This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


[Xen-devel] insufficiencies in pv kernel image validation

To: xen devel <xen-devel@xxxxxxxxxxxxxxxxxxx>
Subject: [Xen-devel] insufficiencies in pv kernel image validation
From: MaoXiaoyun <tinnycloud@xxxxxxxxxxx>
Date: Tue, 17 May 2011 00:38:31 +0800
Delivery-date: Mon, 16 May 2011 09:39:22 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
Importance: Normal
In-reply-to: <BAY0-MC2-F46jsbFMAv00186193@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
References: <BAY0-MC2-F46jsbFMAv00186193@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
Documented in https://bugzilla.redhat.com/show_bug.cgi?id=696927.
It has been found that xc_try_bzip2_decode() and xc_try_lzma_decode() decode
routines did not properly check for possible buffer size overflow in the
decoding loop. Specially crafted kernel image file could be created that would
trigger allocation of a small buffer resulting in buffer overflow with user
supplied data.

Additionally, several integer overflows and lack of error/range checking that
could result in the loader reading its own address space or could lead to an
infinite loop have been found.

A privileged DomU user could use these flaws to cause denial of service or,
possibly, execute arbitrary code in Dom0.

Only management domains with 32-bit userland are vulnerable.
In the last line above, what are "management domains"?
Does Xen 4.0/4.1 suffer from this bug?
And are any patches available?
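The quoted advisory describes two defects in the decompression loops: output buffer size not checked in the decoding loop, and integer overflows or missing range checks that let the loader walk off into its own address space or spin forever. The following is an added example written for this archive copy; it is not Xen's libxc code and not the fix that was later applied. It uses a hypothetical run-length format (4-byte big-endian count followed by one byte) as a stand-in for bzip2/lzma output, together with hypothetical names (outbuf, outbuf_reserve, decode_rle_bounded, MAX_OUTPUT) and a constructed size policy, and shows the three checks a decoder fed untrusted kernel images needs before every write: wrap-safe length arithmetic, a hard ceiling on decompressed size, and rejection of a zero-progress run.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable output buffer for the example decoder. */
struct outbuf {
    unsigned char *data;
    size_t len;   /* bytes written so far */
    size_t cap;   /* bytes allocated */
};

/* Constructed policy: never decompress more than 32 MiB, whatever the stream claims. */
#define MAX_OUTPUT ((size_t)32 * 1024 * 1024)

/* Make room for `need` more bytes. Returns 0 on success, -1 on overflow,
 * oversize or allocation failure. Callers must check this before writing. */
static int outbuf_reserve(struct outbuf *b, size_t need)
{
    if (need > SIZE_MAX - b->len)        /* b->len + need would wrap */
        return -1;
    size_t required = b->len + need;
    if (required > MAX_OUTPUT)           /* attacker-chosen size exceeds policy */
        return -1;
    if (required <= b->cap)
        return 0;
    size_t newcap = b->cap ? b->cap : 4096;
    while (newcap < required) {
        if (newcap > SIZE_MAX / 2) {     /* doubling would wrap: stop at exact need */
            newcap = required;
            break;
        }
        newcap *= 2;
    }
    if (newcap > MAX_OUTPUT)
        newcap = MAX_OUTPUT;             /* still >= required, checked above */
    unsigned char *p = realloc(b->data, newcap);
    if (!p)
        return -1;
    b->data = p;
    b->cap = newcap;
    return 0;
}

/* Toy decoder: stream of 5-byte records (uint32 big-endian count, value byte).
 * Returns 0 on success, -1 if the stream is malformed or would exceed limits. */
static int decode_rle_bounded(const unsigned char *in, size_t inlen, struct outbuf *out)
{
    if (inlen % 5 != 0)                  /* truncated record: reject, do not read past end */
        return -1;
    for (size_t i = 0; i < inlen; i += 5) {
        size_t count = ((size_t)in[i] << 24) | ((size_t)in[i + 1] << 16) |
                       ((size_t)in[i + 2] << 8) | (size_t)in[i + 3];
        unsigned char value = in[i + 4];
        if (count == 0)                  /* a run that makes no progress is an error, not a loop */
            return -1;
        if (outbuf_reserve(out, count) != 0)
            return -1;                   /* bound checked before the write, not after */
        memset(out->data + out->len, value, count);
        out->len += count;
    }
    return 0;
}

/* Constructed well-formed stream: 3 x 'A' then 2 x 'B'. Returns decoded length, or
 * -1 on decode failure, -2 if the bytes are wrong. */
long demo_decode_valid(void)
{
    static const unsigned char stream[] = { 0, 0, 0, 3, 'A', 0, 0, 0, 2, 'B' };
    struct outbuf out = { 0, 0, 0 };
    int rc = decode_rle_bounded(stream, sizeof stream, &out);
    long len = rc == 0 ? (long)out.len : -1;
    if (rc == 0 && memcmp(out.data, "AAABB", 5) != 0)
        len = -2;
    free(out.data);
    return len;
}

/* Constructed stream claiming a 4 GiB run: returns the decoder's result code. */
int demo_decode_oversized(void)
{
    static const unsigned char stream[] = { 0xff, 0xff, 0xff, 0xff, 'X' };
    struct outbuf out = { 0, 0, 0 };
    int rc = decode_rle_bounded(stream, sizeof stream, &out);
    free(out.data);
    return rc;
}

/* Constructed stream with a zero-length run: returns the decoder's result code. */
int demo_decode_zero_run(void)
{
    static const unsigned char stream[] = { 0, 0, 0, 0, 'Z' };
    struct outbuf out = { 0, 0, 0 };
    int rc = decode_rle_bounded(stream, sizeof stream, &out);
    free(out.data);
    return rc;
}

int main(void)
{
    printf("valid stream -> %ld bytes\n", demo_decode_valid());
    printf("oversized run -> rc %d\n", demo_decode_oversized());
    printf("zero-length run -> rc %d\n", demo_decode_zero_run());
    return 0;
}
```

The point of the shape is that the size comes from the image being loaded, so every value derived from it is checked for wrap-around and against a fixed ceiling before any memory is touched; a real bzip2 or lzma wrapper applies the same reserve-then-write discipline around each chunk the library hands back.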