Information

Advisory XSA-32
Public release 2012-12-03 17:51
Updated 2012-12-03 17:51
Version 4
CVE(s) CVE-2012-5525
Title several hypercalls do not validate input GFNs

Files

advisory-32.txt (signed advisory file)
xsa32-4.2.patch
xsa32-unstable.patch

Advisory


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

	     Xen Security Advisory CVE-2012-5525 / XSA-32
			      version 4

	     several hypercalls do not validate input GFNs

UPDATES IN VERSION 4
====================

Public release.

ISSUE DESCRIPTION
=================

The function get_page_from_gfn does not validate its input GFN. An
invalid GFN passed to a hypercall which uses this function will cause
the hypervisor to read off the end of the frame table and potentially
crash.

IMPACT
======

A malicious guest administrator of a PV guest can cause Xen to crash.
If the out of bounds access does not lead to a crash, a carefully
crafted privilege escalation cannot be excluded, even though the guest
doesn't itself control the values written.

VULNERABLE SYSTEMS
==================

Only Xen 4.2 and Xen unstable are vulnerable. Xen 4.1 and earlier are
not vulnerable.

The vulnerability is exposed only to PV guests.

MITIGATION
==========

Running only trusted PV guest kernels will avoid this vulnerability.

Running only HVM guests will avoid this vulnerability.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa32-4.2.patch             Xen 4.2.x, xen-unstable
xsa32-unstable.patch        xen-unstable


$ sha256sum xsa32*.patch
ad25c9298b543ef7af40e9f09cae232d36efc1932804678355ab724a19e3afd9  xsa32-4.2.patch
734cff82a93f032165ef26633acb30a499cc063141c2b16fccb294703718fcb0  xsa32-unstable.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

-----END PGP SIGNATURE-----


Xenproject.org Security Team
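
The missing check described under ISSUE DESCRIPTION, shown as an added example that is not taken from the advisory, its patches, or Xen source. It is a simplified C model: frame_table, MAX_FRAMES, take_ref, lookup_unchecked and lookup_checked are hypothetical names, and the table contents are constructed.

```c
#include <stddef.h>

/* Simplified model, not Xen source: every name here is hypothetical. */
#define MAX_FRAMES 8UL              /* constructed size of the model frame table */

struct page_info {
    unsigned int owner;             /* id of the domain owning the frame */
    unsigned int refcount;          /* references currently held */
};

/* Constructed sample frame table: frames 2 and 3 belong to domain 1. */
static struct page_info frame_table[MAX_FRAMES] = {
    [2] = { .owner = 1 }, [3] = { .owner = 1 },
};

/* Take a reference only if the frame belongs to the calling domain. */
static int take_ref(struct page_info *pg, unsigned int domid)
{
    if (pg->owner != domid)
        return 0;
    pg->refcount++;                 /* a write into the frame-table entry */
    return 1;
}

/* Pattern the advisory describes: the guest-supplied GFN indexes the
 * frame table directly, so any GFN >= MAX_FRAMES makes take_ref() read
 * (and possibly write) memory past the end of the table. */
struct page_info *lookup_unchecked(unsigned int domid, unsigned long gfn)
{
    struct page_info *pg = &frame_table[gfn];   /* no range check */
    return take_ref(pg, domid) ? pg : NULL;
}

/* Hardened form: validate the GFN before any table entry is touched,
 * and fail the lookup so the caller can return an error to the guest. */
struct page_info *lookup_checked(unsigned int domid, unsigned long gfn)
{
    if (gfn >= MAX_FRAMES)
        return NULL;                            /* invalid GFN */
    struct page_info *pg = &frame_table[gfn];
    return take_ref(pg, domid) ? pg : NULL;
}
```

The refcount increment in the model shows why an out-of-range index is more than a stray read: the lookup path also modifies the entry it finds, even though the caller does not choose the value written.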