Information
| Advisory | XSA-13 |
| Public release | 2012-09-05 08:13 |
| Updated | 2012-09-05 08:13 |
| Version | 3 |
| CVE(s) | CVE-2012-3495 |
| Title | hypercall physdev_get_free_pirq vulnerability |
Files
advisory-13.txt (signed advisory file)
xsa13-xen-4.1.patch
Advisory
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Xen Security Advisory CVE-2012-3495 / XSA-13
version 3
hypercall physdev_get_free_pirq vulnerability
UPDATES IN VERSION 3
====================
Public release. Credit Matthew Daley.
Update version tag format.
ISSUE DESCRIPTION
=================
PHYSDEVOP_get_free_pirq does not check that its call to get_free_pirq
succeeded, and if it fails will use the error code as an array index.
IMPACT
======
A malicious guest might be able to cause the host to crash, leading to
a DoS, depending on the exact memory layout. Privilege escalation is
a theoretical possibility which cannot be ruled out, but is considered
unlikely.
VULNERABLE SYSTEMS
==================
All Xen systems.
Xen 4.1 is vulnerable. Other versions of Xen are not vulnerable.
MITIGATION
==========
This issue can be mitigated by ensuring (inside the guest) that the
kernel is trustworthy and avoiding situations where something might
repeatedly cause the attempted allocation of a physical irq.
RESOLUTION
==========
Applying the appropriate attached patch will resolve the issue.
CREDIT
======
Thanks to Matthew Daley for finding this vulnerability (and that in
XSA-12) and notifying the Xen.org security team.
PATCH INFORMATION
=================
The attached patches resolve this issue:
xsa13-xen-4.1.patch        Xen 4.1, 4.1.x
$ sha256sum xsa13-*.patch
ad6e3e40ff56c7c25a94d8d9763d4b49f07802b90b4362ddbe4c86bf285c1239 xsa13-xen-4.1.patch
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
Xenproject.org Security Team
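The pattern in the ISSUE DESCRIPTION above (an allocator's error return used directly as an array index), shown beside its checked form. This is an added, simplified model, not Xen's code and not the attached patch; `domain_model`, `get_free_pirq_model`, `NR_PIRQS`, the `PIRQ_*` markers and the use of `-ENOSPC` as the failure value are assumptions made for the illustration.

```c
#include <errno.h>

#define NR_PIRQS   4   /* constructed table size for this model */
#define PIRQ_FREE  0
#define PIRQ_INUSE 1   /* hypothetical marker, not a Xen constant */

struct domain_model {              /* hypothetical stand-in for per-domain state */
    int pirq_state[NR_PIRQS];
};

/* Allocator model: index of a free slot, or a negative errno if none is left. */
int get_free_pirq_model(const struct domain_model *d)
{
    for (int i = 0; i < NR_PIRQS; i++)
        if (d->pirq_state[i] == PIRQ_FREE)
            return i;
    return -ENOSPC;
}

/* Flawed pattern: the return value is used as an index without a check.
 * Once the table is full, ret is negative and the store lands outside
 * pirq_state[]. Kept for contrast only; do not call it on a full table. */
int alloc_pirq_unchecked(struct domain_model *d)
{
    int ret = get_free_pirq_model(d);
    d->pirq_state[ret] = PIRQ_INUSE;
    return ret;
}

/* Checked pattern: propagate the failure before touching the array. */
int alloc_pirq_checked(struct domain_model *d)
{
    int ret = get_free_pirq_model(d);
    if (ret < 0)
        return ret;
    d->pirq_state[ret] = PIRQ_INUSE;
    return ret;
}

/* Drive the checked path past exhaustion; returns the first failure code. */
int exhaust_with_checked(struct domain_model *d)
{
    int ret;
    while ((ret = alloc_pirq_checked(d)) >= 0)
        ;
    return ret;
}
```

With the check in place, repeated allocation attempts from a guest end in an error return to the caller and leave memory outside the table untouched.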