Public release: 2014-09-09 12:30
Updated:        2014-09-11 10:07
Title:          Mishandling of uninitialised FIFO-based event channel control blocks
Files: advisory-107.txt (signed advisory file)
Xen Security Advisory CVE-2014-6268 / XSA-107
Mishandling of uninitialised FIFO-based event channel control blocks
UPDATES IN VERSION 2
When using the FIFO-based event channels, there are no checks for the
existence of a control block when binding an event or moving it to a
different VCPU. This is because events may be bound when the ABI is
in 2-level mode (e.g., by the toolstack before the domain is started).
The guest may trigger a Xen crash in evtchn_fifo_set_pending() if:
a) the event is bound to a VCPU without a control block; or
b) VCPU 0 does not have a control block.
In case (a), Xen will crash when looking up the current queue. In
(b), Xen will crash when looking up the old queue (which defaults to a
queue on VCPU 0).
A buggy or malicious guest can crash the host.
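As an added illustration (not code from the advisory, the XSA-107 patch, or Xen itself), a simplified C model of the two checks the description calls for: an event is dropped rather than delivered while the VCPU it is bound to, or the VCPU that owns its old queue (VCPU 0 by default), has no control block. Every struct and function name here is constructed for the example, and Xen's real evtchn_fifo_set_pending() logic is reduced to just the queue-lookup step that matters.

```c
/* Constructed model of the XSA-107 check (not Xen's code): refuse to deliver
 * a FIFO event when the current-queue VCPU (case a) or the old-queue VCPU,
 * VCPU 0 by default (case b), has no control block yet. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define NR_VCPUS 2
#define NR_QUEUES 16

struct control_block { unsigned int ready; };          /* one bit per ready queue */
struct vcpu {
    unsigned int id;
    struct control_block *cb;                           /* NULL until the guest initialises it */
    struct control_block cb_storage;
    unsigned int queue_depth[NR_QUEUES];                /* stand-in for the linked queues */
};
struct evtchn { unsigned int port, notify_vcpu_id, last_vcpu_id, priority; };

/* Returns true if the event was queued, false if it was dropped because a
 * required control block is missing (the lookup that used to crash Xen). */
bool fifo_set_pending(struct vcpu *vcpus, struct evtchn *e)
{
    struct vcpu *v = &vcpus[e->notify_vcpu_id];        /* current queue owner */
    struct vcpu *old_v = &vcpus[e->last_vcpu_id];      /* old queue owner, VCPU 0 by default */

    if (v->cb == NULL)                                 /* case (a): bound VCPU has no block */
        return false;
    if (old_v->cb == NULL)                             /* case (b): old-queue VCPU has no block */
        return false;

    v->queue_depth[e->priority]++;                     /* link the event onto its queue */
    v->cb->ready |= 1u << e->priority;                 /* flag the queue ready for the guest */
    e->last_vcpu_id = v->id;
    return true;
}

/* Scenario helper: 2 VCPUs, control blocks only where flagged; port 5 is
 * bound to `target` while last_vcpu_id is still at its default of 0. */
bool deliver(bool cb_on_vcpu0, bool cb_on_vcpu1, unsigned int target)
{
    struct vcpu vcpus[NR_VCPUS];
    memset(vcpus, 0, sizeof vcpus);
    for (unsigned int i = 0; i < NR_VCPUS; i++) {
        vcpus[i].id = i;
        if (i == 0 ? cb_on_vcpu0 : cb_on_vcpu1)
            vcpus[i].cb = &vcpus[i].cb_storage;
    }
    struct evtchn e = { .port = 5, .notify_vcpu_id = target, .last_vcpu_id = 0, .priority = 4 };
    return fifo_set_pending(vcpus, &e);
}
```

With the checks removed, the case (a) and case (b) calls below dereference a NULL control block, which is the host crash the advisory describes.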
Xen 4.4 and onward are vulnerable.
This issue was originally reported by Vitaly Kuznetsov at Red Hat and
diagnosed as a security issue by David Vrabel at Citrix.
NOTE REGARDING LACK OF EMBARGO
This bug was publicly reported on xen-devel, before it was appreciated
that there was a security problem.
Applying the appropriate attached patch resolves this issue.
xsa107-4.4.patch    Xen 4.4.x
$ sha256sum xsa107*.patch
Xenproject.org Security Team