Information

Advisory: XSA-28
Public release: 2012-12-03 17:51
Updated: 2012-12-03 17:51
Version: 3
CVE(s): CVE-2012-5512
Title: HVMOP_get_mem_access crash / HVMOP_set_mem_access information leak

Files

advisory-28.txt (signed advisory file)
xsa28-4.1.patch

Advisory


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

	     Xen Security Advisory CVE-2012-5512 / XSA-28
                             version 3

  HVMOP_get_mem_access crash / HVMOP_set_mem_access information leak

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

The HVMOP_set_mem_access operation handler uses an input as an array index
before range checking it.

IMPACT
======

A malicious guest administrator can cause Xen to crash.  If the out of array
bounds access does not crash, the arbitrary value read will be used if the
caller reads back the default access through the HVMOP_get_mem_access
operation, thus causing an information leak. The caller cannot, however,
directly control the address from which to read, since the value read in the
first step will be used as an array index again in the second step.

VULNERABLE SYSTEMS
==================

Only Xen version 4.1 is vulnerable.

The vulnerability is only exposed to HVM guests.

MITIGATION
==========

Running only PV guests, or ensuring that the controlling domain of HVM
guests (e.g. dom0 or stubdom) only uses trusted code, will avoid this
vulnerability.

RESOLUTION
==========

The attached patch resolves this issue.


$ sha256sum xsa28*.patch
6282314c4ea0d76ac55473e5fc7d863e045c9f566899eb93c60e5d22f38e8319  xsa28-4.1.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

-----END PGP SIGNATURE-----

Xenproject.org Security Team
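
The index-before-check pattern from the issue description and the two-step set/read-back from the impact section, as an added example: this is a simplified model, not Xen source and not the attached patch. All names, tables and the validation in the read-back step are hypothetical.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Hypothetical model of the pattern; names and tables are not Xen's. */
enum { ACC_N, ACC_R, ACC_W, ACC_RW, ACC_COUNT };  /* internal access types */
static const uint8_t req_to_acc[] = { ACC_N, ACC_R, ACC_W, ACC_RW };
static const uint8_t acc_to_req[ACC_COUNT] = { 0, 1, 2, 3 };

struct dom { uint8_t default_access; };

/* Flawed ordering: req indexes the table before it is range checked, so an
 * out-of-range req stores whatever byte lies beyond req_to_acc. */
int set_access_unchecked(struct dom *d, uint64_t req)
{
    d->default_access = req_to_acc[req];      /* index used first */
    if (req >= ARRAY_SIZE(req_to_acc))        /* check arrives too late */
        return -EINVAL;
    return 0;
}

/* Corrected ordering: reject the request before any table access. */
int set_access_checked(struct dom *d, uint64_t req)
{
    if (req >= ARRAY_SIZE(req_to_acc))
        return -EINVAL;
    d->default_access = req_to_acc[req];
    return 0;
}

/* Read-back: the stored value is itself an index. Checking it here is an
 * added defence-in-depth assumption, not something the advisory describes. */
int get_access(const struct dom *d, uint8_t *req_out)
{
    if (d->default_access >= ARRAY_SIZE(acc_to_req))
        return -EINVAL;
    *req_out = acc_to_req[d->default_access];
    return 0;
}

int main(void)
{
    struct dom d = { ACC_N };
    uint8_t out = 0xff;
    /* Out-of-range request is refused; the default stays valid and readable. */
    int rc = set_access_checked(&d, 9);
    return (rc == -EINVAL && get_access(&d, &out) == 0 && out == 0) ? 0 : 1;
}
```

In the unchecked variant the error return does not undo the store, which is why the value remains available to a later read-back.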