[kernel-xen] Xen Security Advisory 85 - Off-by-one error in FLASK_AVC_CACHESTAT hypercall

Steven Haigh netwiz at crc.id.au
Fri Feb 7 00:36:34 EST 2014


                     Xen Security Advisory XSA-85
                              version 2

          Off-by-one error in FLASK_AVC_CACHESTAT hypercall

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

The FLASK_AVC_CACHESTAT hypercall, which provides access to per-cpu
statistics on the Flask security policy, incorrectly validates the
CPU for which statistics are being requested.

IMPACT
======

An attacker can cause the hypervisor to read past the end of an
array. This may result in either a host crash, leading to a denial of
service, or access to a small and static region of hypervisor memory,
leading to an information leak.

VULNERABLE SYSTEMS
==================

Xen version 4.2 and later are vulnerable to this issue when built with
XSM/Flask support. XSM support is disabled by default and is enabled
by building with XSM_ENABLE=y.

Only systems with the maximum supported number of physical CPUs are
vulnerable. Systems with a greater number of physical CPUs will only
make use of the maximum supported number and are therefore vulnerable.

By default the following maximums apply:
 * x86_32: 128 (only until Xen 4.2.x)
 * x86_64: 256
These defaults can be overridden at build time via max_phys_cpus=N.

The vulnerable hypercall is exposed to all domains.

MITIGATION
==========

Rebuilding Xen with more supported physical CPUs can avoid the
vulnerability; provided that the supported number is strictly greater
than the actual number of CPUs on any host on which the hypervisor is
to run.

If XSM is compiled in, but not actually in use, compiling it out (with
XSM_ENABLE=n) will avoid the vulnerability.

CREDITS
=======

This issue was discovered by Matthew Daley.

RESOLUTION
==========

Fixed in xen-4.2.3-13

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.wireless.org.au/pipermail/kernel-xen/attachments/20140207/3102b0fd/attachment.sig>


More information about the kernel-xen mailing list