From: Keith Coleman
Subject: Re: insufficiencies in pv kernel image validation
Date: Mon, 16 May 2011 13:05:18 -0400
To: MaoXiaoyun
Cc: xen devel
List-Id: xen-devel@lists.xenproject.org

2011/5/16 MaoXiaoyun:
> Hi:
>
> Documented in https://bugzilla.redhat.com/show_bug.cgi?id=696927.
>
> [[[ It has been found that xc_try_bzip2_decode() and xc_try_lzma_decode()
> decode routines did not properly check for possible buffer size overflow in
> the decoding loop. A specially crafted kernel image file could be created
> that would trigger allocation of a small buffer, resulting in buffer
> overflow with user-supplied data.
>
> Additionally, several integer overflows and lack of error/range checking
> that could result in the loader reading its own address space or could lead
> to an infinite loop have been found.
>
> A privileged DomU user could use these flaws to cause denial of service or,
> possibly, execute arbitrary code in Dom0.
>
> Only management domains with 32-bit userland are vulnerable.
> ]]]
>
> The last line of the above: what is "management domains"?
> Does Xen 4.0/4.1 suffer from this bug?
> And are any patches available?
>

Patches were committed to all maintained branches, including xen-3.4, last Monday.

--
Keith Coleman
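The bug class quoted above (a decode loop that sizes its output from a header in the image and then writes past it, plus unchecked integer arithmetic and zero-progress loops) is generic to any decompressor the toolstack runs on a guest-supplied kernel. The following is an added illustration written for this page, not Xen's xc_try_bzip2_decode()/xc_try_lzma_decode() code and not part of the thread: it uses a constructed toy run-length container (4-byte little-endian declared size, then (count, byte) pairs) as a stand-in for bzip2/LZMA output handling, and a hypothetical policy cap OUT_MAX. The points it demonstrates are the ones the Red Hat text names: the header value is treated as untrusted, every size addition is checked for wraparound, the write bound is enforced independently of the header, and a run that makes no progress is rejected rather than looped on.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy format standing in for a compressed kernel image:
 * 4-byte little-endian declared output size, then (count, byte) run pairs.
 * Added illustration of the bug class in the mail, not Xen's code. */

#define OUT_MAX ((size_t)64 * 1024)  /* hypothetical policy cap on decoded bytes */

struct outbuf {
    unsigned char *data;
    size_t len;  /* bytes written so far */
    size_t cap;  /* bytes allocated */
};

/* Make room for `need` more bytes. Each arithmetic step is checked so a
 * hostile stream can neither wrap len+need nor grow the buffer past OUT_MAX. */
static int outbuf_reserve(struct outbuf *ob, size_t need)
{
    if (need > SIZE_MAX - ob->len)
        return -1;                        /* len + need would wrap */
    size_t want = ob->len + need;
    if (want > OUT_MAX)
        return -1;                        /* bound applied regardless of header */
    if (want <= ob->cap)
        return 0;
    size_t newcap = ob->cap ? ob->cap : 64;
    while (newcap < want)
        newcap *= 2;                      /* cannot overflow: want <= OUT_MAX */
    if (newcap > OUT_MAX)
        newcap = OUT_MAX;
    unsigned char *p = realloc(ob->data, newcap);
    if (p == NULL)
        return -1;
    ob->data = p;
    ob->cap = newcap;
    return 0;
}

/* Decode `in` into a freshly allocated buffer stored in *out. Returns the
 * decoded length, or -1 for malformed/oversized input (then *out is NULL). */
long rle_decode(const unsigned char *in, size_t inlen, unsigned char **out)
{
    struct outbuf ob = { NULL, 0, 0 };
    *out = NULL;
    if (inlen < 4 || (inlen - 4) % 2 != 0)
        return -1;
    uint32_t declared = (uint32_t)in[0] | (uint32_t)in[1] << 8 |
                        (uint32_t)in[2] << 16 | (uint32_t)in[3] << 24;
    /* The header is attacker-controlled: it may refuse a stream early but
     * never decides how much the loop below is allowed to write. */
    if (declared > OUT_MAX)
        return -1;
    for (size_t i = 4; i < inlen; i += 2) {
        size_t count = in[i];
        unsigned char value = in[i + 1];
        if (count == 0 || outbuf_reserve(&ob, count) != 0) {
            free(ob.data);                /* zero-progress run or bound hit */
            return -1;
        }
        memset(ob.data + ob.len, value, count);
        ob.len += count;                  /* safe: reserve() checked this sum */
    }
    if (ob.len != declared) {             /* header disagrees with payload */
        free(ob.data);
        return -1;
    }
    *out = ob.data;
    return (long)ob.len;
}

/* Self-checks on constructed streams; each returns 1 on the expected outcome. */
int check_valid_stream(void)
{   /* declared 6, runs 3x'a' and 3x'b' */
    static const unsigned char s[] = { 6, 0, 0, 0, 3, 'a', 3, 'b' };
    unsigned char *out;
    long n = rle_decode(s, sizeof s, &out);
    int ok = (n == 6 && memcmp(out, "aaabbb", 6) == 0);
    free(out);
    return ok;
}
int check_header_mismatch(void)
{   /* declared 5, but the payload expands to 6 bytes */
    static const unsigned char s[] = { 5, 0, 0, 0, 3, 'a', 3, 'b' };
    unsigned char *out;
    return rle_decode(s, sizeof s, &out) == -1 && out == NULL;
}
int check_declared_too_large(void)
{   /* declared 70000 (0x11170) exceeds OUT_MAX: rejected before any allocation */
    static const unsigned char s[] = { 0x70, 0x11, 0x01, 0x00, 1, 'x' };
    unsigned char *out;
    return rle_decode(s, sizeof s, &out) == -1 && out == NULL;
}
int check_runs_exceed_bound(void)
{   /* header claims exactly OUT_MAX (65536) but 258 runs of 255 bytes = 65790 */
    unsigned char s[4 + 258 * 2] = { 0x00, 0x00, 0x01, 0x00 };
    for (size_t i = 4; i < sizeof s; i += 2) { s[i] = 255; s[i + 1] = 'z'; }
    unsigned char *out;
    return rle_decode(s, sizeof s, &out) == -1 && out == NULL;
}

int main(void)
{
    printf("valid=%d mismatch=%d too_large=%d bound=%d\n", check_valid_stream(),
           check_header_mismatch(), check_declared_too_large(), check_runs_exceed_bound());
    return 0;
}
```

The last check is the one that matters for the flaw described in the mail: the header passes the up-front sanity test, so a decoder that allocated `declared` bytes and then trusted the loop would write 254 bytes past the end; here the per-write reservation refuses the run instead.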