Xen Security Advisory CVE-2012-3516 / XSA-18
version 2

grant table entry swaps have inadequate bounds checking

UPDATES IN VERSION 2
====================

Public release.

Update version tag format.

ISSUE DESCRIPTION
=================

The grant table hypercall's GNTTABOP_swap_grant_ref sub-operation does
not perform adequate checks on the input grant references.

IMPACT
======

A malicious guest kernel or administrator can crash the host.

It may be possible for an attacker to swap a valid grant reference,
which they control, with an invalid one, allowing them to write
arbitrary values to hypervisor memory. This could potentially lead to
a privilege escalation.

VULNERABLE SYSTEMS
==================

Xen-unstable, including Xen 4.2 release candidates, is vulnerable to
this issue.

Xen 4.1 and earlier do not include this hypercall and are therefore
not vulnerable.

MITIGATION
==========

The only mitigation is not to run guests which have untrusted
administrators.

RESOLUTION
==========

Applying the attached patch will resolve the issue.

PATCH INFORMATION
=================

The attached patch resolves this issue:

 xsa18-unstable.patch          xen-unstable

$ sha256sum xsa18-unstable.patch
ad354a1964fc52b0e48d405514156935cc8dfcb5bdaee307e3e74afcc0ca8914  xsa18-unstable.patch
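
The kind of bounds check the ISSUE DESCRIPTION says is missing, shown as a simplified user-space model of a batched swap operation. This is an added example, not Xen source and not the attached xsa18-unstable.patch; the types, the function names (swap_grant_ref, swap_batch) and the status codes are hypothetical, and the table and requests in main() are constructed sample data.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified user-space model; every name here is hypothetical, not Xen's. */
typedef uint32_t grant_ref_t;

struct grant_entry { uint16_t flags; uint16_t domid; uint32_t frame; };

struct grant_table {
    struct grant_entry *entries;   /* backing array */
    uint32_t nr_entries;           /* number of valid slots in entries[] */
};

struct swap_op { grant_ref_t ref_a, ref_b; int status; };

enum { SWAP_OK = 0, SWAP_BAD_REF = -1 };

/* Swap two entries only after both guest-supplied references are in range. */
int swap_grant_ref(struct grant_table *gt, grant_ref_t ref_a, grant_ref_t ref_b)
{
    /* Unsigned compare: a "negative" value from the guest is a huge index. */
    if (ref_a >= gt->nr_entries || ref_b >= gt->nr_entries)
        return SWAP_BAD_REF;       /* reject before any array indexing */
    struct grant_entry tmp = gt->entries[ref_a];
    gt->entries[ref_a] = gt->entries[ref_b];
    gt->entries[ref_b] = tmp;
    return SWAP_OK;
}

/* Process a batch, recording a per-op status; returns how many were rejected. */
unsigned swap_batch(struct grant_table *gt, struct swap_op *ops, unsigned count)
{
    unsigned rejected = 0;
    for (unsigned i = 0; i < count; i++) {
        ops[i].status = swap_grant_ref(gt, ops[i].ref_a, ops[i].ref_b);
        if (ops[i].status != SWAP_OK)
            rejected++;
    }
    return rejected;
}

int main(void)
{
    /* Constructed sample data: a 4-entry table and three requests. */
    struct grant_entry e[4] = { {1, 0, 100}, {1, 0, 101}, {1, 0, 102}, {1, 0, 103} };
    struct grant_table gt = { e, 4 };
    struct swap_op ops[] = { {0, 3, 0}, {1, 4, 0}, {0xFFFFFFFFu, 2, 0} };
    unsigned bad = swap_batch(&gt, ops, 3);
    printf("rejected=%u frame[0]=%u frame[3]=%u\n", bad, (unsigned)e[0].frame, (unsigned)e[3].frame);
    return 0;
}
```

Both references are validated before either is used as an index, so a request with one valid and one out-of-range reference is rejected as a whole and leaves the table unchanged.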