Home page logo
/

oss-sec logo oss-sec mailing list archives

Xen Security Advisory 13 (CVE-2012-3495) - hypercall physdev_get_free_pirq vulnerability
From: Xen.org security team <security () xen org>
Date: Wed, 5 Sep 2012 11:13:31 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2012-3495 / XSA-13
                             version 3

           hypercall physdev_get_free_pirq vulnerability

UPDATES IN VERSION 3
====================

Public release.  Credit Matthew Daley.

ISSUE DESCRIPTION
=================

PHYSDEVOP_get_free_pirq does not check that its call to get_free_pirq
succeeded, and if it fails will use the error code as an array index.

IMPACT
======

A malicious guest might be able to cause the host to crash, leading to
a DoS, depending on the exact memory layout.  Privilege escalation is
a theoretical possibility which cannot be ruled out, but is considered
unlikely.

VULNERABLE SYSTEMS
==================

All Xen systems.

Xen 4.1 is vulnerable.  Other versions of Xen are not vulnerable.

MITIGATION
==========

This issue can be mitigated by ensuring (inside the guest) that the
kernel is trustworthy and avoiding situations where something might
repeatedly cause the attempted allocation of a physical irq.

RESOLUTION
==========

Applying the appropriate attached patch will resolve the issue.

CREDIT
======

Thanks to Matthew Daley for finding this vulnerability (and that in
XSA-12) and notifying the Xen.org security team.

PATCH INFORMATION
=================

The attached patches resolve this issue

  Xen 4.1, 4.1.x                           xsa13-xen-4.1.patch

$ sha256sum xsa13-*.patch
ad6e3e40ff56c7c25a94d8d9763d4b49f07802b90b4362ddbe4c86bf285c1239  xsa13-xen-4.1.patch
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJQRyVqAAoJEIP+FMlX6CvZjrcH/A0xq4dTMtJpUc1WHyUi2aXd
5ap+AA8w0XHLdosXnbxnsTCSsAdkUeBlPkqZAoGxrCGYrzP83T0cPrz8qjzN64KE
Jaei9prTk7VFHa9aAz3OqFYjYd/d21CxI4goGJ4Z0tygys4lmkDeex2kEAj5dq7b
0FLj6aIAVFYI3mWMztx4poOrz/BSCMk1YtrV5hZaY8i7Y6nhaOsPISveS0Dv4FPm
YDGc93ykhOwEWCNqWFQGVndRihgUWQIUcb7f2SUfOC/FvbcJHGlP4Aojl4LUePqM
bi/CR9cPESr7x1+1vcGUZybXALsRMBCJPrx1td3OCgqx8bwAbsQIszuFaWTtajY=
=s7wG
-----END PGP SIGNATURE-----

Attachment: xsa13-xen-4.1.patch
Description:


  By Date           By Thread  

Current thread:
  • Xen Security Advisory 13 (CVE-2012-3495) - hypercall physdev_get_free_pirq vulnerability Xen . org security team (Sep 05)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault