-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2012-5513 / XSA-29 version 3 XENMEM_exchange may overwrite hypervisor memory UPDATES IN VERSION 3 ==================== Public release. ISSUE DESCRIPTION ================= The handler for XENMEM_exchange accesses guest memory without range checking the guest provided addresses, thus allowing these accesses to include the hypervisor reserved range. IMPACT ====== A malicious guest administrator can cause Xen to crash. If the out of address space bounds access does not lead to a crash, a carefully crafted privilege escalation cannot be excluded, even though the guest doesn't itself control the values written. VULNERABLE SYSTEMS ================== All Xen versions are vulnerable. The vulnerability is only exposed to PV guests. MITIGATION ========== Running only HVM guests, or ensuring that PV guests only use trusted kernels, will avoid this vulnerability. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. xsa29-4.1.patch Xen 4.1.x xsa29-4.2-unstable.patch Xen 4.2.x, xen-unstable $ sha256sum xsa29*.patch 7246a5534bc1e6a47bb6a860f6eb61c8353ad8b46209310783e823b4f7e2eae8 xsa29-4.1.patch 54dcd3ac5c84903bfb04f8591107a74c27b079815f2c6843212e05f776873c73 xsa29-4.2-unstable.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJQvOJ3AAoJEIP+FMlX6CvZ7u8IAM01+jNn5fwdGmoo/LIdH885 nWr5aSc+qMqVuSvla0KKh1SOLFaVWFgovLN1Sfu2hAxLgrK3HxN86RqHU/vLo0k0 KTFM+9xQlxhJNQzyQSiDryH/qSrHTQI6ERxUEYgfjtTieK8y30SZqkd6jBmwoir/ nAMMP8oFmVevM2WfYEWjNNsWPaiUlUYP13qxiWGPcGzhcNNKRwcmrIY4N+F6kHID Ipl4l5vhoeSaQ0fKkcJKHa+3QGd+706jHZ5VTCwPdWBCnBJLFuMWbc2UlyIg2EB9 N+3Olwf3jCF0zIzBJkomA+FAg+D7kw31DCjc+y1PdGIyuoMkk+JRwYFVkZcKLi4= =pD8C -----END PGP SIGNATURE-----