Date: Mon, 03 Dec 2012 17:51:45 +0000 From: Xen.org security team <security@....org> To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org, xen-users@...ts.xen.org, oss-security@...ts.openwall.com CC: Xen.org security team <security@....org> Subject: Xen Security Advisory 28 (CVE-2012-5512) - HVMOP_get_mem_access crash / HVMOP_set_mem_access information leak -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2012-5512 / XSA-28 version 3 HVMOP_get_mem_access crash / HVMOP_set_mem_access information leak UPDATES IN VERSION 3 ==================== Public release. ISSUE DESCRIPTION ================= The HVMOP_set_mem_access operation handler uses an input as an array index before range checking it. IMPACT ====== A malicious guest administrator can cause Xen to crash. If the out of array bounds access does not crash, the arbitrary value read will be used if the caller reads back the default access through the HVMOP_get_mem_access operation, thus causing an information leak. The caller cannot, however, directly control the address from which to read, since the value read in the first step will be used as an array index again in the second step. VULNERABLE SYSTEMS ================== Only Xen version 4.1 is vulnerable. The vulnerability is only exposed to HVM guests. MITIGATION ========== Running only PV guests, or ensuring that the controlling domain of HVM guests (e.g. dom0 or stubdom) only uses trusted code, will avoid this vulnerability. RESOLUTION ========== The attached patch resolves this issue. $ sha256sum xsa28*.patch 6282314c4ea0d76ac55473e5fc7d863e045c9f566899eb93c60e5d22f38e8319 xsa28-4.1.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJQvOJ2AAoJEIP+FMlX6CvZDfEH/jKbLcOY6taduyPubvWjLqUj 5moVGJMcdTUnjEOe4TH6zcax4Ce98J5BptHjCkeIIm4A70bcdfFR7Kb8i1Pr1ZA6 jpo/fbDtn4+YVAJrMlZWhPspJU2lZSSYc+Tu3eVrX78OX4RZ/Ubb+KRGhaSkRn/a r14VFvNBwhSmOXFXqFI0IiCRJBctyLOxF32P3lZB3PXUepxsezjrUeYKKZ6qGkSX kdufkWYgZV4iKpb8WEwDOdWbs/hE7ru6vHCEE798T8I7BscQF+O8B+2ewVK/iCoo AgjGkqWsKhc119lSjdud8LP3A4cXWhhuHSOlmIc+gNz91IsvG3DErzQizc0wtLk= =GkYq -----END PGP SIGNATURE----- Download attachment "xsa28-4.1.patch" of type "application/octet-stream" (1352 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.