[kernel-xen] Fwd: Xen Security Advisory 25 (CVE-2012-4544) - Xen domain builder Out-of-memory due to malicious kernel/ramdisk

Steven Haigh netwiz at crc.id.au
Sat Oct 27 04:14:52 EST 2012


Just pushed Xen 4.2.0-4 to the repos to address this.


Steven Haigh

Email: netwiz at crc.id.au
Web: http://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897
Fax: (03) 8338 0299


-------- Original Message --------
Subject: Xen Security Advisory 25 (CVE-2012-4544) - Xen domain builder Out-of-memory due to malicious kernel/ramdisk
Date: Fri, 26 Oct 2012 11:01:47 +0000
From: Xen.org security team <security at xen.org>
To: xen-announce at lists.xen.org, xen-devel at lists.xen.org, xen-users at lists.xen.org, oss-security at lists.openwall.com
CC: Xen.org security team <security at xen.org>


	     Xen Security Advisory CVE-2012-4544 / XSA-25

    Xen domain builder Out-of-memory due to malicious kernel/ramdisk

ISSUE DESCRIPTION
=================

The Xen PV domain builder contained no validation of the size of the
supplied kernel or ramdisk either before or after decompression. This
could cause the toolstack to consume all available RAM in the domain
running the domain builder.

IMPACT
======

A malicious guest administrator who can supply a kernel or ramdisk can
exhaust memory in domain 0 leading to a denial of service attack.

VULNERABLE SYSTEMS
==================

All versions of Xen are vulnerable.

MITIGATION
==========

Running only trusted kernels and ramdisks will avoid this
vulnerability.

Using pvgrub also avoids this vulnerability since the builder will run
in guest context. (nb: use of pygrub *is* vulnerable).

Running only HVM guests will avoid this vulnerability.

RELATED ISSUE
=============

CVE-2012-2625 covers a bug in pygrub which caused that process to
consume an excessive amount of memory under similar circumstances to
the above.

This was fixed in xen-unstable (and the fix inherited by Xen 4.2.x) in
revision 25589:60f09d1ab1fe but not called out as a security problem.
This fix is also included, where relevant, in the patches below.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue, including
the related pygrub fix where necessary.

xsa25-unstable.patch        Xen unstable
xsa25-4.2.patch             Xen 4.2.x
xsa25-4.1.patch             Xen 4.1.x

$ sha256sum xsa25*.patch
613e4b82cdc9cabf9cbd52076118887b298c47e680c2066a28a77f12e9f90606  xsa25-4.1.patch
135bc089d003f9b97991764c37b1ab8d37e9cbcfa1b9bd7429b4503abe00c8f5  xsa25-4.2.patch
534495b7eef6e599f5814f0a67fc84fbe2e8eee9d223a09ad178ff63bdcda3dd  xsa25-unstable.patch

Note that these patches impose a new size limit of 1Gby on both the
compressed and uncompressed sizes of ramdisks.  On some systems it may
be desirable to relax these limits and risk virtual address or memory
exhaustion in the toolstack.  This can be achieved by setting
XC_DOM_DECOMPRESS_MAX to the desired limit (in bytes). This can be
done by building with "APPEND_CFLAGS=-DXC_DOM_DECOMPRESS_MAX=<limit>"
or by editing tools/libxc/xc_dom.h directly.

NOTE REGARDING LACK OF EMBARGO
==============================

These issues have already been discussed in public in various places,
including https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2625
and http://bugs.debian.org/688125.  This advisory is therefore not
subject to an embargo.
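
The two size checks the advisory describes (compressed and decompressed), sketched in Python as an added example; this is not code from the XSA-25 patches or from libxc. The names `bounded_gunzip`, `ImageTooLarge` and `DECOMPRESS_MAX` are hypothetical, gzip framing is assumed, and the default of 1 GiB stands in for the advisory's 1Gby limit.

```python
import gzip
import io
import zlib

# Stand-in for the limit the advisory calls XC_DOM_DECOMPRESS_MAX (bytes).
# The Python names here are hypothetical; this is not the libxc patch.
DECOMPRESS_MAX = 1 << 30
CHUNK = 64 * 1024


class ImageTooLarge(Exception):
    """Raised when a kernel/ramdisk exceeds the configured limit."""


def bounded_gunzip(stream, limit=DECOMPRESS_MAX):
    """Gunzip `stream`, refusing to accept or produce more than `limit` bytes."""
    d = zlib.decompressobj(zlib.MAX_WBITS | 16)  # +16 selects gzip framing
    out = bytearray()
    consumed = 0
    while True:
        chunk = stream.read(CHUNK)
        if not chunk:
            break
        consumed += len(chunk)
        if consumed > limit:  # check on the compressed size
            raise ImageTooLarge("compressed image exceeds limit")
        data = chunk
        while data:
            # max_length caps each call, so at most limit + 1 bytes are buffered.
            out += d.decompress(data, limit + 1 - len(out))
            if len(out) > limit:  # check on the decompressed size
                raise ImageTooLarge("decompressed image exceeds limit")
            data = d.unconsumed_tail
    if not d.eof:
        raise ValueError("truncated gzip stream")
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample: 4 MiB of zeros gzips to a few KiB, so a check on
    # the compressed size alone would let it through.
    blob = gzip.compress(b"\0" * (4 << 20))
    try:
        bounded_gunzip(io.BytesIO(blob), limit=1 << 20)
    except ImageTooLarge as exc:
        print(len(blob), "compressed bytes rejected:", exc)
```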



