-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

      Xen Security Advisory CVE-2012-5511,CVE-2012-6333 / XSA-27
                               version 6

   several HVM operations do not validate the range of their inputs

UPDATES IN VERSION 6
====================

Fix patch name.

ISSUE DESCRIPTION
=================

Several HVM control operations do not check the size of their inputs
and can tie up a physical CPU for extended periods of time.

In addition dirty video RAM tracking involves clearing the bitmap
provided by the domain controlling the guest (e.g. dom0 or a
stubdom). If the size of that bitmap is overly large, an intermediate
variable on the hypervisor stack may overflow that stack.

IMPACT
======

A malicious guest administrator can cause Xen to become unresponsive
or to crash leading in either case to a Denial of Service.

VULNERABLE SYSTEMS
==================

All Xen versions from 3.4 onwards are vulnerable.

However Xen 4.2 and unstable are not vulnerable to the stack
overflow. Systems running either of these are not vulnerable to the
crash.

Version 3.4, 4.0 and 4.1 are vulnerable to both the stack overflow and
the physical CPU hang.

The vulnerability is only exposed to HVM guests.

MITIGATION
==========

Running only PV guests will avoid this vulnerability.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa27-4.1.patch             Xen 4.1.x
xsa27-4.2.patch             Xen 4.2.x
xsa27-unstable.patch        xen-unstable


$ sha256sum xsa27*.patch
82c9160484165acdebf91e8d80538829c756cf5abc2d8d890c8b4abd9aa4800a  xsa27-4.1.patch
462eae827944d1d337a6ebf13a36ea952d7fb76b993b9c29946e1d9cfb5ea2a3  xsa27-4.2.patch
fcb07c6bd78a0d9513a68e2eb3bf0c21ef4d8ff0e6ebf6fdce04a3170303cab6  xsa27-unstable.patch
$
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmV8b+YMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZsBsH/AvSWPJ5qd4pLmoBP/HtTPk20cdtay0aCv0xQm5a
u7kxLuxSJwyxIML0ZWpQyMQC+I6jX1CHy9x7t5gDCJdXK+o8qS+K9P7PS5ckHd3b
dUrPBt79TsXRZo4agcuMkgboWvVxuG3bsW9TV0WE5WkkfoeOUquauA9lBxYsUug3
8r3PUFv1Ffevuxypz+ZuwYWe57A6PNzqjXoUN1yU8dbp5QpMz8S7ItaLZPZ7pDYG
ynDSO7W5iRbOVHdX488bvr1aAmQSAx5Y/6tK6yjXPziKJwBRYeWo+787027V4Pj5
BOxBwAqlVqBbEKsTTa3si78xGdSMvN598hjmzB1mVn5gQzs=
=cf0p
-----END PGP SIGNATURE-----