Xen Security Advisory CVE-2012-3496 / XSA-14
version 3

XENMEM_populate_physmap DoS vulnerability

UPDATES IN VERSION 3
====================

Public release. Credit Matthew Daley.

Update version tag format.

ISSUE DESCRIPTION
=================

XENMEM_populate_physmap can be called with invalid flags. By calling
it with MEMF_populate_on_demand flag set, a BUG can be triggered if a
translating paging mode is not being used.

IMPACT
======

A malicious guest kernel can crash the host.

VULNERABLE SYSTEMS
==================

All Xen systems running PV guests. Systems running only HVM guests
are not vulnerable.

The vulnerability dates back to at least Xen 4.0. 4.0, 4.1, the 4.2
RCs, and xen-unstable.hg are all vulnerable.

MITIGATION
==========

This issue can be mitigated by ensuring that the guest kernel is
trustworthy or by running only HVM guests.

RESOLUTION
==========

Applying the appropriate attached patch will resolve the issue.

CREDIT
======

Thanks to Matthew Daley for finding this vulnerability (and that in
XSA-12) and notifying the Xen.org security team.

PATCH INFORMATION
=================

The attached patches resolve this issue

 xsa14-unstable.patch           xen-unstable
 xsa14-xen-3.4-and-4.x.patch    Xen 4.1.x, 4.0.x, 3.4.x

$ sha256sum xsa14-*.patch
7a2e119b114708420c3484ecc338c7a198097f40e0d38854756dfa69c4c859a8  xsa14-unstable.patch
41a1ee1da7e990dc93b75fad0d46b66a2bda472e9aa288c91d1dc5d15d2c2012  xsa14-xen-3.4-and-4.x.patch
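
Before applying a patch as described under RESOLUTION, its digest can be checked against the values listed under PATCH INFORMATION. The script below is an added example, not part of the advisory or of Xen; the helper name verify_patch and the variable XSA14_SUMS are assumptions made here, and the two digests are copied from the advisory text.

```shell
#!/bin/sh
# Added example: SHA-256 values copied from the PATCH INFORMATION section.
XSA14_SUMS='7a2e119b114708420c3484ecc338c7a198097f40e0d38854756dfa69c4c859a8  xsa14-unstable.patch
41a1ee1da7e990dc93b75fad0d46b66a2bda472e9aa288c91d1dc5d15d2c2012  xsa14-xen-3.4-and-4.x.patch'

# verify_patch SUMS DIR NAME   (hypothetical helper, not a Xen tool)
# Returns 0 only if NAME is listed in SUMS, DIR/NAME exists, and its
# SHA-256 equals the listed value. Returns 1 on a digest mismatch and
# 2 if the name is unlisted, unsafe, or the file is missing.
verify_patch() {
    sums=$1
    dir=$2
    name=$3
    # Accept bare file names only, so a crafted name cannot escape DIR.
    case $name in
        */*|'') echo "refusing name: $name" >&2; return 2 ;;
    esac
    # Look up the expected digest; only well-formed 64-character entries count.
    expected=$(printf '%s\n' "$sums" |
        awk -v n="$name" '$2 == n && length($1) == 64 { print $1; exit }')
    [ -n "$expected" ] || { echo "$name: not listed in advisory" >&2; return 2; }
    [ -f "$dir/$name" ] || { echo "$name: file not found" >&2; return 2; }
    actual=$(sha256sum "$dir/$name" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "$name: OK"
    else
        echo "$name: MISMATCH (got $actual)" >&2
        return 1
    fi
}

# Usage: sh verify.sh DIR PATCHNAME; apply the patch only on exit status 0.
if [ "$#" -eq 2 ]; then
    verify_patch "$XSA14_SUMS" "$1" "$2"
fi
```

The digests are only as trustworthy as the advisory text they came from, so check the advisory's PGP signature first.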