Xen.org security team | 18 Apr 17:16 2013

Xen Security Advisory 50 (CVE-2013-1964) - grant table hypercall acquire/release imbalance


	     Xen Security Advisory CVE-2013-1964 / XSA-50

            grant table hypercall acquire/release imbalance

ISSUE DESCRIPTION
=================

When releasing a non-v1 non-transitive grant after doing a grant copy
operation, Xen incorrectly recurses (as if for a transitive grant) and
releases an unrelated grant reference.

IMPACT
======

A malicious guest administrator can cause undefined behaviour;
depending on the dom0 kernel a host crash is possible, but information
leakage or privilege escalation cannot be ruled out.

VULNERABLE SYSTEMS
==================

Xen 4.0 and 4.1 are vulnerable.  Any kind of guest can trigger the
vulnerability.

Xen 4.2 and xen-unstable, as well as Xen 3.x and earlier, are not
vulnerable.

MITIGATION
==========

Using only trustworthy guest kernels will avoid the vulnerability.

Using a debug build of Xen will eliminate the possible information
leak or privilege violation; instead, if the vulnerability is
attacked, Xen will crash.

NOTE REGARDING EMBARGO
======================

A crash resulting from this bug has been reported by a user on the
public xen-devel mailing list.  There is therefore no embargo.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa50-4.1.patch

$ sha256sum xsa50-*.patch
29f76073311a372dd30dd4788447850465d2575d5ff7b2c10912a69e4941fb21  xsa50-4.1.patch
$
Attachment (xsa50-4.1.patch): application/octet-stream, 8 KiB

Gmane