-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2015-4163 / XSA-134 version 3 GNTTABOP_swap_grant_ref operation misbehavior UPDATES IN VERSION 3 ==================== Public release. Added email header syntax to patches, for e.g. git-am. ISSUE DESCRIPTION ================= With the introduction of version 2 grant table operations, a version check became necessary for most grant table related hypercalls. The GNTTABOP_swap_grant_ref call was lacking such a check. As a result, the subsequent code behaved as if version 2 was in use, when a guest issued this hypercall without a prior GNTTABOP_setup_table or GNTTABOP_set_version. The effect is a possible NULL pointer dereferences. However, this cannot be exploited to elevate privileges of the attacking domain, as the maximum memory address that can be wrongly accessed this way is bounded to far below the start of hypervisor memory. IMPACT ====== Malicious or buggy guest domain kernels can mount a denial of service attack which, if successful, can affect the whole system. VULNERABLE SYSTEMS ================== Xen versions from 4.2 onwards are vulnerable. MITIGATION ========== There is no mitigation available. CREDITS ======= This issue was discovered by Jan Beulich of SUSE. RESOLUTION ========== Applying the attached patch resolves this issue. xsa134.patch xen-unstable, Xen 4.5.x, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x $ sha256sum xsa134*.patch fff911a994a5031831cabd574bcba281eff438559706414a1886502eaa05ee12 xsa134.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJVeX71AAoJEIP+FMlX6CvZ67gIALM9l5JdS8BN9b1/CsXSr246 kwuTcDX/dmvVeoMMU5tYag5H6HbpFaI4GX5rvTIVS1fqHRygyRCGJmgQQQf2EmOh E6PKeCzfYoUh6t8YoV5RtYFcUA8qPG6AmXjQGU5tbrCgM7kGYcHU+dFHUu7VEoBH 7Rjzwkht/u64nFRJOU7zBLiCc0/yB1K0JystM1m5przdcTTfawl1bdknG3wGxAuk +jSQk6+rBATZgRY3r2mjvUnXvSJfsV/UklRhJCRXT0jz4O+gdgP4AU33RtGx8Evc 64wIORu50Imvo5ZR4yCwElw/TnIJeyY3Nbq6vltMvWhhqxhyNhG+a+t2BrsD8Sc= =sqdZ -----END PGP SIGNATURE-----