SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Application (Generic)  >   Xen Vendors:   XenSource
Xen Memory Mapping Bug Lets Local Guest Administrative Users Deny Service
SecurityTracker Alert ID:  1027761
SecurityTracker URL:  http://securitytracker.com/id/1027761
CVE Reference:   CVE-2012-4537   (Links to External Site)
Date:  Nov 14 2012
Impact:   Denial of service via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 3.4.x, 4.0.x, 4.1.x, 4.2.x
Description:   A vulnerability was reported in Xen. A local administrative user on the guest operating system can cause denial of service conditions on the target host operating system.

A local user with administrative privileges on the guest operating system can exhaust memory reserved for the p2m table and cause Xen to crash.

Only systems running HVM guests are affected.

Impact:   A local administrative user on the guest operating system can cause Xen to crash.
Solution:   The vendor has issued a fix (xsa22-3.4.patch, xsa22-4.0.patch, xsa22-4.1.patch, xsa22-4.2-unstable.patch).
Vendor URL:  xen.org/ (Links to External Site)
Cause:   Resource error
Underlying OS:   Linux (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Nov 14 2012 (Citrix Issues Fix for XenServer) Xen Memory Mapping Bug Lets Local Guest Administrative Users Deny Service
Citrix has issued a fix for Citrix XenServer.



 Source Message Contents

Date:  Tue, 13 Nov 2012 12:56:13 +0000
Subject:  [oss-security] Xen Security Advisory 22 (CVE-2012-4537) - Memory mapping failure DoS vulnerability

--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 Xen Security Advisory CVE-2012-4537 / XSA-22
			      version 4

                  Memory mapping failure DoS vulnerability

UPDATES IN VERSION 4
====================

Public release.

ISSUE DESCRIPTION
=================

When set_p2m_entry fails, Xen's internal data structures (the p2m and
m2p tables) can get out of sync.  This failure can be triggered by
unusual guest behaviour exhausting the memory reserved for the p2m
table.  If it happens, subsequent guest-invoked memory operations can
cause Xen to fail an assertion and crash.

IMPACT
======

A malicious guest administrator might be able to cause Xen to crash.

VULNERABLE SYSTEMS
==================

All versions of Xen since at least 3.4 are vulnerable.

The vulnerability is only exposed to HVM guests.

MITIGATION
==========

There is no mitigation available other than to use a trusted guest
kernel.

RESOLUTION
==========

The attached patch resolves this issue.

Applying the appropriate attached patch resolves this issue.

xsa22-4.2-unstable.patch    Xen 4.2.x, xen-unstable
xsa22-4.1.patch             Xen 4.1.x
xsa22-4.0.patch             Xen 4.0.x
xsa22-3.4.patch             Xen 3.4.x

$ sha256sum xsa22*.patch
fe21558f098340451a275c468a7b2209915676f4f41ec394970c6aa0df3d93d3  xsa22-3.4.patch
b7e635ae07f31ac8ecb8732152ba66897ea6d0f5e30468e35d7c37379c7369bb  xsa22-4.0.patch
e699e7af6b90e60531d98f04197141c4caf5eb4cdb312a43e736830eb17d32e1  xsa22-4.1.patch
8dbf850b903179807257febe12a15cb131968e65d2e90dbd3a5f72b83d2f931a  xsa22-4.2-unstable.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJQokGpAAoJEIP+FMlX6CvZUsEIAIL7FtUpAgYTG73BXIpIoJ1h
L85yaAhizzuwWAHMwLBD/oMs+OPzIXsCp4rBHI8XPQ0rf3YeHSj8uI+ta17Th1Gb
KuFFlDPujh5EiE0yel8u21hgsJ7rUpA04jPeYDbVbHPVC6bywf7pkChCEPos/Ze9
gAlRVptdBXH2nGmSyMFDfoby60lDXa7ZP0KoJUyuUG69zDMzlANLiEvk/+mN4YKB
W4uiaYlCeDfrCn4T8Pk9rTMdDWmCsbQpZQRqwwNXdUa/EX0Ccv/QdcppPHoylYeK
DQ9GPZOtDsm4s1M/J1oPVXZI7X/vLuBwje4/hhisFFiO4kLffcKCSopSizgLlO0=
=82B5
-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa22-3.4.patch"
Content-Disposition: attachment; filename="xsa22-3.4.patch"
Content-Transfer-Encoding: base64

