|Public release ||2015-06-11 12:00|
|Updated ||2015-06-11 12:28|
|Title ||GNTTABOP_swap_grant_ref operation misbehavior|
Filesadvisory-134.txt (signed advisory file)
-----BEGIN PGP SIGNED MESSAGE-----
Xen Security Advisory CVE-2015-4163 / XSA-134
GNTTABOP_swap_grant_ref operation misbehavior
UPDATES IN VERSION 3
Added email header syntax to patches, for e.g. git-am.
With the introduction of version 2 grant table operations, a version
check became necessary for most grant table related hypercalls. The
GNTTABOP_swap_grant_ref call was lacking such a check. As a result,
the subsequent code behaved as if version 2 was in use, when a guest
issued this hypercall without a prior GNTTABOP_setup_table or
The effect is a possible NULL pointer dereferences. However, this
cannot be exploited to elevate privileges of the attacking domain, as
the maximum memory address that can be wrongly accessed this way is
bounded to far below the start of hypervisor memory.
Malicious or buggy guest domain kernels can mount a denial of service
attack which, if successful, can affect the whole system.
Xen versions from 4.2 onwards are vulnerable.
There is no mitigation available.
This issue was discovered by Jan Beulich of SUSE.
Applying the attached patch resolves this issue.
xsa134.patch xen-unstable, Xen 4.5.x, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x
$ sha256sum xsa134*.patch
DEPLOYMENT DURING EMBARGO
Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).
Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)
For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----
Xenproject.org Security Team