| Public release | 2012-12-03 17:51 |
| Updated | 2013-01-17 12:17 |
| CVE(s) | CVE-2012-5511 CVE-2012-6333 |
| Title | several HVM operations do not validate the range of their inputs |
Files: advisory-27.txt (signed advisory file)
-----BEGIN PGP SIGNED MESSAGE-----
Xen Security Advisory CVE-2012-5511,CVE-2012-6333 / XSA-27
several HVM operations do not validate the range of their inputs
UPDATES IN VERSION 5
The supplied patch for 4.1 was found to contain a bug. The patch has
been updated. The incremental fix can be found at
MITRE has asked that two CVEs be used for the issues described here:
 * CVE-2012-5511 now applies only to the stack-based buffer overflow
   that was fixed in 4.2.
 * CVE-2012-6333 applies to the larger input validation issues.
ISSUE DESCRIPTION
Several HVM control operations do not check the size of their inputs
and can tie up a physical CPU for extended periods of time.
In addition, dirty video RAM tracking involves clearing the bitmap
provided by the domain controlling the guest (e.g. dom0 or a
stubdom). If the size of that bitmap is overly large, an intermediate
variable on the hypervisor stack may overflow that stack.
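The two defects above (an unbounded input size driving a stack-resident intermediate variable, and an unbounded amount of work done in one call) have a standard defensive shape. The following sketch is added here as an illustration; it is not Xen's code and names nothing from the Xen source. The limits MAX_TRACKED_PAGES and WORK_BUDGET_WORDS, and the functions validate_bitmap_request, clear_dirty_bitmap and calls_to_clear, are all assumed for the example. It rejects out-of-range sizes before any buffer is sized from them, keeps the stack footprint fixed regardless of the request, and returns to the caller after a bounded amount of work so a single request cannot monopolise a CPU.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical sketch, not Xen's code. Models a control operation that
 * takes a bitmap size from the domain controlling a guest. */

#define MAX_TRACKED_PAGES  (1u << 20)   /* assumed upper bound on bitmap size (pages) */
#define WORK_BUDGET_WORDS  4096         /* assumed per-call work limit (64-bit words) */
#define BITS_PER_WORD      64
#define SCRATCH_WORDS      16

/* The unsafe shape the advisory describes (deliberately NOT used here):
 *   uint64_t tmp[nr_words];   // nr_words derived from the controlling domain's input
 * With no range check, an oversized request grows the frame until it
 * overruns the hypervisor stack. */

/* Range check on the caller-supplied page count. Returns 0 on success,
 * -EINVAL if the request is empty or exceeds the limit. On success,
 * *nr_words receives the number of 64-bit words the bitmap occupies. */
int validate_bitmap_request(uint64_t nr_pages, size_t *nr_words)
{
    if (nr_pages == 0 || nr_pages > MAX_TRACKED_PAGES)
        return -EINVAL;
    /* nr_pages is bounded above, so rounding up cannot overflow. */
    *nr_words = (size_t)((nr_pages + BITS_PER_WORD - 1) / BITS_PER_WORD);
    return 0;
}

/* Clears the caller's bitmap, resuming at *progress. Stack use is a
 * fixed SCRATCH_WORDS buffer independent of the request, and the call
 * stops after WORK_BUDGET_WORDS so the caller can re-invoke it.
 * Returns 1 if work remains, 0 when finished, or a negative errno. */
int clear_dirty_bitmap(uint64_t *bitmap, uint64_t nr_pages, size_t *progress)
{
    size_t nr_words, budget = WORK_BUDGET_WORDS;
    int rc = validate_bitmap_request(nr_pages, &nr_words);
    if (rc)
        return rc;
    if (*progress > nr_words)          /* stale or corrupted resume point */
        return -EINVAL;

    uint64_t zeros[SCRATCH_WORDS] = {0};   /* bounded, input-independent frame */
    while (*progress < nr_words && budget > 0) {
        size_t n = nr_words - *progress;
        if (n > SCRATCH_WORDS) n = SCRATCH_WORDS;
        if (n > budget)        n = budget;
        memcpy(bitmap + *progress, zeros, n * sizeof(uint64_t));
        *progress += n;
        budget    -= n;
    }
    return *progress < nr_words ? 1 : 0;
}

/* Drives clear_dirty_bitmap to completion the way a caller would,
 * re-invoking while it reports remaining work. Returns the number of
 * calls made, or a negative errno if the request was rejected. */
int calls_to_clear(uint64_t nr_pages)
{
    size_t words = 0, progress = 0;
    int rc = validate_bitmap_request(nr_pages, &words);
    if (rc)
        return rc;
    uint64_t *bitmap = malloc(words * sizeof(*bitmap));
    if (!bitmap)
        return -ENOMEM;
    memset(bitmap, 0xff, words * sizeof(*bitmap));   /* constructed: all bits dirty */
    int calls = 0;
    do {
        rc = clear_dirty_bitmap(bitmap, nr_pages, &progress);
        calls++;
    } while (rc == 1);
    for (size_t i = 0; i < words; i++)               /* confirm every word cleared */
        if (bitmap[i] != 0) { free(bitmap); return -EIO; }
    free(bitmap);
    return rc < 0 ? rc : calls;
}

int main(void)
{
    printf("validate(0)            = %d (expect -EINVAL)\n", calls_to_clear(0));
    printf("calls for 256 pages    = %d\n", calls_to_clear(256));
    printf("calls for 320000 pages = %d\n", calls_to_clear(64 * 5000));
    return 0;
}
```

The validation happens before any quantity derived from the input is used, and the clearing loop's stack footprint is the same 16-word scratch buffer whatever the request, which is the property the advisory's stack overflow lacks. The budget-and-resume return value models the usual way a long-running control operation is made preemptible: the caller loops, and other work gets the CPU between iterations.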
IMPACT
A malicious guest administrator can cause Xen to become unresponsive
or to crash, leading in either case to a Denial of Service.
VULNERABLE SYSTEMS
All Xen versions from 3.4 onwards are vulnerable.
However, Xen 4.2 and unstable are not vulnerable to the stack
overflow. Systems running either of these are not vulnerable to the
Versions 3.4, 4.0 and 4.1 are vulnerable to both the stack overflow and
the physical CPU hang.
MITIGATION
The vulnerability is only exposed to HVM guests.
Running only PV guests will avoid this vulnerability.
RESOLUTION
Applying the appropriate attached patch resolves this issue.
xsa27-4.1.patch    Xen 4.1.x
xsa27-4.2.patch    Xen 4.2.x
$ sha256sum xsa27*.patch
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
-----END PGP SIGNATURE-----
Xenproject.org Security Team