thr3ads.net - Xen users - Xen Security Advisory 58 (CVE-2013-1432) - Page reference counting error due to XSA-45/CVE-2013-1918 fixes [Jun 2013]

If this information is useful, please help other people find it:
Share via:

Xen.org security team

2013-Jun-26 13:19 UTC

Xen Security Advisory 58 (CVE-2013-1432) - Page reference counting error due to XSA-45/CVE-2013-1918 fixes

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

             Xen Security Advisory CVE-2013-1432 / XSA-58
                            version 2

        Page reference counting error due to XSA-45/CVE-2013-1918 fixes

UPDATES IN VERSION 2
===================
Public release.  Credits section added.

ISSUE DESCRIPTION
================
The XSA-45/CVE-2013-1918 patch making error handling paths preemptible broke
page reference counting by not retaining a reference on pages stored for
deferred cleanup. This would lead to the hypervisor prematurely attempting to
free the page, generally crashing upon finding the page still in use.

CREDITS
======
Thanks to Andrew Cooper and the Citrix XenServer team for discovering
and reporting this vulnerability, and helping investigate it.

IMPACT
=====
Malicious or buggy PV guest kernels can mount a denial of service attack
affecting the whole system. It can''t be excluded that this could also
be
exploited to mount a privilege escalation attack.

VULNERABLE SYSTEMS
=================
All Xen versions having the XSA-45/CVE-2013-1918 fixes applied are vulnerable.

The vulnerability is only exposed by PV guests.

MITIGATION
=========
Running only HVM guests, or PV guests with trusted kernels, will avoid this
vulnerability.

RESOLUTION
=========
Applying the appropriate attached patch resolves this issue.

xsa58-4.1.patch             Xen 4.1.x
xsa58-4.2.patch             Xen 4.2.x
xsa58-unstable.patch        xen-unstable

$ sha256sum xsa58*.patch
3623ec87e5a2830f0d41de19a8e448d618954973c3264727a1f3a095f15a8641 
xsa58-4.1.patch
194d6610fc38b767d643e5d58a1268f45921fb35e309b47aca6a388b861311c2 
xsa58-4.2.patch
2c94b099d7144d03c0f7f44e892a521537fc040d11bc46f84a2438eece46a0f5 
xsa58-unstable.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJRyuoNAAoJEIP+FMlX6CvZY3EH/04uBhD797FdBhCRkq/y1ACc
Dvg1BRZ4lHkURDp97gD4Fdyf95Lw4qtniYBq8H/kpVPWJgN7+Dmj8uoluWhOI62Y
Q7a97CZ3O39VcuNRQnZG8c6dduGwMTzbJMkftG0CcltygAxVVRU4uHSG4+MHQ5PZ
N1xauljWrbw49iZz0shxZv4BA/1MQyuyZGFIpOaYoom0vV67pfrQJ2kgCMDUctmq
WXNkVcOiS7lwS/+++goPIboSEy6UJCIVrhZmL7GhbNfiznlOFVgExMttQRcUDi/D
4SS4ghl3IyB34TwoX1P7TPEeHGbfonObGpzBQNduBIJDM32nqO7P8097XG0j0Tw=aw1s
-----END PGP SIGNATURE-----




_______________________________________________
Xen-users mailing list
Xen-users@lists.xen.org
http://lists.xen.org/xen-users

Xen users - Jun 2013 - Xen Security Advisory 58 (CVE-2013-1432) - Page reference counting error due to XSA-45/CVE-2013-1918 fixes

Xen Security Advisory 58 (CVE-2013-1432) - Page reference counting error due to XSA-45/CVE-2013-1918 fixes