From: Xen.org security team
Subject: Xen Security Advisory 22 (CVE-2012-4537) - Memory mapping failure DoS vulnerability
Date: Tue, 13 Nov 2012 12:56:13 +0000
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com
Cc: "Xen.org security team"
List-Id: xen-devel@lists.xenproject.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2012-4537 / XSA-22
                              version 4

              Memory mapping failure DoS vulnerability

UPDATES IN VERSION 4
====================

Public release.

ISSUE DESCRIPTION
=================

When set_p2m_entry fails, Xen's internal data structures (the p2m and
m2p tables) can get out of sync: the m2p (machine-to-physical) table is
still updated even though the matching p2m (physical-to-machine) update
did not take effect. The failure can be triggered by unusual guest
behaviour that exhausts the memory reserved for the p2m table. Once the
two tables disagree, subsequent guest-invoked memory operations can make
Xen fail an internal assertion and crash.

IMPACT
======

A malicious guest administrator might be able to cause Xen to crash,
which takes down the host and every guest running on it (denial of
service).

VULNERABLE SYSTEMS
==================

All versions of Xen since at least 3.4 are vulnerable.

The vulnerability is only exposed to HVM guests.

MITIGATION
==========

There is no mitigation available other than running only HVM guests
with a trusted guest kernel.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.
  xsa22-4.2-unstable.patch    Xen 4.2.x, xen-unstable
  xsa22-4.1.patch             Xen 4.1.x
  xsa22-4.0.patch             Xen 4.0.x
  xsa22-3.4.patch             Xen 3.4.x

$ sha256sum xsa22*.patch
fe21558f098340451a275c468a7b2209915676f4f41ec394970c6aa0df3d93d3  xsa22-3.4.patch
b7e635ae07f31ac8ecb8732152ba66897ea6d0f5e30468e35d7c37379c7369bb  xsa22-4.0.patch
e699e7af6b90e60531d98f04197141c4caf5eb4cdb312a43e736830eb17d32e1  xsa22-4.1.patch
8dbf850b903179807257febe12a15cb131968e65d2e90dbd3a5f72b83d2f931a  xsa22-4.2-unstable.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJQokGpAAoJEIP+FMlX6CvZUsEIAIL7FtUpAgYTG73BXIpIoJ1h
L85yaAhizzuwWAHMwLBD/oMs+OPzIXsCp4rBHI8XPQ0rf3YeHSj8uI+ta17Th1Gb
KuFFlDPujh5EiE0yel8u21hgsJ7rUpA04jPeYDbVbHPVC6bywf7pkChCEPos/Ze9
gAlRVptdBXH2nGmSyMFDfoby60lDXa7ZP0KoJUyuUG69zDMzlANLiEvk/+mN4YKB
W4uiaYlCeDfrCn4T8Pk9rTMdDWmCsbQpZQRqwwNXdUa/EX0Ccv/QdcppPHoylYeK
DQ9GPZOtDsm4s1M/J1oPVXZI7X/vLuBwje4/hhisFFiO4kLffcKCSopSizgLlO0=
=82B5
-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa22-3.4.patch"
Content-Disposition: attachment; filename="xsa22-3.4.patch"

x86/physmap: Prevent incorrect updates of m2p mappings

In certain conditions, such as low memory, set_p2m_entry() can fail.
Currently, the p2m and m2p tables will get out of sync because we still
update the m2p table after the p2m update has failed.

If that happens, subsequent guest-invoked memory operations can cause
BUG()s and ASSERT()s to kill Xen.

This is fixed by only updating the m2p table iff the p2m was
successfully updated.

This is a security problem, XSA-22 / CVE-2012-4537.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
[ Add backport of 20516:c4e620a2e65c to correct error return from set_p2m_entry ]

diff -r 14709d196e43 xen/arch/x86/mm/p2m.c
--- a/xen/arch/x86/mm/p2m.c	Wed Jun 30 18:26:13 2010 +0100
+++ b/xen/arch/x86/mm/p2m.c	Fri Oct 26 11:27:44 2012 +0100
@@ -1500,14 +1500,15 @@ int set_p2m_entry(struct domain *d, unsi
 {
     unsigned long todo = 1ul << page_order;
     unsigned int order;
-    int rc = 0;
+    int rc = 1;
 
     while ( todo )
     {
         order = ((((gfn | mfn_x(mfn) | todo) & (SUPERPAGE_PAGES - 1)) == 0) &&
                  hvm_hap_has_2mb(d)) ? 9 : 0;
 
-        rc = d->arch.p2m->set_entry(d, gfn, mfn, order, p2mt);
+        if ( !d->arch.p2m->set_entry(d, gfn, mfn, order, p2mt) )
+            rc = 0;
         gfn += 1ul << order;
         if ( mfn_x(mfn) != INVALID_MFN )
             mfn = _mfn(mfn_x(mfn) + (1ul << order));
@@ -2054,7 +2055,10 @@ guest_physmap_add_entry(struct domain *d
     if ( mfn_valid(_mfn(mfn)) ) 
     {
         if ( !set_p2m_entry(d, gfn, _mfn(mfn), page_order, t) )
+        {
             rc = -EINVAL;
+            goto out; /* Failed to update p2m, bail without updating m2p. */
+        }
         for ( i = 0; i < (1UL << page_order); i++ )
             set_gpfn_from_mfn(mfn+i, gfn+i);
     }
@@ -2072,6 +2076,7 @@ guest_physmap_add_entry(struct domain *d
         }
     }
 
+out:
    audit_p2m(d);
    p2m_unlock(d->arch.p2m);
 

--=separator
Content-Type: application/octet-stream; name="xsa22-4.0.patch"
Content-Disposition: attachment; filename="xsa22-4.0.patch"

x86/physmap: Prevent incorrect updates of m2p mappings

In certain conditions, such as low memory, set_p2m_entry() can fail.
Currently, the p2m and m2p tables will get out of sync because we still
update the m2p table after the p2m update has failed.

If that happens, subsequent guest-invoked memory operations can cause
BUG()s and ASSERT()s to kill Xen.

This is fixed by only updating the m2p table iff the p2m was
successfully updated.

This is a security problem, XSA-22 / CVE-2012-4537.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>

diff -r b44c72f18f9f xen/arch/x86/mm/p2m.c
--- a/xen/arch/x86/mm/p2m.c
+++ b/xen/arch/x86/mm/p2m.c
@@ -2207,7 +2207,10 @@ guest_physmap_add_entry(struct domain *d
     if ( mfn_valid(_mfn(mfn)) ) 
     {
         if ( !set_p2m_entry(d, gfn, _mfn(mfn), page_order, t) )
+        {
             rc = -EINVAL;
+            goto out; /* Failed to update p2m, bail without updating m2p. */
+        }
         if ( !p2m_is_grant(t) )
         {
             for ( i = 0; i < (1UL << page_order); i++ )
@@ -2228,6 +2231,7 @@ guest_physmap_add_entry(struct domain *d
         }
     }
 
+out:
    audit_p2m(d);
    p2m_unlock(d->arch.p2m);
 

--=separator
Content-Type: application/octet-stream; name="xsa22-4.1.patch"
Content-Disposition: attachment; filename="xsa22-4.1.patch"

x86/physmap: Prevent incorrect updates of m2p mappings

In certain conditions, such as low memory, set_p2m_entry() can fail.
Currently, the p2m and m2p tables will get out of sync because we still
update the m2p table after the p2m update has failed.

If that happens, subsequent guest-invoked memory operations can cause
BUG()s and ASSERT()s to kill Xen.

This is fixed by only updating the m2p table iff the p2m was
successfully updated.

This is a security problem, XSA-22 / CVE-2012-4537.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>

diff -r 3a27f4e44b6a xen/arch/x86/mm/p2m.c
--- a/xen/arch/x86/mm/p2m.c
+++ b/xen/arch/x86/mm/p2m.c
@@ -2558,7 +2558,10 @@ guest_physmap_add_entry(struct p2m_domai
     if ( mfn_valid(_mfn(mfn)) ) 
     {
         if ( !set_p2m_entry(p2m, gfn, _mfn(mfn), page_order, t, p2m->default_access) )
+        {
             rc = -EINVAL;
+            goto out; /* Failed to update p2m, bail without updating m2p. */
+        }
         if ( !p2m_is_grant(t) )
         {
             for ( i = 0; i < (1UL << page_order); i++ )
@@ -2579,6 +2582,7 @@ guest_physmap_add_entry(struct p2m_domai
         }
     }
 
+out:
    audit_p2m(p2m, 1);
    p2m_unlock(p2m);
 

--=separator
Content-Type: application/octet-stream; name="xsa22-4.2-unstable.patch"
Content-Disposition: attachment; filename="xsa22-4.2-unstable.patch"

x86/physmap: Prevent incorrect updates of m2p mappings

In certain conditions, such as low memory, set_p2m_entry() can fail.
Currently, the p2m and m2p tables will get out of sync because we still
update the m2p table after the p2m update has failed.

If that happens, subsequent guest-invoked memory operations can cause
BUG()s and ASSERT()s to kill Xen.

This is fixed by only updating the m2p table iff the p2m was
successfully updated.

This is a security problem, XSA-22 / CVE-2012-4537.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>

diff -r f53b9f915c3d xen/arch/x86/mm/p2m.c
--- a/xen/arch/x86/mm/p2m.c
+++ b/xen/arch/x86/mm/p2m.c
@@ -633,7 +633,10 @@ guest_physmap_add_entry(struct domain *d
     if ( mfn_valid(_mfn(mfn)) ) 
     {
         if ( !set_p2m_entry(p2m, gfn, _mfn(mfn), page_order, t, p2m->default_access) )
+        {
             rc = -EINVAL;
+            goto out; /* Failed to update p2m, bail without updating m2p. */
+        }
         if ( !p2m_is_grant(t) )
         {
             for ( i = 0; i < (1UL << page_order); i++ )
@@ -656,6 +659,7 @@ guest_physmap_add_entry(struct domain *d
         }
     }
 
+out:
    p2m_unlock(p2m);

    return rc;

--=separator

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
--=separator--
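Review bot: in the `set_p2m_entry()` hunk of xsa22-3.4.patch, `rc = 0` latches the failure but the loop is not left, so `set_entry()` keeps being called for the remaining sub-ranges; combined with the caller's new `goto out`, which skips `set_gpfn_from_mfn()` for the whole range, every sub-range whose `set_entry()` did succeed ends up with a p2m entry and no m2p entry, and nothing rolls those entries back. A `break;` after `rc = 0;` would stop the loop from widening that skew, and the partial-update behaviour deserves a comment either way. The hunk is still the right fix for the return value: before it `rc` was overwritten on every iteration, so a failure followed by a later success was reported as success, which is the "correct error return" the bracketed line in the commit message refers to.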
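Review bot: in the `guest_physmap_add_entry()` hunk of all four patches the new early exit reuses the pre-existing `rc = -EINVAL;`, but the failure that motivates the patch is the p2m allocator running out of memory (the commit message's "low memory"), not a bad argument from the caller; returning -ENOMEM on that path would let callers, and the hypercall paths that propagate rc, tell resource exhaustion from invalid input. Not something to change inside the security fix itself, but worth a follow-up. The jump target is placed ahead of `p2m_unlock()` in every version, so the p2m lock is still released on this path.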
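Review bot: in the `out:` hunk of all four patches the context lines after `+out:` (`    audit_p2m(d);`, `    p2m_unlock(p2m);`, `    return rc;`) carry four leading spaces in total, whereas the leading context `     }` carries the diff marker plus the code's four-space indent, and in the 4.2 hunk the blank line between `p2m_unlock(p2m);` and `return rc;` is empty rather than a single space. Stripped of the marker those lines do not match a four-space-indented source, so plain `patch` may reject this hunk; `patch -l` (ignore whitespace) applies it, and regenerating the hunk from the tree instead of editing the diff by hand would avoid the problem.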
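The failure mode described under ISSUE DESCRIPTION and the ordering the patches enforce, modelled in C as an added example (this is not Xen code and not part of the advisory): a domain's p2m and the m2p must agree, `set_p2m_entry()` can fail once the memory for p2m entries is exhausted, and `physmap_add_vulnerable()` writes the m2p anyway while `physmap_add_fixed()` bails out first. The table sizes, the `p2m_pages_left` budget used as fault injection, and the `physmap_add_*` / `exhaust_p2m_*` names are assumptions made for the model; `set_p2m_entry()`, `set_gpfn_from_mfn()` and `audit_p2m()` here are stand-ins for Xen's functions of the same names, with `audit_p2m()` returning a verdict where Xen would BUG()/ASSERT().

```c
/* Added model of the XSA-22 invariant, not Xen code. Two tables must agree:
 * p2m[gfn] = mfn (per domain) and m2p[mfn] = gfn (global). set_p2m_entry()
 * fails once the p2m budget is exhausted; the bug was writing the m2p anyway.
 * Sizes, the p2m_pages_left budget and the physmap_add_* names are assumed. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define NR_GFNS        16u
#define NR_MFNS        16u
#define INVALID_FRAME  0xFFFFFFFFu

struct domain_mm {
    unsigned int p2m[NR_GFNS];     /* p2m[gfn] = mfn */
    unsigned int m2p[NR_MFNS];     /* m2p[mfn] = gfn */
    unsigned int p2m_pages_left;   /* assumed fault injection: entries the p2m can still take */
};

static void mm_init(struct domain_mm *mm, unsigned int p2m_budget)
{
    for (size_t i = 0; i < NR_GFNS; i++)
        mm->p2m[i] = INVALID_FRAME;
    for (size_t i = 0; i < NR_MFNS; i++)
        mm->m2p[i] = INVALID_FRAME;
    mm->p2m_pages_left = p2m_budget;
}

/* Xen convention: non-zero on success, 0 on failure. */
static int set_p2m_entry(struct domain_mm *mm, unsigned int gfn, unsigned int mfn)
{
    if (gfn >= NR_GFNS || mm->p2m_pages_left == 0)
        return 0;                  /* "low memory": no room for the entry */
    mm->p2m_pages_left--;
    mm->p2m[gfn] = mfn;
    return 1;
}

static void set_gpfn_from_mfn(struct domain_mm *mm, unsigned int mfn, unsigned int gfn)
{
    if (mfn < NR_MFNS)
        mm->m2p[mfn] = gfn;
}

/* Stand-in for audit_p2m(): every m2p entry must be mirrored by the p2m. */
static bool audit_p2m(const struct domain_mm *mm)
{
    for (unsigned int mfn = 0; mfn < NR_MFNS; mfn++) {
        unsigned int gfn = mm->m2p[mfn];
        if (gfn == INVALID_FRAME)
            continue;
        if (gfn >= NR_GFNS || mm->p2m[gfn] != mfn)
            return false;          /* Xen would BUG()/ASSERT() here */
    }
    return true;
}

/* Pre-XSA-22 ordering: rc records the failure, the m2p write happens anyway. */
static int physmap_add_vulnerable(struct domain_mm *mm, unsigned int gfn, unsigned int mfn)
{
    int rc = 0;
    if (!set_p2m_entry(mm, gfn, mfn))
        rc = -EINVAL;
    set_gpfn_from_mfn(mm, mfn, gfn);   /* desync: m2p names a gfn the p2m never got */
    return rc;
}

/* Fixed ordering: bail before the m2p is touched. */
static int physmap_add_fixed(struct domain_mm *mm, unsigned int gfn, unsigned int mfn)
{
    int rc = 0;
    if (!set_p2m_entry(mm, gfn, mfn)) {
        rc = -EINVAL;
        goto out;                      /* failed to update p2m, bail without updating m2p */
    }
    set_gpfn_from_mfn(mm, mfn, gfn);
out:
    return rc;
}

/* Budget of two p2m entries, three mappings: the third fails inside
 * set_p2m_entry(). Returns the audit verdict; *rc_out (if non-NULL) gets
 * the failing call's rc. */
static bool exhaust_p2m_and_audit(bool fixed, int *rc_out)
{
    struct domain_mm mm;
    int (*add)(struct domain_mm *, unsigned int, unsigned int) =
        fixed ? physmap_add_fixed : physmap_add_vulnerable;
    int rc;

    mm_init(&mm, 2);
    add(&mm, 1, 5);
    add(&mm, 2, 6);
    rc = add(&mm, 3, 7);               /* budget exhausted: p2m[3] stays invalid */
    if (rc_out)
        *rc_out = rc;
    return audit_p2m(&mm);
}

static int exhaust_p2m_rc(bool fixed)
{
    int rc = 0;
    (void)exhaust_p2m_and_audit(fixed, &rc);
    return rc;
}

int main(void)
{
    int rc;
    bool ok = exhaust_p2m_and_audit(false, &rc);
    printf("vulnerable ordering: rc=%d audit=%s\n", rc, ok ? "ok" : "FAILED (m2p[7]=3, p2m[3] invalid)");
    ok = exhaust_p2m_and_audit(true, &rc);
    printf("fixed ordering:      rc=%d audit=%s\n", rc, ok ? "ok" : "FAILED");
    return 0;
}
```

Both orderings report -EINVAL to the caller; the difference is only visible to the consistency check, which is why a guest that can make `set_p2m_entry()` fail could leave the hypervisor with state that a later memory operation trips over. The fix is the transactional rule the patches implement: do not commit the second data structure until the first update is known to have succeeded.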