-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2013-1432 / XSA-58 version 2 Page reference counting error due to XSA-45/CVE-2013-1918 fixes UPDATES IN VERSION 2 ==================== Public release. Credits section added. ISSUE DESCRIPTION ================= The XSA-45/CVE-2013-1918 patch making error handling paths preemptible broke page reference counting by not retaining a reference on pages stored for deferred cleanup. This would lead to the hypervisor prematurely attempting to free the page, generally crashing upon finding the page still in use. CREDITS ======= Thanks to Andrew Cooper and the Citrix XenServer team for discovering and reporting this vulnerability, and helping investigate it. IMPACT ====== Malicious or buggy PV guest kernels can mount a denial of service attack affecting the whole system. It can't be excluded that this could also be exploited to mount a privilege escalation attack. VULNERABLE SYSTEMS ================== All Xen versions having the XSA-45/CVE-2013-1918 fixes applied are vulnerable. The vulnerability is only exposed by PV guests. MITIGATION ========== Running only HVM guests, or PV guests with trusted kernels, will avoid this vulnerability. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. xsa58-4.1.patch Xen 4.1.x xsa58-4.2.patch Xen 4.2.x xsa58-unstable.patch xen-unstable $ sha256sum xsa58*.patch 3623ec87e5a2830f0d41de19a8e448d618954973c3264727a1f3a095f15a8641 xsa58-4.1.patch 194d6610fc38b767d643e5d58a1268f45921fb35e309b47aca6a388b861311c2 xsa58-4.2.patch 2c94b099d7144d03c0f7f44e892a521537fc040d11bc46f84a2438eece46a0f5 xsa58-unstable.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJRyuoNAAoJEIP+FMlX6CvZY3EH/04uBhD797FdBhCRkq/y1ACc Dvg1BRZ4lHkURDp97gD4Fdyf95Lw4qtniYBq8H/kpVPWJgN7+Dmj8uoluWhOI62Y Q7a97CZ3O39VcuNRQnZG8c6dduGwMTzbJMkftG0CcltygAxVVRU4uHSG4+MHQ5PZ N1xauljWrbw49iZz0shxZv4BA/1MQyuyZGFIpOaYoom0vV67pfrQJ2kgCMDUctmq WXNkVcOiS7lwS/+++goPIboSEy6UJCIVrhZmL7GhbNfiznlOFVgExMttQRcUDi/D 4SS4ghl3IyB34TwoX1P7TPEeHGbfonObGpzBQNduBIJDM32nqO7P8097XG0j0Tw= =aw1s -----END PGP SIGNATURE-----