
[Xen-devel] Xen Security Advisory 24 (CVE-2012-4539) - Grant table hypercall infinite loop DoS vulnerability



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 Xen Security Advisory CVE-2012-4539 / XSA-24
                                version 2

              Grant table hypercall infinite loop DoS vulnerability

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

Due to inappropriate duplicate use of the same loop control variable,
passing bad arguments to GNTTABOP_get_status_frames can cause an
infinite loop in the compat hypercall handler.

IMPACT
======

A malicious guest administrator can trigger the bug.  If the Xen
watchdog is enabled, the whole system will crash.  Otherwise the guest
can cause the system to become completely unresponsive.

VULNERABLE SYSTEMS
==================

Xen versions 4.0 and onwards are vulnerable.  Earlier released Xen
versions are not vulnerable.

The vulnerability is exposed only by 32-bit x86 PV guests running on
64-bit Xen hypervisors.

MITIGATION
==========

Running only 64-bit guests, or (in previous Xen versions) running a
32-bit hypervisor (which supports only 32-bit guests), will avoid this
vulnerability.

Note however that if in a 64-bit Xen system the guest kernel image
file is under the control of the guest administrator, the guest
administrator will normally be able to control whether the guest is
32-bit or 64-bit by supplying a different kernel image.

Running only HVM guests will avoid this vulnerability.

RESOLUTION
==========

The attached patch resolves this issue.  The same patch is applicable
to all affected versions.

$ sha256sum xsa24.patch
2963dff4dbc08aab4278215d74c2cce365972f213453bb7c513d097a838de196  xsa24.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

-----END PGP SIGNATURE-----

Attachment: xsa24.patch
Description: Binary data
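
Added example (not part of the advisory and not Xen source code): a
simplified, constructed C model of the bug class named under ISSUE
DESCRIPTION, a nested loop that reuses its outer loop's control variable,
next to the form with separate counters. All names (handle_batch_buggy,
handle_batch_fixed, STEP_BUDGET, SPUN, count, nr_frames) are hypothetical,
and the step budget is an assumption that lets the model stop instead of
spinning.

```c
#include <stdio.h>

/* Constructed model, not Xen source. A batched handler walks `count`
 * requests and, for each request, walks `nr_frames` entries. */
#define STEP_BUDGET 1000  /* assumption: cap so the model can stop */
#define SPUN (-1L)        /* returned when the budget is exhausted */

/* Buggy form: the inner loop reuses the outer loop's counter `i`. */
static long handle_batch_buggy(unsigned int count, unsigned int nr_frames)
{
    unsigned int i, steps = 0;
    long handled = 0;

    for (i = 0; i < count; i++) {
        for (i = 0; i < nr_frames; i++)  /* overwrites the outer counter */
            if (++steps > STEP_BUDGET)
                return SPUN;
        handled++;
        /* i == nr_frames here, so the outer test sees nr_frames + 1:
         * it either never reaches count or skips the remaining requests. */
        if (++steps > STEP_BUDGET)
            return SPUN;
    }
    return handled;
}

/* Corrected form: each loop owns its control variable. */
static long handle_batch_fixed(unsigned int count, unsigned int nr_frames)
{
    unsigned int i, j;
    long handled = 0;

    for (i = 0; i < count; i++) {
        for (j = 0; j < nr_frames; j++)
            ;  /* per-frame work would go here */
        handled++;
    }
    return handled;
}

int main(void)
{
    printf("buggy(4,1)=%ld fixed(4,1)=%ld\n",
           handle_batch_buggy(4, 1), handle_batch_fixed(4, 1));
    printf("buggy(4,3)=%ld fixed(4,3)=%ld\n",
           handle_batch_buggy(4, 3), handle_batch_fixed(4, 3));
    return 0;
}
```

In the model, a small inner bound keeps resetting the shared counter below
the outer bound, which is the non-terminating case; a larger inner bound
ends the outer loop early with requests left unhandled.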
