Information

AdvisoryXSA-26
Public release 2012-12-03 17:51
Updated 2012-12-03 17:51
Version 3
CVE(s) CVE-2012-5510
Title Grant table version switch list corruption vulnerability

Files

advisory-26.txt (signed advisory file)
xsa26-4.1.patch
xsa26-4.2.patch
xsa26-unstable.patch

Advisory


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

	     Xen Security Advisory CVE-2012-5510 / XSA-26
                             version 3

       Grant table version switch list corruption vulnerability

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

Downgrading the grant table version of a guest involves freeing its
status pages. This freeing was incomplete - the page(s) are freed back
to the allocator, but not removed from the domain's tracking
list. This would cause list corruption, eventually leading to a
hypervisor crash.

IMPACT
======

A malicious guest administrator can cause Xen to crash, leading to a
denial of service attack.

VULNERABLE SYSTEMS
==================

All Xen version from 4.0 on are vulnerable.

Version 3.4 and earlier are not vulnerable.

MITIGATION
==========

Running only guests with trusted kernels will avoid this vulnerability.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa26-4.1.patch             Xen 4.1.x
xsa26-4.2.patch             Xen 4.2.x
xsa26-unstable.patch        xen-unstable


$ sha256sum xsa26*.patch
b4674ddaf9a9786d5e7e5e4f248f6095e118184df581036e0531b5db5e1d645b  xsa26-4.1.patch
a6e2ed7bae3e62d4294fdb48e8a5418b1de8e0e690f4fea4bb430d2b7cf758e6  xsa26-4.2.patch
ac2d5a82f0dba0f4213607a0e3bb9be586d90173bbadc4b402c2f19fbe4b2cf3  xsa26-unstable.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJQvOJ1AAoJEIP+FMlX6CvZBHIH/jI42gGLsThzGlgkFg2aqE74
EUKIPZE4DLQNl6oTQ/fp0dfJgsQ8XHldovl4EphWK+oO0osloE2HjAY5mesOraui
IIQHRkbosbDshDcSqFDndl+xjAEk1ohlGMMpSdUImIHdFF8ZJneXdK11cqxMtCKR
27ych3lDViqy0OqxFGRZpsBE0hHqU7aiL8Orr+tI4sANnd/qVfZcdqizoTRuAJX3
KOmaq+8VwoRSeppAvVgcnGkDLyCd5udRLNEenjrFo1YkC01bVIdbD59/ZwEIC6eZ
iR7bvppV1nuq9WnbCkx+FVkNc9AuGwUZMOdePH2PwLYqIZGMBi9uqUD3Y0HHMoo=
=OtT0
-----END PGP SIGNATURE-----


Xenproject.org Security Team