Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1USqZL-0005h1-D2@xenbits.xen.org>
Date: Thu, 18 Apr 2013 15:16:15 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org,
 xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security@....org>
Subject: Xen Security Advisory 50 (CVE-2013-1964) - grant table hypercall
 acquire/release imbalance

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

	     Xen Security Advisory CVE-2013-1964 / XSA-50

            grant table hypercall acquire/release imbalance

ISSUE DESCRIPTION
=================

When releasing a non-v1 non-transitive grant after doing a grant copy
operation, Xen incorrectly recurses (as if for a transitive grant) and
releases an unrelated grant reference.

IMPACT
======

A malicious guest administrator can cause undefined behaviour;
depending on the dom0 kernel a host crash is possible, but information
leakage or privilege escalation cannot be ruled out.

VULNERABLE SYSTEMS
==================

Xen 4.0 and 4.1 are vulnerable.  Any kind of guest can trigger the
vulnerability.

Xen 4.2 and xen-unstable, as well as Xen 3.x and earlier, are not
vulnerable.

MITIGATION
==========

Using only trustworthy guest kernels will avoid the vulnerability.

Using a debug build of Xen will eliminate the possible information
leak or privilege violation; instead, if the vulnerability is
attacked, Xen will crash.

NOTE REGARDING EMBARGO
======================

A crash resulting from this bug has been reported by a user on the
public xen-devel mailing list.  There is therefore no embargo.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa50-4.1.patch

$ sha256sum xsa50-*.patch
29f76073311a372dd30dd4788447850465d2575d5ff7b2c10912a69e4941fb21  xsa50-4.1.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJRcA4pAAoJEIP+FMlX6CvZHhsIAK2RYhWr4CQ2ziTh3o1cbkXe
HfDcWHjLTe1+zoULCKbptUHcoH6/oPxwZBklAfNSECFT47a4FKZu/ARCP1IBtot2
o6cuTTlYgLMMpSfVW//aDJQ59YivhcwN5omLEp4G8N/YHw0IA1W58/IpNKXVbNNy
pmMEqus/QUH8EzGaxLfwIfSrJR96x96QKOlG94lohY5P5aipx/5vXzUPyRFXLbOZ
jr8Ve+woNuYAeBx3zue7TNfhePVuDUl8b7ufhsuYdwkODzEXCNLcJM93Z3eaKfPp
CVDBE38GUO9hr5CpBh5QgGeCCeMhxwI8jXTXUb6N8KFrwgbq04HP7BOmVI4O8Xs=
=jiz6
-----END PGP SIGNATURE-----

Download attachment "xsa50-4.1.patch" of type "application/octet-stream" (6789 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.