUTION
=========
Applying the appropriate attached patch resolves this issue.

xsa27-4.1.patch             Xen 4.1.x
xsa27-4.2.patch             Xen 4.2.x
xsa27-4.unstable.patch      xen-unstable


$ sha256sum xsa27*.patch
82c9160484165acdebf91e8d80538829c756cf5abc2d8d890c8b4abd9aa4800a 
xsa27-4.1.patch
462eae827944d1d337a6ebf13a36ea952d7fb76b993b9c29946e1d9cfb5ea2a3 
xsa27-4.2.patch
fcb07c6bd78a0d9513a68e2eb3bf0c21ef4d8ff0e6ebf6fdce04a3170303cab6 
xsa27-unstable.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJQ9+vTAAoJEIP+FMlX6CvZYdIIAIydLf9OVKnYmFvbze6CeSTd
KOp0EgmJu/Da4bbGejn3HKMZD9KsZ8nMAv/rIyQKgfNcSLWd0giMJ0IDyqnoVP0v
W/UiL5b7IiGToYLhqQJWM21sIxD/YC9rZTyqg00LhSSxO0NPzsPuD5r/qPakuJ8l
11cJ87oEObZAK/0csyy2X+Eh00UAkcc0pOiAM3+jjamM1lq/lUt/RX4e00VRGLoJ
K3Cy1B5IesnA1CbgJZn2RSQSLWLFKN5W6/ChtkPUmJDsJzuv60VRHptv4PbD+/Cf
VtdGChfvs/dDYhPVt2c/kYMmqv/Brz8TzpaeUC4CzYnCLyRxplsQOPtLRzK+46o=NqsN
-----END PGP SIGNATURE-----




_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

Xen devel - Jan 2013 - Xen Security Advisory 27 (CVE-2012-5511, CVE-2012-6333) - several HVM operations do not validate the range of their inputs

Xen Security Advisory 27 (CVE-2012-5511, CVE-2012-6333) - several HVM operations do not validate the range of their inputs