Date: Wed, 5 Sep 2012 11:13:31 +0100
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org, xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security@....org>
Subject: Xen Security Advisory 13 (CVE-2012-3495) - hypercall physdev_get_free_pirq vulnerability

Xen Security Advisory CVE-2012-3495 / XSA-13
version 3

hypercall physdev_get_free_pirq vulnerability

UPDATES IN VERSION 3
====================

Public release. Credit Matthew Daley.

ISSUE DESCRIPTION
=================

PHYSDEVOP_get_free_pirq does not check that its call to get_free_pirq
succeeded, and if it fails will use the error code as an array index.

IMPACT
======

A malicious guest might be able to cause the host to crash, leading to
a DoS, depending on the exact memory layout. Privilege escalation is a
theoretical possibility which cannot be ruled out, but is considered
unlikely.

VULNERABLE SYSTEMS
==================

All Xen systems. Xen 4.1 is vulnerable. Other versions of Xen are
not vulnerable.

MITIGATION
==========

This issue can be mitigated by ensuring (inside the guest) that the
kernel is trustworthy and avoiding situations where something might
repeatedly cause the attempted allocation of a physical irq.

RESOLUTION
==========

Applying the appropriate attached patch will resolve the issue.

CREDIT
======

Thanks to Matthew Daley for finding this vulnerability (and that in
XSA-12) and notifying the Xen.org security team.

PATCH INFORMATION
=================

The attached patches resolve this issue

 Xen 4.1, 4.1.x    xsa13-xen-4.1.patch

$ sha256sum xsa13-*.patch
ad6e3e40ff56c7c25a94d8d9763d4b49f07802b90b4362ddbe4c86bf285c1239  xsa13-xen-4.1.patch

[ CONTENT OF TYPE application/octet-stream SKIPPED ]
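
The bug class named under ISSUE DESCRIPTION, as an added example that is not part of the advisory and is not Xen source code: an allocator's negative error return used as an array index, next to the checked form. The struct, the function names, the table size and the choice of -ENOSPC as the error value are all assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>

#define NR_SLOTS 8                 /* constructed table size, not Xen's */

struct domain_model {              /* hypothetical stand-in for per-domain state */
    int guard_before;              /* neighbouring data a negative index could hit */
    int slot_state[NR_SLOTS];      /* 0 = free, 1 = allocated */
};

/* Allocator: returns a free slot index, or a negative errno when none is left. */
static int alloc_free_slot(const struct domain_model *d)
{
    for (int i = 0; i < NR_SLOTS; i++)
        if (d->slot_state[i] == 0)
            return i;
    return -ENOSPC;                /* assumed error value */
}

/* Unchecked pattern: the return value goes straight into the index.
 * The byte offset is only computed here, never dereferenced, so the
 * example stays well-defined. A negative result means the write would
 * land before slot_state[], outside the array. */
static long unchecked_write_offset(const struct domain_model *d)
{
    int ret = alloc_free_slot(d);
    return (long)ret * (long)sizeof(d->slot_state[0]);
}

/* Checked pattern: propagate the error, index only on success. */
static int checked_get_free_slot(struct domain_model *d)
{
    int ret = alloc_free_slot(d);
    if (ret < 0)
        return ret;                /* caller sees the failure, nothing is written */
    d->slot_state[ret] = 1;
    return ret;
}

int main(void)
{
    struct domain_model d = {0};
    /* Repeated allocation exhausts the table, the condition the MITIGATION text warns about. */
    for (int i = 0; i < NR_SLOTS; i++)
        checked_get_free_slot(&d);
    printf("checked call on full table: %d\n", checked_get_free_slot(&d));
    printf("unchecked write offset:     %ld bytes\n", unchecked_write_offset(&d));
    return 0;
}
```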