Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 05 Sep 2012 11:12:43 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org,
 xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security@....org>
Subject: Xen Security Advisory 16 (CVE-2012-3498) - PHYSDEVOP_map_pirq
 index vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2012-3498 / XSA-16
                             version 3

               PHYSDEVOP_map_pirq index vulnerability

UPDATES IN VERSION 3
====================

Public release.  Credit Matthew Daley.

ISSUE DESCRIPTION
=================

PHYSDEVOP_map_pirq with MAP_PIRQ_TYPE_GSI does not range check
map->index.

IMPACT
======

A malicious HVM guest kernel can crash the host.  It might also be
able to read hypervisor or guest memory.

VULNERABLE SYSTEMS
==================

All Xen systems running HVM guests.  PV guests are not vulnerable.

The vulnerability dates back to Xen 4.1.  Xen 4.0 is not vulnerable.
4.1, the 4.2 RCs, and xen-unstable.hg are vulnerable.

MITIGATION
==========

This issue can be mitigated by ensuring that the guest kernel is
trustworthy, or by running only PV guests.

RESOLUTION
==========

Applying the appropriate attached patch will resolve the issue.

CREDIT
======

Thanks to Matthew Daley for finding this vulnerability (and that in
XSA-12) and notifying the Xen.org security team.

PATCH INFORMATION
=================

The attached patches resolve this issue

  Xen unstable                                  xsa16-unstable.patch
  Xen 4.1, 4.1.x                                xsa16-xen-4.1.patch

$ sha256sum xsa16-*.patch
f8db42898620112c8e77bf116645d650b3671d4ccc49adcad09c7b4591d55cab  xsa16-unstable.patch
4b76d554b23977443209e45d3a2404d63695eb3020ff87a8e16e5e25cbddff31  xsa16-xen-4.1.patch
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJQRyVFAAoJEIP+FMlX6CvZkqkH/2k5sdGWVThawtjkpTfx8L3T
d0QnlJYstbvGxNkRvaafj32jApGkHWwr/Rd4w1MPxXXJOU6bmXjKKXAugVj0wl5Z
PZeVtek46S3sSNCavLH7kL1SVZoCikEH2+kv9edGhKOXxO3C+8FkM+HvoZU7tQco
ppUhEfINP9WidXlWSEmK2nhZdvrLW7KeqHTQmwx6AC1mUE0YdaF2oTZRPyOgRwIx
quYJ3hLiQiQD3eUV56iqNO19/D4jpPibBG33yurdzahRivuLTb7XD+QfKfEDZ1WC
SVqIRJha84QBjHLTtPIgmjyF8ysUXnPLol1NTxpIBFX98OCw9Ery0Zic/poFjcc=
=7hrh
-----END PGP SIGNATURE-----

[ CONTENT OF TYPE application/octet-stream SKIPPED ]

[ CONTENT OF TYPE application/octet-stream SKIPPED ]

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