Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 05 Sep 2012 11:14:11 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org,
 xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security@....org>
Subject: Xen Security Advisory 18 (CVE-2012-3516) - grant table entry
 swaps have inadequate bounds checking

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2012-3516 / XSA-18
                           version 2

       grant table entry swaps have inadequate bounds checking

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

The grant table hypercall's GNTTABOP_swap_grant_ref sub-operation does
not perform adequate checks on the input grant references.

IMPACT
======

A malicious guest kernel or administrator can crash the host.

It may be possible for an attacker to swap a valid grant reference,
which they control, with an invalid one allowing them to write
abitrary values to hypervisor memory. This could potentially lead to a
privilege escalation.

VULNERABLE SYSTEMS
==================

Xen-unstable, including Xen 4.2 release candidates are vulnerable to
this issue.

Xen 4.1 and earlier do not include this hypercall and are therefore
not vulnerable.

MITIGATION
==========

The only mitigation is not to run guests which have untrusted
administrators.

RESOLUTION
==========

Applying the attached patch will resolve the issue.

PATCH INFORMATION
=================

The attached patch resolves this issue

    Xen unstable                               xsa18-unstable.patch

$ sha256sum xsa18-unstable.patch
ad354a1964fc52b0e48d405514156935cc8dfcb5bdaee307e3e74afcc0ca8914  xsa18-unstable.patch
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJQRzP3AAoJEIP+FMlX6CvZ350H/jfmrx6a1pNYF3KYtVVIXu1y
ZERi/qxji162XGvB+7gdq+IdhLYAeWXRFF309U1FwcRxaQJPRAT024q6Hs+ITr9i
L7OnSP9s+UHT4251X3UlOnEfQyKF6NKJIYbamQbfVIvVPdUtNLj4SKYqxlvjyyc3
DpqiARD5f9+i7OkcojvhXszlbMgbpSQ8TYCW5De0dTkZgKQYq2hRuYf/1hmZ1lJt
vFEkTCFxO7uxoH6gulyuEjszDYFAUmE3xdxKbT11mIkwnS1wfgp4Ob5H0ioSDNJo
oOxqt4KsuNXHDW/B8QlxnQejKBL0INtmOjh7GMox4bvxg4gP57ZlDweC2lkR37c=
=dD8C
-----END PGP SIGNATURE-----

Download attachment "xsa18-unstable.patch" of type "application/octet-stream" (1368 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.