Information
| Advisory | XSA-14 |
| Public release | 2012-09-05 08:38 |
| Updated | 2012-09-05 08:38 |
| Version | 3 |
| CVE(s) | CVE-2012-3496 |
| Title | XENMEM_populate_physmap DoS vulnerability |
Files
advisory-14.txt (signed advisory file)
xsa14-unstable.patch
xsa14-xen-3.4-and-4.x.patch
Advisory
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Xen Security Advisory CVE-2012-3496 / XSA-14
version 3
XENMEM_populate_physmap DoS vulnerability
UPDATES IN VERSION 3
====================
Public release. Credit Matthew Daley.
Update version tag format.
ISSUE DESCRIPTION
=================
XENMEM_populate_physmap can be called with invalid flags. By calling
it with MEMF_populate_on_demand flag set, a BUG can be triggered if a
translating paging mode is not being used.
IMPACT
======
A malicious guest kernel can crash the host.
VULNERABLE SYSTEMS
==================
All Xen systems running PV guests. Systems running only HVM guests
are not vulnerable.
The vulnerability dates back to at least Xen 4.0. 4.0, 4.1, the 4.2
RCs, and xen-unstable.hg are all vulnerable.
MITIGATION
==========
This issue can be mitigated by ensuring that the guest kernel is
trustworthy or by running only HVM guests.
RESOLUTION
==========
Applying the appropriate attached patch will resolve the issue.
CREDIT
======
Thanks to Matthew Daley for finding this vulnerability (and that in
XSA-12) and notifying the Xen.org security team.
PATCH INFORMATION
=================
The attached patches resolve this issue:
xsa14-unstable.patch xen-unstable
xsa14-xen-3.4-and-4.x.patch Xen 4.1.x, 4.0.x, 3.4.x
$ sha256sum xsa14-*.patch
7a2e119b114708420c3484ecc338c7a198097f40e0d38854756dfa69c4c859a8 xsa14-unstable.patch
41a1ee1da7e990dc93b75fad0d46b66a2bda472e9aa288c91d1dc5d15d2c2012 xsa14-xen-3.4-and-4.x.patch
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
Xenproject.org Security Team
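
The bug class in the issue description, as an added stand-alone model (not Xen source code and not the contents of the attached patches): a guest-supplied flag reaches a fatal assertion, and the hardened form rejects the request with an error instead. The struct, the function names, the flag's bit value and the unknown-bits check are assumptions made for illustration; `host_crashed` stands in for the hypervisor's BUG().

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Flag name follows the advisory; the bit value is an assumption of this model. */
#define MEMF_populate_on_demand (1u << 0)
#define MEMF_KNOWN_MASK         (MEMF_populate_on_demand)

struct domain {
    bool translating;   /* true: translating paging mode in use; false: PV guest */
    bool host_crashed;  /* models BUG(): set when the assertion would fire */
};

/* Pre-fix shape: the guest-controlled flag is trusted and reaches an assertion. */
static int populate_vulnerable(struct domain *d, unsigned int memflags)
{
    if ((memflags & MEMF_populate_on_demand) && !d->translating) {
        d->host_crashed = true;   /* BUG(): takes down every guest on the host */
        return -1;                /* not reached in a real hypervisor */
    }
    return 0;
}

/* Hardened shape: validate guest input, fail only the caller's request. */
static int populate_hardened(struct domain *d, unsigned int memflags)
{
    if (memflags & ~MEMF_KNOWN_MASK)
        return -EINVAL;           /* unknown flag bits are rejected */
    if ((memflags & MEMF_populate_on_demand) && !d->translating)
        return -EINVAL;           /* flag is invalid without a translating mode */
    return 0;
}

int main(void)
{
    struct domain pv = { .translating = false, .host_crashed = false };

    int rc = populate_hardened(&pv, MEMF_populate_on_demand);
    printf("hardened:   rc=%d host_crashed=%d\n", rc, pv.host_crashed);

    rc = populate_vulnerable(&pv, MEMF_populate_on_demand);
    printf("vulnerable: rc=%d host_crashed=%d\n", rc, pv.host_crashed);
    return 0;
}
```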