[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] Xen Security Advisory 32 (CVE-2012-5525) - several hypercalls do not validate input GFNs



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

             Xen Security Advisory CVE-2012-5525 / XSA-32
                              version 4

             several hypercalls do not validate input GFNs

UPDATES IN VERSION 4
====================

Public release.

ISSUE DESCRIPTION
=================

The function get_page_from_gfn does not validate its input GFN. An
invalid GFN passed to a hypercall which uses this function will cause
the hypervisor to read off the end of the frame table and potentially
crash.

IMPACT
======

A malicious guest administrator of a PV guest can cause Xen to crash.
If the out of bounds access does not lead to a crash, a carefully
crafted privilege escalation cannot be excluded, even though the guest
doesn't itself control the values written.

VULNERABLE SYSTEMS
==================

Only Xen 4.2 and Xen unstable are vulnerable. Xen 4.1 and earlier are
not vulnerable.

The vulnerability is exposed only to PV guests.

MITIGATION
==========

Running only trusted PV guest kernels will avoid this vulnerability.

Running only HVM guests will avoid this vulnerability.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa32-4.2.patch             Xen 4.2.x, xen-unstable
xsa32-unstable.patch        xen-unstable


$ sha256sum xsa32*.patch
ad25c9298b543ef7af40e9f09cae232d36efc1932804678355ab724a19e3afd9  
xsa32-4.2.patch
734cff82a93f032165ef26633acb30a499cc063141c2b16fccb294703718fcb0  
xsa32-unstable.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJQvOWxAAoJEIP+FMlX6CvZ9uUH/RM5PGHxWTuFv11kAEJAaQK7
m3dB9GZvjRo/zcRTrSQX2JCumM8rwXffNR9oUHQkC3WxRPjyNRdsiI02sSRLSDAh
q2tsalK1PpFNX2DRrOezWrkBA2zR7pnGe3sCzgO3sGGpqMMoG5+u6/IcZHu86LGm
zk+e0hMHtuurz6+uB0w8TJoLge4XSTw0K3ck70vCL4ysKmyOcEWcAgDmNA+OwnQ8
duw4UGkXLrxCF1X7RbAh31lUWPSLxPvxsytja+78/9ggpQRxZkF5x6T4oABcZ7jg
vjzYkNN3MdN41RIbmZps1SECLm/SKoOvsBxfOJArf0DYgVmJloxZrLK4TyquCDk=
=oEp3
-----END PGP SIGNATURE-----

Attachment: xsa32-4.2.patch
Description: Binary data

Attachment: xsa32-unstable.patch
Description: Binary data

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.