Xen.org security team
2012-Sep-05 10:13 UTC
Xen Security Advisory 13 (CVE-2012-3495) - hypercall physdev_get_free_pirq vulnerability
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2012-3495 / XSA-13 version 3 hypercall physdev_get_free_pirq vulnerability UPDATES IN VERSION 3 =================== Public release. Credit Matthew Daley. ISSUE DESCRIPTION ================ PHYSDEVOP_get_free_pirq does not check that its call to get_free_pirq succeeded, and if it fails will use the error code as an array index. IMPACT ===== A malicious guest might be able to cause the host to crash, leading to a DoS, depending on the exact memory layout. Privilege escalation is a theoretical possibility which cannot be ruled out, but is considered unlikely. VULNERABLE SYSTEMS ================= All Xen systems. Xen 4.1 is vulnerable. Other versions of Xen are not vulnerable. MITIGATION ========= This issue can be mitigated by ensuring (inside the guest) that the kernel is trustworthy and avoiding situations where something might repeatedly cause the attempted allocation of a physical irq. RESOLUTION ========= Applying the appropriate attached patch will resolve the issue. CREDIT ===== Thanks to Matthew Daley for finding this vulnerability (and that in XSA-12) and notifying the Xen.org security team. PATCH INFORMATION ================ The attached patches resolve this issue Xen 4.1, 4.1.x xsa13-xen-4.1.patch $ sha256sum xsa13-*.patch ad6e3e40ff56c7c25a94d8d9763d4b49f07802b90b4362ddbe4c86bf285c1239 xsa13-xen-4.1.patch -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJQRyVqAAoJEIP+FMlX6CvZjrcH/A0xq4dTMtJpUc1WHyUi2aXd 5ap+AA8w0XHLdosXnbxnsTCSsAdkUeBlPkqZAoGxrCGYrzP83T0cPrz8qjzN64KE Jaei9prTk7VFHa9aAz3OqFYjYd/d21CxI4goGJ4Z0tygys4lmkDeex2kEAj5dq7b 0FLj6aIAVFYI3mWMztx4poOrz/BSCMk1YtrV5hZaY8i7Y6nhaOsPISveS0Dv4FPm YDGc93ykhOwEWCNqWFQGVndRihgUWQIUcb7f2SUfOC/FvbcJHGlP4Aojl4LUePqM bi/CR9cPESr7x1+1vcGUZybXALsRMBCJPrx1td3OCgqx8bwAbsQIszuFaWTtajY=s7wG -----END PGP SIGNATURE----- _______________________________________________ Xen-users mailing list Xen-users@lists.xen.org http://lists.xen.org/xen-users