             Xen Security Advisory CVE-2012-5514 / XSA-30
                              version 5

   Broken error handling in guest_physmap_mark_populate_on_demand()

UPDATES IN VERSION 5
====================

Fix patch name.

ISSUE DESCRIPTION
=================

guest_physmap_mark_populate_on_demand(), before carrying out its actual
operation, checks that the subject GFNs are not in use. If that check
fails, the code prints a message and bypasses the gfn_unlock() matching
the gfn_lock() carried out before entering the loop.

Further, the function is exposed for use by guests on their own behalf.
While we believe that this does not cause any further issues, we have
not conducted a thorough enough review to be sure. Rather, it should be
exposed only to privileged domains.

IMPACT
======

A malicious guest administrator can cause Xen to hang.

VULNERABLE SYSTEMS
==================

All Xen versions from 3.4 onwards are vulnerable.

The vulnerability is only exposed by HVM guests.

MITIGATION
==========

Running only PV guests will avoid this vulnerability.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa30-4.1.patch             Xen 4.1.x
xsa30-4.2.patch             Xen 4.2.x
xsa30-unstable.patch        xen-unstable

$ sha256sum xsa30*.patch
586adda04271e91e42f42bb53636e2aa6fc7379e2c2c4b825e7ec6e34350669e  xsa30-4.1.patch
c410bffb90a551be30fde5ec4593c361b69e9c261878255fdb4f8447e7177418  xsa30-4.2.patch
2270eed8b89e4e28c4c79e5a284203632a7189474d6f0a6152d6cf56b287497b  xsa30-unstable.patch
$
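
The error path described under ISSUE DESCRIPTION, shown as an added user-space C model beside a corrected shape. This is not Xen source and not the attached patch; the struct, the function names, the 8-entry GFN table and the error codes are all assumptions made for illustration.

```c
/* User-space model of the flaw; not Xen source. All names are hypothetical. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#define NGFN 8
struct p2m_model {
    int  lock_depth;      /* 0 = unlocked; models the lock taken before the loop */
    bool in_use[NGFN];    /* GFNs that are already in use */
    bool pod[NGFN];       /* GFNs marked populate-on-demand */
};
static void model_lock(struct p2m_model *p)   { p->lock_depth++; }
static void model_unlock(struct p2m_model *p) { p->lock_depth--; }
static bool range_ok(size_t gfn, size_t n)    { return gfn <= NGFN && n <= NGFN - gfn; }

/* Flawed shape: the in-use check leaves the function with the lock still held. */
int mark_pod_buggy(struct p2m_model *p, size_t gfn, size_t n)
{
    if (!range_ok(gfn, n)) return -EINVAL;
    model_lock(p);
    for (size_t i = gfn; i < gfn + n; i++)
        if (p->in_use[i])
            return -EBUSY;              /* unlock below is bypassed */
    for (size_t i = gfn; i < gfn + n; i++)
        p->pod[i] = true;
    model_unlock(p);
    return 0;
}

/* Corrected shape: privileged callers only, and one exit path that unlocks. */
int mark_pod_fixed(struct p2m_model *p, bool privileged, size_t gfn, size_t n)
{
    int rc = 0;
    if (!privileged) return -EPERM;     /* rejected before any lock is taken */
    if (!range_ok(gfn, n)) return -EINVAL;
    model_lock(p);
    for (size_t i = gfn; i < gfn + n; i++)
        if (p->in_use[i]) { rc = -EBUSY; goto out; }
    for (size_t i = gfn; i < gfn + n; i++)
        p->pod[i] = true;
out:
    model_unlock(p);
    return rc;
}
/* Lock depth left after a failing call on constructed state (GFN 2 in use). */
int depth_after_failure(bool use_fixed)
{
    struct p2m_model p = { .in_use = { [2] = true } };
    int rc = use_fixed ? mark_pod_fixed(&p, true, 0, 4) : mark_pod_buggy(&p, 0, 4);
    return rc == -EBUSY ? p.lock_depth : -1;
}
```

A non-zero lock depth after a failed call is the condition that leaves later lock takers waiting, which corresponds to the hang described under IMPACT.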