Xen project Mailing List

[Xen-announce] Xen Security Advisory 13 (CVE-2012-3495) - hypercall physdev_get_free_pirq vulnerability

To: xen-announce@xxxxxxxxxxxxx, xen-devel@xxxxxxxxxxxxx, xen-users@xxxxxxxxxxxxx, oss-security@xxxxxxxxxxxxxxxxxx

From: Xen.org security team <security@xxxxxxx>

Date: Wed, 5 Sep 2012 11:13:31 +0100

Cc: "Xen.org security team" <security@xxxxxxx>

Delivery-date: Wed, 05 Sep 2012 10:18:51 +0000

List-id: "Xen announcements $low volume$" <xen-announce.lists.xen.org>

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2012-3495 / XSA-13 version 3 hypercall physdev_get_free_pirq vulnerability UPDATES IN VERSION 3 ==================== Public release. Credit Matthew Daley. ISSUE DESCRIPTION ================= PHYSDEVOP_get_free_pirq does not check that its call to get_free_pirq succeeded, and if it fails will use the error code as an array index. IMPACT ====== A malicious guest might be able to cause the host to crash, leading to a DoS, depending on the exact memory layout. Privilege escalation is a theoretical possibility which cannot be ruled out, but is considered unlikely. VULNERABLE SYSTEMS ================== All Xen systems. Xen 4.1 is vulnerable. Other versions of Xen are not vulnerable. MITIGATION ========== This issue can be mitigated by ensuring (inside the guest) that the kernel is trustworthy and avoiding situations where something might repeatedly cause the attempted allocation of a physical irq. RESOLUTION ========== Applying the appropriate attached patch will resolve the issue. CREDIT ====== Thanks to Matthew Daley for finding this vulnerability (and that in XSA-12) and notifying the Xen.org security team. PATCH INFORMATION ================= The attached patches resolve this issue Xen 4.1, 4.1.x xsa13-xen-4.1.patch $ sha256sum xsa13-*.patch ad6e3e40ff56c7c25a94d8d9763d4b49f07802b90b4362ddbe4c86bf285c1239 xsa13-xen-4.1.patch -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJQRyVqAAoJEIP+FMlX6CvZjrcH/A0xq4dTMtJpUc1WHyUi2aXd 5ap+AA8w0XHLdosXnbxnsTCSsAdkUeBlPkqZAoGxrCGYrzP83T0cPrz8qjzN64KE Jaei9prTk7VFHa9aAz3OqFYjYd/d21CxI4goGJ4Z0tygys4lmkDeex2kEAj5dq7b 0FLj6aIAVFYI3mWMztx4poOrz/BSCMk1YtrV5hZaY8i7Y6nhaOsPISveS0Dv4FPm YDGc93ykhOwEWCNqWFQGVndRihgUWQIUcb7f2SUfOC/FvbcJHGlP4Aojl4LUePqM bi/CR9cPESr7x1+1vcGUZybXALsRMBCJPrx1td3OCgqx8bwAbsQIszuFaWTtajY= =s7wG -----END PGP SIGNATURE-----

Attachment: xsa13-xen-4.1.patch
Description: Binary data

_______________________________________________ Xen-announce mailing list Xen-announce@xxxxxxxxxxxxx http://lists.xen.org/xen-announce

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.