Bug #1557

[v2.6] Multiple vulnerabilities in Xen 4.1/4.2 allow remote denial of service

Added by Leonardo Arena over 6 years ago. Updated about 6 years ago.

Status:
Closed
Priority:
High
Assignee:
-
Category:
Security
Target version:
Start date:
01/17/2013
Due date:
% Done:

0%

Estimated time:
Affected versions:
Security IDs:

Description

I'm reporting here several Xen SAs. They are just too many to be reported one by one, and I'm not sure if they have been fixed yet or not. I could not find any reference to CVEs or XSA numbers in the commit messages.

Thanks!

CVE-2012-4535 (XSA 20): Timer overflow DoS vulnerability

A guest which sets a VCPU with an inappropriate deadline can cause an
infinite loop in Xen, blocking the affected physical CPU indefinitely.

CVE-2012-4537 (XSA 22): Memory mapping failure DoS vulnerability

When set_p2m_entry fails, Xen's internal data structures (the p2m and m2p
tables) can get out of sync. This failure can be triggered by unusual guest
behaviour exhausting the memory reserved for the p2m table. If it happens,
subsequent guest-invoked memory operations can cause Xen to fail an assertion
and crash.

CVE-2012-4538 (XSA 23): Unhooking empty PAE entries DoS vulnerability

The HVMOP_pagetable_dying hypercall does not correctly check the
caller's pagetable state, leading to a hypervisor crash.

CVE-2012-4539 (XSA 24): Grant table hypercall infinite loop DoS vulnerability

Due to inappropriate duplicate use of the same loop control variable,
passing bad arguments to GNTTABOP_get_status_frames can cause an
infinite loop in the compat hypercall handler.

CVE-2012-5510 (XSA 26): Grant table version switch list corruption vulnerability

Downgrading the grant table version of a guest involves freeing its status
pages. This freeing was incomplete - the page(s) are freed back to the
allocator, but not removed from the domain's tracking list. This would cause
list corruption, eventually leading to a hypervisor crash.

CVE-2012-5513 (XSA 29): XENMEM_exchange may overwrite hypervisor memory

The handler for XENMEM_exchange accesses guest memory without range checking
the guest provided addresses, thus allowing these accesses to include the
hypervisor reserved range.
.
A malicious guest administrator can cause Xen to crash. If the out of address
space bounds access does not lead to a crash, a carefully crafted privilege
escalation cannot be excluded, even though the guest doesn't itself control
the values written.
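The XSA-29 entry above says the XENMEM_exchange handler accessed guest memory without range-checking the guest-supplied addresses. As an added example (not code from this ticket, from Alpine or from Xen), the C below models the check a hypercall handler needs before touching a guest-supplied array: the whole byte range is validated, not just its start, and both the multiplication and the addition are guarded against wraparound. It is the same class of input-validation failure as the XSA-31 (extent order) and XSA-32 (input GFN) items in the 4.2.1 fix list. The reserved-range constants follow the x86-64 PV hypervisor reservation but are an assumption of the example, as are the function names and the constructed inputs; the "naive" check is an illustrative first attempt a reviewer might see, not what Xen shipped.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Hypothetical model (example code, not Xen's) of validating a
 * guest-supplied array of `nr` elements of `size` bytes at `addr`
 * before the hypervisor reads or writes it. The reserved window is an
 * assumption of the example (chosen to match the x86-64 PV layout).
 */
#define HV_RESERVED_START 0xFFFF800000000000ULL
#define HV_RESERVED_END   0xFFFF880000000000ULL   /* exclusive */

/* Illustrative first attempt: tests start and end, but lets nr*size and
 * addr+bytes wrap in unsigned arithmetic, so a huge `nr` whose product
 * wraps to a small value passes and the handler walks into the
 * hypervisor's reserved range. */
bool naive_range_ok(uint64_t addr, uint64_t nr, uint64_t size)
{
    return addr < HV_RESERVED_START &&
           addr + nr * size <= HV_RESERVED_START;   /* may wrap */
}

/* Hardened check: [addr, addr + nr*size) must be computable without
 * overflow and must not overlap [HV_RESERVED_START, HV_RESERVED_END). */
bool guest_range_ok(uint64_t addr, uint64_t nr, uint64_t size)
{
    uint64_t bytes, end;

    if (nr == 0)
        return true;                 /* empty range touches nothing */
    if (size == 0 || nr > UINT64_MAX / size)
        return false;                /* nr * size would overflow */
    bytes = nr * size;
    if (bytes > UINT64_MAX - addr)
        return false;                /* addr + bytes would wrap */
    end = addr + bytes;              /* exclusive end, cannot wrap now */

    /* Any overlap with the reserved window is rejected; ranges entirely
     * below or entirely above it are fine. */
    if (addr < HV_RESERVED_END && end > HV_RESERVED_START)
        return false;
    return true;
}

int main(void)
{
    /* Constructed guest inputs for the demonstration (not real traffic). */
    struct { uint64_t addr, nr, size; const char *what; } cases[] = {
        { 0x1000ULL,               4,                      8, "ordinary low range" },
        { HV_RESERVED_START - 16,  4,                      8, "runs into reserved range" },
        { 0x1000ULL,               0x2000000000000000ULL,  8, "nr*size wraps to 0" },
        { 0xFFFFFFFFFFFFFFF0ULL,   2,                      8, "addr+bytes wraps past top" },
        { HV_RESERVED_END,         1,                      8, "just above reserved range" },
    };

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-28s naive=%d hardened=%d\n", cases[i].what,
               naive_range_ok(cases[i].addr, cases[i].nr, cases[i].size),
               guest_range_ok(cases[i].addr, cases[i].nr, cases[i].size));
    return 0;
}
```

The third case is the one to study: the naive check accepts it because 0x2000000000000000 * 8 wraps to zero, while the hardened check rejects it before any multiplication happens. The last case shows the hardened check is not merely stricter: a range that lies entirely above the reserved window is accepted, whereas the naive start-address test would refuse it.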

History

#1 Updated by Natanael Copa over 6 years ago

  • Status changed from New to Closed

fixed with:
commit 119185999980a6a6a78506a6b49e1a70ab55ad03
Author: Roger Pau Monne <>
Date: Tue Dec 18 10:51:49 2012 +0100

xen: update to 4.2.1

Excerpt from release notes:
This fixes the following critical vulnerabilities:
     * CVE-2012-4535 / XSA-20: Timer overflow DoS vulnerability
     * CVE-2012-4537 / XSA-22: Memory mapping failure DoS vulnerability
     * CVE-2012-4538 / XSA-23: Unhooking empty PAE entries DoS vulnerability
     * CVE-2012-4539 / XSA-24: Grant table hypercall infinite loop DoS vulnerability
     * CVE-2012-4544,CVE-2012-2625 / XSA-25: Xen domain builder Out-of-memory due to malicious kernel/ramdisk
     * CVE-2012-5510 / XSA-26: Grant table version switch list corruption vulnerability
     * CVE-2012-5511 / XSA-27: several HVM operations do not validate the range of their inputs
     * CVE-2012-5513 / XSA-29: XENMEM_exchange may overwrite hypervisor memory
     * CVE-2012-5514 / XSA-30: Broken error handling in guest_physmap_mark_populate_on_demand()
     * CVE-2012-5515 / XSA-31: Several memory hypercall operations allow invalid extent order values
     * CVE-2012-5525 / XSA-32: several hypercalls do not validate input GFNs
We recommend all users of the 4.2.0 code base to update to this
point release.
Among many bug fixes and improvements (around 100 since Xen 4.2.0):
     * A fix for a long standing time management issue
     * Bug fixes for S3 (suspend to RAM) handling
     * Bug fixes for other low level system state handling
     * Bug fixes and improvements to the libxl tool stack
     * Bug fixes to nested virtualization

#2 Updated by Natanael Copa over 6 years ago

  • Project changed from Alpine Security to Alpine Linux

#3 Updated by Natanael Copa about 6 years ago

  • Category set to Security
