Date: Wed, 05 Sep 2012 11:12:43 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org, xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security@....org>
Subject: Xen Security Advisory 16 (CVE-2012-3498) - PHYSDEVOP_map_pirq index vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Xen Security Advisory CVE-2012-3498 / XSA-16
version 3

PHYSDEVOP_map_pirq index vulnerability

UPDATES IN VERSION 3
====================

Public release.

Credit Matthew Daley.

ISSUE DESCRIPTION
=================

PHYSDEVOP_map_pirq with MAP_PIRQ_TYPE_GSI does not range check
map->index.

IMPACT
======

A malicious HVM guest kernel can crash the host. It might also be
able to read hypervisor or guest memory.

VULNERABLE SYSTEMS
==================

All Xen systems running HVM guests. PV guests are not vulnerable.

The vulnerability dates back to Xen 4.1. Xen 4.0 is not vulnerable.
4.1, the 4.2 RCs, and xen-unstable.hg are vulnerable.

MITIGATION
==========

This issue can be mitigated by ensuring that the guest kernel is
trustworthy, or by running only PV guests.

RESOLUTION
==========

Applying the appropriate attached patch will resolve the issue.

CREDIT
======

Thanks to Matthew Daley for finding this vulnerability (and that in
XSA-12) and notifying the Xen.org security team.

PATCH INFORMATION
=================

The attached patches resolve this issue

 Xen unstable          xsa16-unstable.patch
 Xen 4.1, 4.1.x        xsa16-xen-4.1.patch

$ sha256sum xsa16-*.patch
f8db42898620112c8e77bf116645d650b3671d4ccc49adcad09c7b4591d55cab  xsa16-unstable.patch
4b76d554b23977443209e45d3a2404d63695eb3020ff87a8e16e5e25cbddff31  xsa16-xen-4.1.patch

Download attachment "xsa16-unstable.patch" of type "application/octet-stream" (936 bytes)
Download attachment "xsa16-xen-4.1.patch" of type "application/octet-stream" (1054 bytes)
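
Before applying either patch, the downloaded file can be checked against the digests published above. The following is an added example, not part of the advisory or of the Xen project's tooling; the function names expected_sum and verify_patch are hypothetical, and it assumes a POSIX shell with the coreutils sha256sum and awk available.

```shell
#!/bin/sh
# Added example: verify XSA-16 patch files against the advisory's digests.

# Digest list copied from the PATCH INFORMATION section, in the
# "<sha256>  <filename>" layout that sha256sum prints.
XSA16_SUMS='f8db42898620112c8e77bf116645d650b3671d4ccc49adcad09c7b4591d55cab  xsa16-unstable.patch
4b76d554b23977443209e45d3a2404d63695eb3020ff87a8e16e5e25cbddff31  xsa16-xen-4.1.patch'

# expected_sum NAME [SUMS]
# Print the published digest for NAME; return 1 if NAME is not listed.
expected_sum() {
    printf '%s\n' "${2:-$XSA16_SUMS}" |
        awk -v f="$1" '$2 == f { print $1; found = 1 } END { exit !found }'
}

# verify_patch PATH [SUMS]
# Return 0 on a digest match, 1 on a mismatch, and 2 when the file name is
# not in the digest list or the file cannot be read.
verify_patch() {
    path=$1
    name=$(basename -- "$path")
    want=$(expected_sum "$name" "${2:-$XSA16_SUMS}") || {
        echo "REFUSE $name: no published digest for this file name" >&2
        return 2
    }
    [ -r "$path" ] || {
        echo "REFUSE $name: file missing or unreadable" >&2
        return 2
    }
    # Hash via stdin so the output never depends on the path's spelling.
    got=$(sha256sum < "$path" | awk '{ print $1 }')
    if [ "$got" = "$want" ]; then
        echo "OK $name"
        return 0
    fi
    echo "MISMATCH $name: got $got, advisory lists $want" >&2
    return 1
}

# When run with file arguments, stop at the first file that is rejected.
for f in "$@"; do
    verify_patch "$f" || exit 1
done
```

A file that is rejected should be downloaded again from the list archive rather than applied.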