Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 03 Dec 2012 17:51:45 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org,
 xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security@....org>
Subject: Xen Security Advisory 29 (CVE-2012-5513) - XENMEM_exchange may
 overwrite hypervisor memory

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

	     Xen Security Advisory CVE-2012-5513 / XSA-29
                             version 3

           XENMEM_exchange may overwrite hypervisor memory

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

The handler for XENMEM_exchange accesses guest memory without range checking
the guest provided addresses, thus allowing these accesses to include the
hypervisor reserved range.

IMPACT
======

A malicious guest administrator can cause Xen to crash.  If the out of address
space bounds access does not lead to a crash, a carefully crafted privilege
escalation cannot be excluded, even though the guest doesn't itself control
the values written.

VULNERABLE SYSTEMS
==================

All Xen versions are vulnerable.

The vulnerability is only exposed to PV guests.

MITIGATION
==========

Running only HVM guests, or ensuring that PV guests only use trusted kernels,
will avoid this vulnerability.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa29-4.1.patch             Xen 4.1.x
xsa29-4.2-unstable.patch    Xen 4.2.x, xen-unstable


$ sha256sum xsa29*.patch
7246a5534bc1e6a47bb6a860f6eb61c8353ad8b46209310783e823b4f7e2eae8  xsa29-4.1.patch
54dcd3ac5c84903bfb04f8591107a74c27b079815f2c6843212e05f776873c73  xsa29-4.2-unstable.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJQvOJ3AAoJEIP+FMlX6CvZ7u8IAM01+jNn5fwdGmoo/LIdH885
nWr5aSc+qMqVuSvla0KKh1SOLFaVWFgovLN1Sfu2hAxLgrK3HxN86RqHU/vLo0k0
KTFM+9xQlxhJNQzyQSiDryH/qSrHTQI6ERxUEYgfjtTieK8y30SZqkd6jBmwoir/
nAMMP8oFmVevM2WfYEWjNNsWPaiUlUYP13qxiWGPcGzhcNNKRwcmrIY4N+F6kHID
Ipl4l5vhoeSaQ0fKkcJKHa+3QGd+706jHZ5VTCwPdWBCnBJLFuMWbc2UlyIg2EB9
N+3Olwf3jCF0zIzBJkomA+FAg+D7kw31DCjc+y1PdGIyuoMkk+JRwYFVkZcKLi4=
=pD8C
-----END PGP SIGNATURE-----

Download attachment "xsa29-4.1.patch" of type "application/octet-stream" (2087 bytes)

Download attachment "xsa29-4.2-unstable.patch" of type "application/octet-stream" (2099 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.