Xen Security Advisory CVE-2012-3495 / XSA-13
version 3

hypercall physdev_get_free_pirq vulnerability

UPDATES IN VERSION 3
====================

Public release. Credit Matthew Daley. Update version tag format.

ISSUE DESCRIPTION
=================

PHYSDEVOP_get_free_pirq does not check that its call to get_free_pirq
succeeded, and if it fails will use the error code as an array index.

IMPACT
======

A malicious guest might be able to cause the host to crash, leading to
a DoS, depending on the exact memory layout. Privilege escalation is a
theoretical possibility which cannot be ruled out, but is considered
unlikely.

VULNERABLE SYSTEMS
==================

All Xen systems.

Xen 4.1 is vulnerable. Other versions of Xen are not vulnerable.

MITIGATION
==========

This issue can be mitigated by ensuring (inside the guest) that the
kernel is trustworthy and avoiding situations where something might
repeatedly cause the attempted allocation of a physical irq.

RESOLUTION
==========

Applying the appropriate attached patch will resolve the issue.

CREDIT
======

Thanks to Matthew Daley for finding this vulnerability (and that in
XSA-12) and notifying the Xen.org security team.

PATCH INFORMATION
=================

The attached patches resolve this issue

 xsa13-xen-4.1.patch    Xen 4.1, 4.1.x

$ sha256sum xsa13-*.patch
ad6e3e40ff56c7c25a94d8d9763d4b49f07802b90b4362ddbe4c86bf285c1239  xsa13-xen-4.1.patch
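
The missing check described under ISSUE DESCRIPTION, as an added example that is not part of the advisory or the Xen source: a simplified C model that puts the unchecked index beside the checked form. The structure, the function names, the table size and the -ENOSPC error value are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>

#define NR_PIRQS 8            /* constructed table size for this model */
enum { PIRQ_FREE = 0, PIRQ_RESERVED = 1 };

struct domain_model {         /* hypothetical stand-in for per-domain state */
    int pirq_state[NR_PIRQS];
};

/* Returns a free index, or a negative errno value when the table is full. */
static int find_free_pirq(const struct domain_model *d)
{
    for (int i = 0; i < NR_PIRQS; i++)
        if (d->pirq_state[i] == PIRQ_FREE)
            return i;
    return -ENOSPC;           /* assumed error value for the model */
}

/* Flawed pattern: the caller treats the result as an index without a check.
 * Only the index is returned here; the out-of-bounds write is not performed. */
static int unchecked_index(const struct domain_model *d)
{
    return find_free_pirq(d); /* would feed d->pirq_state[...] directly */
}

/* Hardened pattern: return the error before the table is touched. */
static int reserve_free_pirq(struct domain_model *d)
{
    int pirq = find_free_pirq(d);
    if (pirq < 0)
        return pirq;
    d->pirq_state[pirq] = PIRQ_RESERVED;
    return pirq;
}

int main(void)
{
    struct domain_model d = {{0}};
    int granted = 0;
    while (reserve_free_pirq(&d) >= 0)
        granted++;
    printf("granted=%d, next unchecked index=%d\n", granted, unchecked_index(&d));
    return 0;
}
```

Once every slot is reserved, the unchecked path yields a negative index that falls before the start of the table, while the checked path hands the error back to the caller and leaves the table untouched.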