Date: Wed, 16 Jan 2013 14:50:11 +0000 From: Xen.org security team <security@....org> To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org, xen-users@...ts.xen.org, oss-security@...ts.openwall.com CC: Xen.org security team <security@....org> Subject: Xen Security Advisory 40 (CVE-2013-0190) - Linux stack corruption in xen_failsafe_callback for 32bit PVOPS guests. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2013-0190 / XSA-40 Linux stack corruption in xen_failsafe_callback for 32bit PVOPS guests. ISSUE DESCRIPTION ================= xen_failsafe_callback incorrectly sets up its stack if an iret fault is injected by the hypervisor. IMPACT ====== Malicious or buggy unprivileged userspace can cause the guest kernel to crash, or operate erroneously. VULNERABLE SYSTEMS ================== All 32bit PVOPS versions of Linux are affected, since the introduction of Xen PVOPS support in 2.6.23. Classic-Xen kernels are not vulnerable. MITIGATION ========== This can be mitigated by not running 32bit PVOPS Linux guests. 32bit classic-Xen guests, all 64bit PV guests and all HVM guests are unaffected. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. xsa40.patch $ sha256sum xsa40*.patch b6aa67b4605f6088f757ca28093d265c71e456906619d81d129bf656944ed721 xsa40.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJQ9r4HAAoJEIP+FMlX6CvZhIMIAKa3l8CMZ4Di0gyp1cVi95es 0Pzq8qV5Qwla+NZEuz1O91UAxzwke8mrVsKK9PQCUVqdrmKbIrWjGX3b/KNIoa3d hCGBd1wkTld7XmQxNfr+0BcfybqM92dww623rhv6G2jPaehOMVGWl28vomwkMU9E iT/z2dqYJuAkcq6hobJ02tyfABl5sWNDE+HvI6EFxTptzeUGQtaPm9q6qbdbw1pT InAae/VU7u+qAZTr0MY8kncFiK3206LvJX2Wq6YBI6LCFw4eaOvTFfJiAvFojqQb nl5PT2KXH3IbiZEAiSOENBRiudkzxY0OfGyTnyuwsZuJa7SaI47pN1Sp5YtRPf0= =9uNq -----END PGP SIGNATURE----- Download attachment "xsa40.patch" of type "application/octet-stream" (2107 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.