eDg2L3BoeXNtYXA6IFByZXZlbnQgaW5jb3JyZWN0IHVwZGF0ZXMgb2YgbTJw
IG1hcHBpbmdzCgpJbiBjZXJ0YWluIGNvbmRpdGlvbnMsIHN1Y2ggYXMgbG93
IG1lbW9yeSwgc2V0X3AybV9lbnRyeSgpIGNhbiBmYWlsLgpDdXJyZW50bHks
IHRoZSBwMm0gYW5kIG0ycCB0YWJsZXMgd2lsbCBnZXQgb3V0IG9mIHN5bmMg
YmVjYXVzZSB3ZSBzdGlsbAp1cGRhdGUgdGhlIG0ycCB0YWJsZSBhZnRlciB0
aGUgcDJtIHVwZGF0ZSBoYXMgZmFpbGVkLgoKSWYgdGhhdCBoYXBwZW5zLCBz
dWJzZXF1ZW50IGd1ZXN0LWludm9rZWQgbWVtb3J5IG9wZXJhdGlvbnMgY2Fu
IGNhdXNlCkJVRygpcyBhbmQgQVNTRVJUKClzIHRvIGtpbGwgWGVuLgoKVGhp
cyBpcyBmaXhlZCBieSBvbmx5IHVwZGF0aW5nIHRoZSBtMnAgdGFibGUgaWZm
IHRoZSBwMm0gd2FzCnN1Y2Nlc3NmdWxseSB1cGRhdGVkLgoKVGhpcyBpcyBh
IHNlY3VyaXR5IHByb2JsZW0sIFhTQS0yMiAvIENWRS0yMDEyLTQ1MzcuCgpT
aWduZWQtb2ZmLWJ5OiBBbmRyZXcgQ29vcGVyIDxhbmRyZXcuY29vcGVyM0Bj
aXRyaXguY29tPgpBY2tlZC1ieTogSWFuIENhbXBiZWxsIDxpYW4uY2FtcGJl
bGxAY2l0cml4LmNvbT4KQWNrZWQtYnk6IElhbiBKYWNrc29uIDxpYW4uamFj
a3NvbkBldS5jaXRyaXguY29tPgpbIEFkZCBiYWNrcG9ydCBvZiAyMDUxNjpj
NGU2MjBhMmU2NWMgdG8gY29ycmVjdCBlcnJvciByZXR1cm4gZnJvbSBzZXRf
cDJtX2VudHJ5IF0KCmRpZmYgLXIgMTQ3MDlkMTk2ZTQzIHhlbi9hcmNoL3g4
Ni9tbS9wMm0uYwotLS0gYS94ZW4vYXJjaC94ODYvbW0vcDJtLmMJV2VkIEp1
biAzMCAxODoyNjoxMyAyMDEwICswMTAwCisrKyBiL3hlbi9hcmNoL3g4Ni9t
bS9wMm0uYwlGcmkgT2N0IDI2IDExOjI3OjQ0IDIwMTIgKzAxMDAKQEAgLTE1
MDAsMTQgKzE1MDAsMTUgQEAgaW50IHNldF9wMm1fZW50cnkoc3RydWN0IGRv
bWFpbiAqZCwgdW5zaQogewogICAgIHVuc2lnbmVkIGxvbmcgdG9kbyA9IDF1
bCA8PCBwYWdlX29yZGVyOwogICAgIHVuc2lnbmVkIGludCBvcmRlcjsKLSAg
