Subject: insufficiencies in pv kernel image validation
From: MaoXiaoyun
Date: 2011-05-16 16:38 UTC
To: xen devel

Hi:

Documented in https://bugzilla.redhat.com/show_bug.cgi?id=696927.

[[[
It has been found that xc_try_bzip2_decode() and xc_try_lzma_decode() decode routines did not properly check for possible buffer size overflow in the decoding loop. A specially crafted kernel image file could be created that would trigger allocation of a small buffer, resulting in buffer overflow with user-supplied data.

Additionally, several integer overflows and lack of error/range checking that could result in the loader reading its own address space or could lead to an infinite loop have been found.

A privileged DomU user could use these flaws to cause denial of service or, possibly, execute arbitrary code in Dom0.

Only management domains with 32-bit userland are vulnerable.
]]]

The last line of the above: what is "management domains"?
Does Xen 4.0/4.1 suffer from this bug?
And are any patches available?

Thanks.
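The defect class the Bugzilla text describes, an output buffer sized by unchecked arithmetic inside a decoding loop, shown in hardened form as an added C example that is not Xen's code and does not reproduce xc_try_bzip2_decode() or xc_try_lzma_decode(): every write is preceded by an overflow-checked capacity computation bounded by a caller-supplied maximum, truncated input is rejected instead of being read past, and the loop always advances. The run-length (count, byte) stream format, the ensure_capacity/rle_decode_checked/decode_matches names and the 64-byte initial allocation are constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Grow *buf to at least `need` bytes, never beyond max_out. Checked arithmetic
 * stops a crafted stream wrapping the size and getting a too-small buffer. */
static int ensure_capacity(unsigned char **buf, size_t *cap, size_t need, size_t max_out)
{
    if (need <= *cap) return 0;
    if (need > max_out) return -1;                       /* refuse oversized output */
    size_t ncap = *cap ? *cap : (max_out < 64 ? max_out : 64);
    while (ncap < need)                                  /* doubling is capped at max_out, so it cannot wrap */
        ncap = (ncap > max_out / 2) ? max_out : ncap * 2;
    unsigned char *n = realloc(*buf, ncap);
    if (!n) return -1;
    *buf = n; *cap = ncap;
    return 0;
}

/* Stand-in for a compressed kernel stream (constructed format, not bzip2/lzma):
 * (count, byte) run-length pairs. 0 + malloc'd buffer on success, -1 on bad input. */
int rle_decode_checked(const unsigned char *in, size_t inlen, size_t max_out,
                       unsigned char **out, size_t *outlen)
{
    unsigned char *buf = NULL; size_t cap = 0, used = 0;
    if (inlen % 2 != 0) return -1;                 /* truncated pair: never read past the input */
    for (size_t i = 0; i < inlen; i += 2) {        /* i always advances: no zero-progress loop */
        size_t run = in[i];
        if (run > SIZE_MAX - used) goto fail;      /* used + run would wrap */
        if (ensure_capacity(&buf, &cap, used + run, max_out) != 0) goto fail;
        if (run) memset(buf + used, in[i + 1], run);   /* write only after the bound is proven */
        used += run;
    }
    *out = buf; *outlen = used;
    return 0;
fail:
    free(buf);
    return -1;
}

/* Decode and compare against an expected string; returns 1 on match, 0 otherwise. */
int decode_matches(const unsigned char *in, size_t inlen, size_t max_out, const char *expect)
{
    unsigned char *out = NULL; size_t n = 0;
    if (rle_decode_checked(in, inlen, max_out, &out, &n) != 0) return 0;
    int ok = n == strlen(expect) && (n == 0 || memcmp(out, expect, n) == 0);
    free(out);
    return ok;
}
```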
Subject: Re: insufficiencies in pv kernel image validation
From: Keith Coleman
Date: 2011-05-16 17:05 UTC
To: MaoXiaoyun; +Cc: xen devel

2011/5/16 MaoXiaoyun <tinnycloud@hotmail.com>:
> Hi:
>
> Documented in https://bugzilla.redhat.com/show_bug.cgi?id=696927.
>
> [[[ It has been found that xc_try_bzip2_decode() and xc_try_lzma_decode()
> decode routines did not properly check for possible buffer size overflow in the
> decoding loop. Specially crafted kernel image file could be created that
> would trigger allocation of a small buffer resulting in buffer overflow with user
> supplied data.
>
> Additionally, several integer overflows and lack of error/range checking
> that could result in the loader reading its own address space or could lead to an
> infinite loop have been found.
>
> A privileged DomU user could use these flaws to cause denial of service or,
> possibly, execute arbitrary code in Dom0.
>
> Only management domains with 32-bit userland are vulnerable.
> ]]]
>
> The last line of above, what is "management domains"?
> Does Xen 4.0/4.1 suffer this bug?
> And any patches available?

Patches were committed to all maintained branches, including xen-3.4, last Monday.

--
Keith Coleman
Subject: Re: insufficiencies in pv kernel image validation
From: Ian Jackson
Date: 2011-05-20 14:00 UTC
To: MaoXiaoyun; +Cc: xen devel

MaoXiaoyun writes ("[Xen-devel] insufficiencies in pv kernel image validation"):
> Documented in https://bugzilla.redhat.com/show_bug.cgi?id=696927.

This is the subject of one of our recent advisories, here:
http://lists.xensource.com/archives/html/xen-devel/2011-05/msg00483.html

Ian.