Date: Wed, 05 Sep 2012 11:14:11 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org,
 xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security@....org>
Subject: Xen Security Advisory 18 (CVE-2012-3516) - grant table entry
 swaps have inadequate bounds checking

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2012-3516 / XSA-18
                           version 2

       grant table entry swaps have inadequate bounds checking

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

The grant table hypercall's GNTTABOP_swap_grant_ref sub-operation does
not perform adequate checks on the input grant references.

IMPACT
======

A malicious guest kernel or administrator can crash the host.

It may be possible for an attacker to swap a valid grant reference,
which they control, with an invalid one, allowing them to write
arbitrary values to hypervisor memory. This could potentially lead to a
privilege escalation.

VULNERABLE SYSTEMS
==================

Xen-unstable, including the Xen 4.2 release candidates, is vulnerable to
this issue.

Xen 4.1 and earlier do not include this hypercall and are therefore
not vulnerable.

MITIGATION
==========

The only mitigation is not to run guests which have untrusted
administrators.

RESOLUTION
==========

Applying the attached patch will resolve the issue.

PATCH INFORMATION
=================

The attached patch resolves this issue:

    Xen unstable                               xsa18-unstable.patch

$ sha256sum xsa18-unstable.patch
ad354a1964fc52b0e48d405514156935cc8dfcb5bdaee307e3e74afcc0ca8914  xsa18-unstable.patch
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

-----END PGP SIGNATURE-----

[ CONTENT OF TYPE application/octet-stream SKIPPED ]
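
The missing check described under ISSUE DESCRIPTION, sketched as an added example (not code from the advisory, the attached patch, or the Xen source): a simplified C model of an entry swap that validates both references against the table size before touching either slot. All toy_* and TOY_* names, the entry layout and the 4-slot table are assumptions constructed for illustration.

```c
/* Simplified model of a grant-table entry swap. NOT Xen source code:
 * every name here (toy_*, TOY_*) is hypothetical. */
#include <stddef.h>
#include <stdint.h>
#define TOY_OK           0
#define TOY_BAD_GNTREF (-1)  /* status for an out-of-range reference */

struct toy_entry { uint16_t flags; uint16_t domid; uint32_t frame; };

struct toy_grant_table {
    struct toy_entry *entries;
    uint32_t nr_entries;     /* number of allocated slots in entries[] */
};

/* Unsigned refs need only an upper-bound test; a signed index type would
 * also need a check against negative values. */
static int toy_ref_valid(const struct toy_grant_table *gt, uint32_t ref)
{
    return gt != NULL && gt->entries != NULL && ref < gt->nr_entries;
}

/* Both guest-supplied refs are validated before either slot is touched,
 * so a rejected call leaves the table unchanged. */
int toy_swap_grant_ref(struct toy_grant_table *gt, uint32_t ref_a, uint32_t ref_b)
{
    if (!toy_ref_valid(gt, ref_a) || !toy_ref_valid(gt, ref_b))
        return TOY_BAD_GNTREF;
    struct toy_entry tmp = gt->entries[ref_a];
    gt->entries[ref_a] = gt->entries[ref_b];
    gt->entries[ref_b] = tmp;
    return TOY_OK;
}

/* Runs one swap on a constructed 4-slot table. Returns the swap status,
 * -2 if a rejected call changed the table, -3 if a swap went wrong. */
int toy_demo(uint32_t ref_a, uint32_t ref_b)
{
    struct toy_entry slots[4] = { {1, 0, 100}, {1, 0, 101}, {1, 0, 102}, {1, 0, 103} };
    struct toy_grant_table gt = { slots, 4 };
    int rc = toy_swap_grant_ref(&gt, ref_a, ref_b);
    if (rc != TOY_OK) {
        for (uint32_t i = 0; i < 4; i++)
            if (slots[i].frame != 100 + i)
                return -2;
        return rc;
    }
    return (slots[ref_a].frame == 100 + ref_b &&
            slots[ref_b].frame == 100 + ref_a) ? TOY_OK : -3;
}
```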