ICBpbnQgcmMgPSAwOworICAgIGludCByYyA9IDE7CiAKICAgICB3aGlsZSAo
IHRvZG8gKQogICAgIHsKICAgICAgICAgb3JkZXIgPSAoKCgoZ2ZuIHwgbWZu
X3gobWZuKSB8IHRvZG8pICYgKFNVUEVSUEFHRV9QQUdFUyAtIDEpKSA9PSAw
KSAmJgogICAgICAgICAgICAgICAgICBodm1faGFwX2hhc18ybWIoZCkpID8g
OSA6IDA7CiAKLSAgICAgICAgcmMgPSBkLT5hcmNoLnAybS0+c2V0X2VudHJ5
KGQsIGdmbiwgbWZuLCBvcmRlciwgcDJtdCk7CisgICAgICAgIGlmICggIWQt
PmFyY2gucDJtLT5zZXRfZW50cnkoZCwgZ2ZuLCBtZm4sIG9yZGVyLCBwMm10
KSApCisgICAgICAgICAgICByYyA9IDA7CiAgICAgICAgIGdmbiArPSAxdWwg
PDwgb3JkZXI7CiAgICAgICAgIGlmICggbWZuX3gobWZuKSAhPSBJTlZBTElE
X01GTiApCiAgICAgICAgICAgICBtZm4gPSBfbWZuKG1mbl94KG1mbikgKyAo
MXVsIDw8IG9yZGVyKSk7CkBAIC0yMDU0LDcgKzIwNTUsMTAgQEAgZ3Vlc3Rf
cGh5c21hcF9hZGRfZW50cnkoc3RydWN0IGRvbWFpbiAqZAogICAgIGlmICgg
bWZuX3ZhbGlkKF9tZm4obWZuKSkgKSAKICAgICB7CiAgICAgICAgIGlmICgg
IXNldF9wMm1fZW50cnkoZCwgZ2ZuLCBfbWZuKG1mbiksIHBhZ2Vfb3JkZXIs
IHQpICkKKyAgICAgICAgewogICAgICAgICAgICAgcmMgPSAtRUlOVkFMOwor
ICAgICAgICAgICAgZ290byBvdXQ7IC8qIEZhaWxlZCB0byB1cGRhdGUgcDJt
LCBiYWlsIHdpdGhvdXQgdXBkYXRpbmcgbTJwLiAqLworICAgICAgICB9CiAg
ICAgICAgIGZvciAoIGkgPSAwOyBpIDwgKDFVTCA8PCBwYWdlX29yZGVyKTsg
aSsrICkKICAgICAgICAgICAgIHNldF9ncGZuX2Zyb21fbWZuKG1mbitpLCBn
Zm4raSk7CiAgICAgfQpAQCAtMjA3Miw2ICsyMDc2LDcgQEAgZ3Vlc3RfcGh5
c21hcF9hZGRfZW50cnkoc3RydWN0IGRvbWFpbiAqZAogICAgICAgICB9CiAg
ICAgfQogCitvdXQ6CiAgICAgYXVkaXRfcDJtKGQpOwogICAgIHAybV91bmxv
Y2soZC0+YXJjaC5wMm0pOwogCg==

