[kernel-xen] Xen Security Advisory 86 - libvchan failure handling malicious ring indexes

Steven Haigh netwiz at crc.id.au
Fri Feb 7 00:37:10 EST 2014


                     Xen Security Advisory XSA-86
                              version 2

           libvchan failure handling malicious ring indexes

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

libvchan (a library for inter-domain communication) does not correctly
handle unusual or malicious contents in the xenstore ring.  A
malicious guest can exploit this to cause a libvchan-using facility to
read or write past the end of the ring.

IMPACT
======

libvchan-using facilities are vulnerable to denial of service and
perhaps privilege escalation.

There are no such services provided in the upstream Xen Project
codebase.

VULNERABLE SYSTEMS
==================

All versions of libvchan are vulnerable.  Only installations which use
libvchan for communication involving untrusted domains are vulnerable.

libvirt, xapi, xend, libxl and xl do not use libvchan.  If your
installation contains other Xen-related software components it is
possible that they use libvchan and might be vulnerable.

Xen versions 4.1 and earlier do not contain libvchan.

MITIGATION
==========

Disabling libvchan-based facilities could be used to mitigate the
vulnerability.

CREDITS
=======

This issue was discovered by Marek Marczykowski-Górecki of Invisible
Things Lab.

RESOLUTION
==========

Fixed in xen-4.2.3-13
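
The bug class described under ISSUE DESCRIPTION, shown as an added example that is not part of the advisory and is not libvchan's code: a ring reader that treats the peer-written producer index as untrusted input. The struct layout, RING_SIZE and the function name ring_read are assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>

#define RING_SIZE 1024u   /* power of two; value constructed for this example */

/* Hypothetical layout: this page of memory is shared with, and writable by,
 * the peer domain, so every field in it is attacker-controlled input. */
struct shared_ring {
    volatile uint32_t prod;   /* free-running index, written by the peer */
    volatile uint32_t cons;   /* free-running index, published by the reader */
    uint8_t data[RING_SIZE];
};

/* Copy up to len bytes into out. The reader keeps its consumer index in
 * private memory (*priv_cons) and only publishes it to the shared page.
 * Returns the number of bytes copied, or -1 if the peer's index is invalid. */
int ring_read(struct shared_ring *r, uint32_t *priv_cons,
              uint8_t *out, uint32_t len)
{
    uint32_t prod = r->prod;            /* snapshot once; never re-read */
    uint32_t ready = prod - *priv_cons; /* unsigned wrap-around is intended */

    /* A well-behaved peer can never have more than RING_SIZE bytes pending.
     * Without this check a hostile prod makes the copies below run past
     * the end of data[]. It also rejects prod "behind" the consumer. */
    if (ready > RING_SIZE)
        return -1;
    if (len > ready)
        len = ready;

    uint32_t off = *priv_cons & (RING_SIZE - 1); /* offset always in range */
    uint32_t first = RING_SIZE - off;            /* bytes before the wrap */
    if (first > len)
        first = len;
    memcpy(out, r->data + off, first);
    memcpy(out + first, r->data, len - first);   /* remainder after the wrap */

    *priv_cons += len;
    r->cons = *priv_cons;               /* publish progress to the peer */
    return (int)len;
}
```

A -1 return means the peer has violated the ring protocol; the caller should tear the channel down rather than retry.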
