Information
| Advisory | XSA-4 |
| Public release | 2011-09-02 09:18 |
| Updated | 2011-09-02 09:18 |
| Version | 1 |
| CVE(s) | CVE-2011-2901 |
| Title | Xen <= 3.3 DoS due to incorrect virtual address validation |
Files
advisory-4.txt (signed advisory file)
Advisory
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Xen Security Advisory CVE-2011-2901 / XSA-4
Xen <= 3.3 DoS due to incorrect virtual address validation
ISSUE DESCRIPTION
=================
The x86_64 __addr_ok() macro intends to ensure that the checked
address is either in the positive half of the 48-bit virtual address
space, or above the Xen-reserved area. However, the current shift
count is off-by-one, allowing full access to the "negative half" too,
via certain hypercalls which ignore virtual-address bits [63:48].
Vulnerable hypercalls exist only in very old versions of the
hypervisor.
VULNERABLE SYSTEMS
==================
All systems running a Xen 3.3 or earlier hypervisor with 64-bit PV
guests with untrusted administrators are vulnerable.
IMPACT
======
A malicious guest administrator on a vulnerable system is able to
crash the host.
There are no known further exploits but these have not been ruled out.
RESOLUTION
==========
The attached patch resolves the issue.
Alternatively, users may choose to upgrade to a more recent hypervisor.
PATCHES
=======
The following patch resolves this issue.
Filename: fix-__addr_ok-limit.patch
SHA1: f18bde8d276110451c608a16f577865aa1226b4f
SHA256: 2da5aac72e1ac4849c34d38374ae456795905fd9512eef94b48fc31383c21636
This patch should apply cleanly, and fix the problem, for all affected
versions of Xen.
It is harmless when applied to later hypervisors and will be included
in the Xen unstable branch in due course.
VERSION HISTORY
===============
Analysis following version 1 of this advisory (sent out to the
predisclosure list during the embargo period) indicates that the
actual DoS vulnerability only exists in very old hypervisors, Xen 3.3
and earlier, contrary to previous reports.
This advisory is no longer embargoed.
Xenproject.org Security Team
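
The off-by-one described under ISSUE DESCRIPTION, modelled as an added example (not part of the advisory, the attached patch, or the Xen source). The function names and the reserved-area bounds `NEG_HALF_START` and `RESERVED_END` are assumptions chosen for illustration; the check is written from the advisory's wording, with the flawed bound one bit larger than the intended one.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed for illustration: bounds of the Xen-reserved area. */
#define NEG_HALF_START 0xffff800000000000ULL
#define RESERVED_END   0xffff880000000000ULL

/* Model of the off-by-one check: the bound 1<<48 also admits bit 47. */
static int addr_ok_flawed(uint64_t a)
{
    return a < (1ULL << 48) || a >= RESERVED_END;
}

/* Model of the intended check: the positive half ends at 1<<47. */
static int addr_ok_fixed(uint64_t a)
{
    return a < (1ULL << 47) || a >= RESERVED_END;
}

/* Address seen by a consumer that ignores bits [63:48]:
 * bit 47 is sign-extended into the upper 16 bits. */
static uint64_t effective_addr(uint64_t a)
{
    uint64_t low = a & ((1ULL << 48) - 1);
    return (low & (1ULL << 47)) ? (low | 0xffff000000000000ULL) : low;
}

/* 1 if the effective address falls inside the reserved area. */
static int lands_in_reserved(uint64_t a)
{
    uint64_t e = effective_addr(a);
    return e >= NEG_HALF_START && e < RESERVED_END;
}

int main(void)
{
    /* Constructed sample addresses. */
    const uint64_t s[] = {
        0x00007fffffffffffULL, /* top of the positive half */
        0x0000800000000000ULL, /* non-canonical, bit 47 set */
        0xffff800000000000ULL, /* reserved area, canonical form */
        0xffff880000000000ULL, /* just above the reserved area */
    };
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++)
        printf("%#018llx flawed=%d fixed=%d reserved=%d\n",
               (unsigned long long)s[i], addr_ok_flawed(s[i]),
               addr_ok_fixed(s[i]), lands_in_reserved(s[i]));
    return 0;
}
```

The second sample is the case the advisory describes: it passes the flawed check as if it were in the positive half, yet resolves into the reserved area once bits [63:48] are ignored.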