Information
| Advisory | XSA-50 |
|---|
| Public release | 2013-04-18 15:16 |
|---|
| Updated | 2023-12-15 15:35 |
|---|
| Version | 2 |
|---|
| CVE(s) | CVE-2013-1964 |
|---|
| Title | grant table hypercall acquire/release imbalance |
|---|
Files
advisory-50.txt (signed advisory file)
xsa50-4.1.patch
Advisory
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Xen Security Advisory CVE-2013-1964 / XSA-50
version 2
grant table hypercall acquire/release imbalance
UPDATES IN VERSION 2
====================
Normalize version tags
ISSUE DESCRIPTION
=================
When releasing a non-v1 non-transitive grant after doing a grant copy
operation, Xen incorrectly recurses (as if for a transitive grant) and
releases an unrelated grant reference.
IMPACT
======
A malicious guest administrator can cause undefined behaviour;
depending on the dom0 kernel a host crash is possible, but information
leakage or privilege escalation cannot be ruled out.
VULNERABLE SYSTEMS
==================
Xen 4.0 and 4.1 are vulnerable. Any kind of guest can trigger the
vulnerability.
Xen 4.2 and xen-unstable, as well as Xen 3.x and earlier, are not
vulnerable.
MITIGATION
==========
Using only trustworthy guest kernels will avoid the vulnerability.
Using a debug build of Xen will eliminate the possible information
leak or privilege violation; instead, if the vulnerability is
attacked, Xen will crash.
NOTE REGARDING EMBARGO
======================
A crash resulting from this bug has been reported by a user on the
public xen-devel mailing list. There is therefore no embargo.
RESOLUTION
==========
Applying the attached patch resolves this issue.
xsa50-4.1.patch Xen 4.1.x, 4.2.x
$ sha256sum xsa50-*.patch
29f76073311a372dd30dd4788447850465d2575d5ff7b2c10912a69e4941fb21 xsa50-4.1.patch
$
-----BEGIN PGP SIGNATURE-----
iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmV8b+gMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZ5YAH/09hL6h4lhmz9Rqc4RWgSThaUowZvMPzsKDLkH6q
tc3712lEhZzYL+QgEXMnrq0R3AIVVCSb5l24zzSXcIQAdlmwfnC3A23fwI1RRAH1
0p47WHPYRrlBFt0JvksbdrTzKHR7h3k3eB+jZvINAAIIzLC+46xI3woz6k9gQdg3
97Mv82Y6AJUThhU+fHrPlHk0VMOTdSXJsRJ8C2OklvDpOV00ggPg9EsgJlyshsyf
vPiKVkngmDsA8bmTntdSJCbAsM51JZWhD+UsZE3Uot27TfXMAtcxWLlRM83Gt5gx
cmGwEmFdiRC2hHSomkUBZrgRDh3stq2+Kr/FJdZmGuRZ/Vk=
=pgf1
-----END PGP SIGNATURE-----
Xenproject.org Security Team