Information
Advisory | XSA-107
Public release | 2014-09-09 12:30
Updated | 2014-09-11 10:07
Version | 2
CVE(s) | CVE-2014-6268
Title | Mishandling of uninitialised FIFO-based event channel control blocks
Files
advisory-107.txt (signed advisory file)
xsa107-4.4.patch
xsa107-unstable.patch
Advisory
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Xen Security Advisory CVE-2014-6268 / XSA-107
version 2
Mishandling of uninitialised FIFO-based event channel control blocks
UPDATES IN VERSION 2
====================
CVE assigned.
ISSUE DESCRIPTION
=================
When using the FIFO-based event channels, there are no checks for the
existence of a control block when binding an event or moving it to a
different VCPU. This is because events may be bound when the ABI is
in 2-level mode (e.g., by the toolstack before the domain is started).
The guest may trigger a Xen crash in evtchn_fifo_set_pending() if:
a) the event is bound to a VCPU without a control block; or
b) VCPU 0 does not have a control block.
In case (a), Xen will crash when looking up the current queue. In
(b), Xen will crash when looking up the old queue (which defaults to a
queue on VCPU 0).
IMPACT
======
A buggy or malicious guest can crash the host.
VULNERABLE SYSTEMS
==================
Xen 4.4 and onward are vulnerable.
MITIGATION
==========
None.
CREDITS
=======
This issue was originally reported by Vitaly Kuznetsov at Red Hat and
diagnosed as a security issue by David Vrabel at Citrix.
NOTE REGARDING LACK OF EMBARGO
==============================
This bug was publicly reported on xen-devel, before it was appreciated
that there was a security problem.
RESOLUTION
==========
Applying the appropriate attached patch resolves this issue.
xsa107-unstable.patch        xen-unstable
xsa107-4.4.patch             Xen 4.4.x
$ sha256sum xsa107*.patch
b92ba8085b6684abbc8b012ae1a580b9e7ed7c8e67071a9e70381d4c1009638b xsa107-4.4.patch
cd954a5bd742c751f8db884a3f31bd636a8c5850acddf5f1160dd6be1f706a09 xsa107-unstable.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----
Xenproject.org Security Team
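
The two crash conditions from the issue description, modelled in C as an added example (this is not Xen source and not the attached patch). All struct and function names are hypothetical, and dropping the event when a control block is missing is this example's own choice.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model, NOT Xen source: every type and function name is hypothetical. */
#define NR_VCPUS 2

struct control_block { unsigned int head; };   /* per-VCPU block supplied by the guest */
struct vcpu  { struct control_block *cb; };    /* NULL until the guest sets it up */
struct event { unsigned int notify_vcpu;       /* VCPU the event is bound to */
               unsigned int last_vcpu;         /* old queue's VCPU, defaults to 0 */
               bool pending; };

enum outcome { DELIVERED, DROPPED_NO_CURRENT_CB, DROPPED_NO_OLD_CB };

/* Checked delivery: validate both queue lookups before touching either block. */
enum outcome set_pending_checked(struct vcpu *vcpus, struct event *ev)
{
    struct vcpu *cur = &vcpus[ev->notify_vcpu];
    struct vcpu *old = &vcpus[ev->last_vcpu];

    if (cur->cb == NULL)   /* case (a): bound VCPU has no control block */
        return DROPPED_NO_CURRENT_CB;
    if (old->cb == NULL)   /* case (b): old queue's VCPU (0 by default) has none */
        return DROPPED_NO_OLD_CB;

    old->cb->head = 0;     /* stand-in for unlinking from the old queue */
    cur->cb->head = 1;     /* stand-in for linking onto the current queue */
    ev->last_vcpu = ev->notify_vcpu;
    ev->pending = true;
    return DELIVERED;
}

/* Constructed scenario: event bound to VCPU 1 while the ABI was still 2-level. */
enum outcome scenario(bool vcpu0_has_cb, bool vcpu1_has_cb)
{
    static struct control_block blocks[NR_VCPUS];
    struct vcpu vcpus[NR_VCPUS] = { { vcpu0_has_cb ? &blocks[0] : NULL },
                                    { vcpu1_has_cb ? &blocks[1] : NULL } };
    struct event ev = { .notify_vcpu = 1, .last_vcpu = 0, .pending = false };
    return set_pending_checked(vcpus, &ev);
}

int main(void)
{
    printf("%d %d %d\n", scenario(true, false), scenario(false, true), scenario(true, true));
    return 0;
}
```

The second scenario is the one a single check on the bound VCPU would miss: VCPU 1 has its control block, but the old-queue lookup still lands on VCPU 0.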