Information

AdvisoryXSA-29
Public release 2012-12-03 17:51
Updated 2012-12-03 17:51
Version 3
CVE(s) CVE-2012-5513
Title XENMEM_exchange may overwrite hypervisor memory

Files

advisory-29.txt (signed advisory file)
xsa29-4.1.patch
xsa29-4.2-unstable.patch

Advisory


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

	     Xen Security Advisory CVE-2012-5513 / XSA-29
                             version 3

           XENMEM_exchange may overwrite hypervisor memory

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

The handler for XENMEM_exchange accesses guest memory without range checking
the guest provided addresses, thus allowing these accesses to include the
hypervisor reserved range.

IMPACT
======

A malicious guest administrator can cause Xen to crash.  If the out of address
space bounds access does not lead to a crash, a carefully crafted privilege
escalation cannot be excluded, even though the guest doesn't itself control
the values written.

VULNERABLE SYSTEMS
==================

All Xen versions are vulnerable.

The vulnerability is only exposed to PV guests.

MITIGATION
==========

Running only HVM guests, or ensuring that PV guests only use trusted kernels,
will avoid this vulnerability.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa29-4.1.patch             Xen 4.1.x
xsa29-4.2-unstable.patch    Xen 4.2.x, xen-unstable


$ sha256sum xsa29*.patch
7246a5534bc1e6a47bb6a860f6eb61c8353ad8b46209310783e823b4f7e2eae8  xsa29-4.1.patch
54dcd3ac5c84903bfb04f8591107a74c27b079815f2c6843212e05f776873c73  xsa29-4.2-unstable.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJQvOJ3AAoJEIP+FMlX6CvZ7u8IAM01+jNn5fwdGmoo/LIdH885
nWr5aSc+qMqVuSvla0KKh1SOLFaVWFgovLN1Sfu2hAxLgrK3HxN86RqHU/vLo0k0
KTFM+9xQlxhJNQzyQSiDryH/qSrHTQI6ERxUEYgfjtTieK8y30SZqkd6jBmwoir/
nAMMP8oFmVevM2WfYEWjNNsWPaiUlUYP13qxiWGPcGzhcNNKRwcmrIY4N+F6kHID
Ipl4l5vhoeSaQ0fKkcJKHa+3QGd+706jHZ5VTCwPdWBCnBJLFuMWbc2UlyIg2EB9
N+3Olwf3jCF0zIzBJkomA+FAg+D7kw31DCjc+y1PdGIyuoMkk+JRwYFVkZcKLi4=
=pD8C
-----END PGP SIGNATURE-----


Xenproject.org Security Team