Xen Security Advisory 25 (CVE-2012-4544,CVE-2012-2625) - Xen domain builder Out-of-memory due to malicious kernel/ramdisk
From: Xen.org security team <security () xen org>
Date: Tue, 13 Nov 2012 12:56:23 +0000
Xen Security Advisory CVE-2012-4544,CVE-2012-2625 / XSA-25
Xen domain builder Out-of-memory due to malicious kernel/ramdisk
UPDATES IN VERSION 2
Clarify that XSA-25 is reporting, via the Xen.org security process,
both CVE-2012-4544 and CVE-2012-2625.
Also we would like to apologise for the fact that xen-announce's copy
of version 1 of this advisory was delayed in mailing list moderation.
The Xen PV domain builder contained no validation of the size of the
supplied kernel or ramdisk either before or after decompression. This
could cause the toolstack to consume all available RAM in the domain
running the domain builder. (CVE-2012-4544)
Additionally, pygrub can consume an excessive amount of memory under
circumstances similar to the above.
A malicious guest administrator who can supply a kernel or ramdisk can
exhaust memory in domain 0 leading to a denial of service attack.
All versions of Xen are vulnerable.
Running only trusted kernels and ramdisks will avoid these
Using pvgrub also avoids these vulnerabilities since the builder will
run in guest context. (nb: use of pygrub *is* vulnerable).
Running only HVM guests will avoid these vulnerabilities.
Applying the appropriate attached patch resolves these issues.
The pygrub problem (CVE-2012-2625) was fixed in xen-unstable (and the
fix inherited by Xen 4.2.x) in revision 25589:60f09d1ab1fe but not
called out as a security problem. This fix is also included, where
necessary, in the patches below.
xsa25-unstable.patch Xen unstable
xsa25-4.2.patch Xen 4.2.x
xsa25-4.1.patch Xen 4.1.x
$ sha256sum xsa25*.patch
Note that these patches impose a new size limit of 1Gby on both the
compressed and uncompressed sizes of ramdisks. On some systems it may
be desirable to relax these limits and risk virtual address or memory
exhaustion in the toolstack. This can be achieved by setting
XC_DOM_DECOMPRESS_MAX to the desired limit (in bytes). This can be
done by building with "APPEND_CFLAGS=-DXC_DOM_DECOMPRESS_MAX=<limit>"
or by editing tools/libxc/xc_dom.h directly.
NOTE REGARDING LACK OF EMBARGO
These issues have already been discussed in public in various places,
and http://bugs.debian.org/688125. This advisory is therefore not
subject to an embargo.
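The size validation the advisory describes (a limit applied both before and after decompression), sketched in Python as an added example; it is not code from the xsa25 patches, libxc or pygrub. The names `bounded_gunzip` and `ImageTooLarge`, the gzip-only handling and the 1 MiB demo cap are assumptions made for illustration.

```python
import gzip
import zlib

# Demo cap (assumption). The advisory's patches default to 1Gby, tunable via
# XC_DOM_DECOMPRESS_MAX; a small value keeps this example fast.
DECOMPRESS_MAX = 1 << 20
CHUNK = 64 * 1024


class ImageTooLarge(Exception):
    """Kernel/ramdisk exceeds the size limit, compressed or decompressed."""


def bounded_gunzip(blob, limit=DECOMPRESS_MAX):
    """Gunzip `blob` while never buffering more than limit + 1 bytes."""
    # Check 1: compressed size, before any decompression work is done.
    if len(blob) > limit:
        raise ImageTooLarge("compressed size %d > limit %d" % (len(blob), limit))
    d = zlib.decompressobj(zlib.MAX_WBITS | 16)  # 16 selects gzip framing
    out = bytearray()
    data = blob
    while not d.eof:
        # Check 2: cap each call's output so the running total can pass the
        # limit by at most one byte. The gzip trailer's length field is not
        # consulted: it is supplied by whoever built the file.
        chunk = d.decompress(data, min(CHUNK, limit + 1 - len(out)))
        out += chunk
        if len(out) > limit:
            raise ImageTooLarge("decompressed size > limit %d" % limit)
        data = d.unconsumed_tail  # input left over because of the output cap
        if not chunk and not data and not d.eof:
            raise ValueError("truncated gzip stream")
    return bytes(out)


def demo():
    """Run the check on two constructed inputs (not real kernels/ramdisks)."""
    ok = gzip.compress(b"constructed ramdisk contents\n" * 64)
    oversized = gzip.compress(bytes(8 * DECOMPRESS_MAX))  # 8 MiB of zeros
    results = {"ok": len(bounded_gunzip(ok))}
    try:
        bounded_gunzip(oversized)
        results["oversized"] = "accepted"
    except ImageTooLarge:
        results["oversized"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```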