Information
| Advisory | XSA-16 |
| Public release | 2012-09-05 09:12 |
| Updated | 2012-09-05 09:12 |
| Version | 3 |
| CVE(s) | CVE-2012-3498 |
| Title | PHYSDEVOP_map_pirq index vulnerability |
Files
advisory-16.txt (signed advisory file)
xsa16-unstable.patch
xsa16-xen-4.1.patch
Advisory
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Xen Security Advisory CVE-2012-3498 / XSA-16
version 3
PHYSDEVOP_map_pirq index vulnerability
UPDATES IN VERSION 3
====================
Public release. Credit Matthew Daley.
Update version tag format.
ISSUE DESCRIPTION
=================
PHYSDEVOP_map_pirq with MAP_PIRQ_TYPE_GSI does not range check
map->index.
IMPACT
======
A malicious HVM guest kernel can crash the host. It might also be
able to read hypervisor or guest memory.
VULNERABLE SYSTEMS
==================
All Xen systems running HVM guests. PV guests are not vulnerable.
The vulnerability dates back to Xen 4.1. Xen 4.0 is not vulnerable.
4.1, the 4.2 RCs, and xen-unstable.hg are vulnerable.
MITIGATION
==========
This issue can be mitigated by ensuring that the guest kernel is
trustworthy, or by running only PV guests.
RESOLUTION
==========
Applying the appropriate attached patch will resolve the issue.
CREDIT
======
Thanks to Matthew Daley for finding this vulnerability (and that in
XSA-12) and notifying the Xen.org security team.
PATCH INFORMATION
=================
The attached patches resolve this issue:
 xsa16-unstable.patch        xen-unstable
 xsa16-xen-4.1.patch         Xen 4.1.x
$ sha256sum xsa16-*.patch
f8db42898620112c8e77bf116645d650b3671d4ccc49adcad09c7b4591d55cab xsa16-unstable.patch
4b76d554b23977443209e45d3a2404d63695eb3020ff87a8e16e5e25cbddff31 xsa16-xen-4.1.patch
Xenproject.org Security Team
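The missing range check named in the issue description, modelled as an added example (not Xen's code and not the contents of the attached patches): a guest-supplied signed index into a fixed-size table, first unchecked and then range-checked. All `model_*` and `MODEL_*` names, the table size of 48 and the pirq values are assumptions made for illustration.

```c
#include <errno.h>

/* Model only: names and sizes are assumptions, not Xen's definitions. */
#define MODEL_NR_GSIS      48   /* assumed size of the per-domain GSI table */
#define MODEL_MAP_TYPE_GSI 1    /* stand-in for MAP_PIRQ_TYPE_GSI */

struct model_map_pirq {         /* guest-controlled hypercall argument */
    int type;
    int index;                  /* signed, so negative values are possible */
    int pirq;                   /* output: pirq bound to the GSI */
};

struct model_domain {
    int gsi_to_pirq[MODEL_NR_GSIS];
};

/* Pattern the advisory describes: index used without a range check.
 * Correct only for a trusted caller, which a guest kernel is not. */
int model_map_pirq_unchecked(const struct model_domain *d,
                             struct model_map_pirq *map)
{
    if (map->type != MODEL_MAP_TYPE_GSI)
        return -EINVAL;
    map->pirq = d->gsi_to_pirq[map->index];  /* out of bounds for a bad index */
    return 0;
}

/* Hardened form: reject both ends of the range before any table access. */
int model_map_pirq_checked(const struct model_domain *d,
                           struct model_map_pirq *map)
{
    if (map->type != MODEL_MAP_TYPE_GSI)
        return -EINVAL;
    if (map->index < 0 || map->index >= MODEL_NR_GSIS)
        return -EINVAL;
    map->pirq = d->gsi_to_pirq[map->index];
    return 0;
}

/* Constructed driver: fills the table with pirq = gsi + 16, then queries it
 * through the checked path. Returns the pirq, or a negative errno. */
int model_query(int index)
{
    struct model_domain d;
    struct model_map_pirq map = { MODEL_MAP_TYPE_GSI, index, -1 };
    for (int i = 0; i < MODEL_NR_GSIS; i++)
        d.gsi_to_pirq[i] = i + 16;
    int rc = model_map_pirq_checked(&d, &map);
    return rc ? rc : map.pirq;
}
```

The check has to cover the negative side as well as the upper bound, because the index is a signed value taken directly from the caller.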