* insufficiencies in pv kernel image validation
From: MaoXiaoyun @ 2011-05-16 16:38 UTC (permalink / raw)
To: xen devel
Hi:
Documented in https://bugzilla.redhat.com/show_bug.cgi?id=696927.
[[[ It has been found that the xc_try_bzip2_decode() and xc_try_lzma_decode() decode
routines did not properly check for possible buffer size overflow in the
decoding loop. A specially crafted kernel image file could be created that would
trigger allocation of a small buffer, resulting in a buffer overflow with user
supplied data.
Additionally, several integer overflows and lack of error/range checking that
could result in the loader reading its own address space or could lead to an
infinite loop have been found.
A privileged DomU user could use these flaws to cause denial of service or,
possibly, execute arbitrary code in Dom0.
Only management domains with 32-bit userland are vulnerable.
]]]
In the last line above, what are "management domains"?
Does Xen 4.0/4.1 suffer from this bug?
And are any patches available?
Thanks.
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel
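The Red Hat text quoted above describes two flaw classes: a decode loop that copies attacker-supplied lengths into a fixed buffer without checking the space left, and bounds arithmetic that wraps on a 32-bit userland. The following is an added illustration of both, written for this page; it is not code from Xen, from the Red Hat report, or from any poster in this thread. The record format ([len: 4 bytes little-endian][payload]), the function names and the sample streams are all constructed for the example; real bzip2/LZMA decoders are far more involved, but the shape of the check is the same.

```c
/* Added example, not Xen's code. A toy record stream stands in for a
 * compressed kernel image: records of [len: 4 bytes little-endian][payload].
 * Sizes are uint32_t on purpose, to model the 32-bit userland the advisory
 * text singles out. Sample inputs below are constructed, not real images. */
#include <stdint.h>
#include <string.h>

enum { DECODE_OK = 0, DECODE_TRUNCATED = -1, DECODE_TOO_BIG = -2 };

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* "Before": the flaw class described in the bug text. `len` comes from
 * attacker-controlled data and is copied without comparing it with the
 * space left in `out`, so a crafted stream writes past the buffer.
 * Kept only for contrast; never call it on untrusted input. */
uint32_t decode_unchecked(const uint8_t *in, uint32_t inlen,
                          uint8_t *out, uint32_t outsize)
{
    uint32_t ip = 0, op = 0;
    (void)outsize;                      /* the bug: outsize is never consulted */
    while (ip + 4 <= inlen) {
        uint32_t len = rd32le(in + ip);
        ip += 4;
        memcpy(out + op, in + ip, len); /* unbounded write */
        ip += len;
        op += len;
    }
    return op;
}

/* "After": every length is validated against what remains of both the
 * input and the output. The comparisons subtract first; `op + len > outsize`
 * would wrap when `len` is close to UINT32_MAX and let the copy through. */
int decode_checked(const uint8_t *in, uint32_t inlen,
                   uint8_t *out, uint32_t outsize, uint32_t *written)
{
    uint32_t ip = 0, op = 0;
    while (ip < inlen) {
        if (inlen - ip < 4)
            return DECODE_TRUNCATED;    /* length field cut short */
        uint32_t len = rd32le(in + ip);
        ip += 4;
        if (len > inlen - ip)
            return DECODE_TRUNCATED;    /* payload longer than the remaining input */
        if (len > outsize - op)
            return DECODE_TOO_BIG;      /* would overflow the caller's buffer */
        memcpy(out + op, in + ip, len);
        ip += len;
        op += len;
    }
    *written = op;
    return DECODE_OK;
}

/* The integer-overflow variant in isolation: a bounds check written with
 * addition accepts a hostile length once the 32-bit sum wraps. */
int fits_naive(uint32_t op, uint32_t len, uint32_t outsize)
{
    return op + len <= outsize;         /* wraps: accepts len near UINT32_MAX */
}

int fits_safe(uint32_t op, uint32_t len, uint32_t outsize)
{
    return op <= outsize && len <= outsize - op;
}

/* Constructed sample streams (not taken from any real image). */
static const uint8_t BENIGN[]    = { 3,0,0,0, 'a','b','c', 2,0,0,0, 'd','e' };
static const uint8_t CRAFTED[]   = { 8,0,0,0, 'A','A','A','A','A','A','A','A' };
static const uint8_t TRUNCATED[] = { 9,0,0,0, 'x' };   /* claims 9, carries 1 */

/* Returns 1 when the benign stream decodes to "abcde" and both loops agree. */
int check_benign(void)
{
    uint8_t out[16], out2[16];
    uint32_t n = 0;
    int rc = decode_checked(BENIGN, sizeof BENIGN, out, sizeof out, &n);
    uint32_t m = decode_unchecked(BENIGN, sizeof BENIGN, out2, sizeof out2);
    return rc == DECODE_OK && n == 5 && m == 5 && memcmp(out, "abcde", 5) == 0;
}

/* Eight-byte payload aimed at a four-byte buffer: the checked loop refuses. */
int check_crafted(void)
{
    uint8_t out[4];
    uint32_t n = 0;
    return decode_checked(CRAFTED, sizeof CRAFTED, out, sizeof out, &n);
}

/* Length field larger than the data that follows it. */
int check_truncated(void)
{
    uint8_t out[16];
    uint32_t n = 0;
    return decode_checked(TRUNCATED, sizeof TRUNCATED, out, sizeof out, &n);
}
```

The checked loop also rejects a stream whose final length field is cut short, which is the kind of input that can otherwise send a decoder reading past the end of its own buffer or spinning forever, the other two symptoms the report lists.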
* Re: insufficiencies in pv kernel image validation
From: Keith Coleman @ 2011-05-16 17:05 UTC (permalink / raw)
To: MaoXiaoyun; +Cc: xen devel
2011/5/16 MaoXiaoyun <tinnycloud@hotmail.com>:
> Hi:
>
> Documented in https://bugzilla.redhat.com/show_bug.cgi?id=696927.
>
> [[[ It has been found that the xc_try_bzip2_decode() and xc_try_lzma_decode()
> decode
> routines did not properly check for possible buffer size overflow in the
> decoding loop. A specially crafted kernel image file could be created that
> would
> trigger allocation of a small buffer, resulting in a buffer overflow with user
> supplied data.
>
> Additionally, several integer overflows and lack of error/range checking
> that
> could result in the loader reading its own address space or could lead to an
> infinite loop have been found.
>
> A privileged DomU user could use these flaws to cause denial of service or,
> possibly, execute arbitrary code in Dom0.
>
> Only management domains with 32-bit userland are vulnerable.
> ]]]
>
> In the last line above, what are "management domains"?
> Does Xen 4.0/4.1 suffer from this bug?
> And are any patches available?
>
Patches were committed to all maintained branches, including xen-3.4,
last Monday.
--
Keith Coleman
* Re: insufficiencies in pv kernel image validation
From: Ian Jackson @ 2011-05-20 14:00 UTC (permalink / raw)
To: MaoXiaoyun; +Cc: xen devel
MaoXiaoyun writes ("[Xen-devel] insufficiencies in pv kernel image validation"):
> Documented in https://bugzilla.redhat.com/show_bug.cgi?id=696927.
This is the subject of one of our recent advisories, here:
http://lists.xensource.com/archives/html/xen-devel/2011-05/msg00483.html
Ian.