--=separator
Content-Type: application/octet-stream; name="xsa22-4.0.patch"
Content-Disposition: attachment; filename="xsa22-4.0.patch"
Content-Transfer-Encoding: base64

eDg2L3BoeXNtYXA6IFByZXZlbnQgaW5jb3JyZWN0IHVwZGF0ZXMgb2YgbTJw
IG1hcHBpbmdzCgpJbiBjZXJ0YWluIGNvbmRpdGlvbnMsIHN1Y2ggYXMgbG93
IG1lbW9yeSwgc2V0X3AybV9lbnRyeSgpIGNhbiBmYWlsLgpDdXJyZW50bHks
IHRoZSBwMm0gYW5kIG0ycCB0YWJsZXMgd2lsbCBnZXQgb3V0IG9mIHN5bmMg
YmVjYXVzZSB3ZSBzdGlsbAp1cGRhdGUgdGhlIG0ycCB0YWJsZSBhZnRlciB0
aGUgcDJtIHVwZGF0ZSBoYXMgZmFpbGVkLgoKSWYgdGhhdCBoYXBwZW5zLCBz
dWJzZXF1ZW50IGd1ZXN0LWludm9rZWQgbWVtb3J5IG9wZXJhdGlvbnMgY2Fu
IGNhdXNlCkJVRygpcyBhbmQgQVNTRVJUKClzIHRvIGtpbGwgWGVuLgoKVGhp
cyBpcyBmaXhlZCBieSBvbmx5IHVwZGF0aW5nIHRoZSBtMnAgdGFibGUgaWZm
IHRoZSBwMm0gd2FzCnN1Y2Nlc3NmdWxseSB1cGRhdGVkLgoKVGhpcyBpcyBh
IHNlY3VyaXR5IHByb2JsZW0sIFhTQS0yMiAvIENWRS0yMDEyLTQ1MzcuCgpT
aWduZWQtb2ZmLWJ5OiBBbmRyZXcgQ29vcGVyIDxhbmRyZXcuY29vcGVyM0Bj
aXRyaXguY29tPgpBY2tlZC1ieTogSWFuIENhbXBiZWxsIDxpYW4uY2FtcGJl
bGxAY2l0cml4LmNvbT4KQWNrZWQtYnk6IElhbiBKYWNrc29uIDxpYW4uamFj
a3NvbkBldS5jaXRyaXguY29tPgoKZGlmZiAtciBiNDRjNzJmMThmOWYgeGVu
L2FyY2gveDg2L21tL3AybS5jCi0tLSBhL3hlbi9hcmNoL3g4Ni9tbS9wMm0u
YworKysgYi94ZW4vYXJjaC94ODYvbW0vcDJtLmMKQEAgLTIyMDcsNyArMjIw
NywxMCBAQCBndWVzdF9waHlzbWFwX2FkZF9lbnRyeShzdHJ1Y3QgZG9tYWlu
ICpkCiAgICAgaWYgKCBtZm5fdmFsaWQoX21mbihtZm4pKSApIAogICAgIHsK
ICAgICAgICAgaWYgKCAhc2V0X3AybV9lbnRyeShkLCBnZm4sIF9tZm4obWZu
KSwgcGFnZV9vcmRlciwgdCkgKQorICAgICAgICB7CiAgICAgICAgICAgICBy
YyA9IC1FSU5WQUw7CisgICAgICAgICAgICBnb3RvIG91dDsgLyogRmFpbGVk
IHRvIHVwZGF0ZSBwMm0sIGJhaWwgd2l0aG91dCB1cGRhdGluZyBtMnAuICov
CisgICAgICAgIH0KICAgICAgICAgaWYgKCAhcDJtX2lzX2dyYW50KHQpICkK
ICAgICAgICAgewogICAgICAgICAgICAgZm9yICggaSA9IDA7IGkgPCAoMVVM
IDw8IHBhZ2Vfb3JkZXIpOyBpKysgKQpAQCAtMjIyOCw2ICsyMjMxLDcgQEAg
Z3Vlc3RfcGh5c21hcF9hZGRfZW50cnkoc3RydWN0IGRvbWFpbiAqZAogICAg
ICAgICB9CiAgICAgfQogCitvdXQ6CiAgICAgYXVkaXRfcDJtKGQpOwogICAg
IHAybV91bmxvY2soZC0+YXJjaC5wMm0pOwogCg==

--=separator
Content-Type: application/octet-stream; name="xsa22-4.1.patch"
Content-Disposition: attachment; filename="xsa22-4.1.patch"
Content-Transfer-Encoding: base64

eDg2L3BoeXNtYXA6IFByZXZlbnQgaW5jb3JyZWN0IHVwZGF0ZXMgb2YgbTJw
IG1hcHBpbmdzCgpJbiBjZXJ0YWluIGNvbmRpdGlvbnMsIHN1Y2ggYXMgbG93
IG1lbW9yeSwgc2V0X3AybV9lbnRyeSgpIGNhbiBmYWlsLgpDdXJyZW50bHks
IHRoZSBwMm0gYW5kIG0ycCB0YWJsZXMgd2lsbCBnZXQgb3V0IG9mIHN5bmMg
YmVjYXVzZSB3ZSBzdGlsbAp1cGRhdGUgdGhlIG0ycCB0YWJsZSBhZnRlciB0
aGUgcDJtIHVwZGF0ZSBoYXMgZmFpbGVkLgoKSWYgdGhhdCBoYXBwZW5zLCBz
dWJzZXF1ZW50IGd1ZXN0LWludm9rZWQgbWVtb3J5IG9wZXJhdGlvbnMgY2Fu
IGNhdXNlCkJVRygpcyBhbmQgQVNTRVJUKClzIHRvIGtpbGwgWGVuLgoKVGhp
cyBpcyBmaXhlZCBieSBvbmx5IHVwZGF0aW5nIHRoZSBtMnAgdGFibGUgaWZm
IHRoZSBwMm0gd2FzCnN1Y2Nlc3NmdWxseSB1cGRhdGVkLgoKVGhpcyBpcyBh
IHNlY3VyaXR5IHByb2JsZW0sIFhTQS0yMiAvIENWRS0yMDEyLTQ1MzcuCgpT
aWduZWQtb2ZmLWJ5OiBBbmRyZXcgQ29vcGVyIDxhbmRyZXcuY29vcGVyM0Bj
aXRyaXguY29tPgpBY2tlZC1ieTogSWFuIENhbXBiZWxsIDxpYW4uY2FtcGJl
bGxAY2l0cml4LmNvbT4KQWNrZWQtYnk6IElhbiBKYWNrc29uIDxpYW4uamFj
a3NvbkBldS5jaXRyaXguY29tPgoKZGlmZiAtciAzYTI3ZjRlNDRiNmEgeGVu
L2FyY2gveDg2L21tL3AybS5jCi0tLSBhL3hlbi9hcmNoL3g4Ni9tbS9wMm0u
YworKysgYi94ZW4vYXJjaC94ODYvbW0vcDJtLmMKQEAgLTI1NTgsNyArMjU1
OCwxMCBAQCBndWVzdF9waHlzbWFwX2FkZF9lbnRyeShzdHJ1Y3QgcDJtX2Rv
bWFpCiAgICAgaWYgKCBtZm5fdmFsaWQoX21mbihtZm4pKSApIAogICAgIHsK
ICAgICAgICAgaWYgKCAhc2V0X3AybV9lbnRyeShwMm0sIGdmbiwgX21mbiht
Zm4pLCBwYWdlX29yZGVyLCB0LCBwMm0tPmRlZmF1bHRfYWNjZXNzKSApCisg
ICAgICAgIHsKICAgICAgICAgICAgIHJjID0gLUVJTlZBTDsKKyAgICAgICAg
ICAgIGdvdG8gb3V0OyAvKiBGYWlsZWQgdG8gdXBkYXRlIHAybSwgYmFpbCB3
aXRob3V0IHVwZGF0aW5nIG0ycC4gKi8KKyAgICAgICAgfQogICAgICAgICBp
ZiAoICFwMm1faXNfZ3JhbnQodCkgKQogICAgICAgICB7CiAgICAgICAgICAg
ICBmb3IgKCBpID0gMDsgaSA8ICgxVUwgPDwgcGFnZV9vcmRlcik7IGkrKyAp
CkBAIC0yNTc5LDYgKzI1ODIsNyBAQCBndWVzdF9waHlzbWFwX2FkZF9lbnRy
eShzdHJ1Y3QgcDJtX2RvbWFpCiAgICAgICAgIH0KICAgICB9CiAKK291dDoK
ICAgICBhdWRpdF9wMm0ocDJtLCAxKTsKICAgICBwMm1fdW5sb2NrKHAybSk7
CiAK

--=separator
Content-Type: application/octet-stream; name="xsa22-4.2-unstable.patch"
Content-Disposition: attachment; filename="xsa22-4.2-unstable.patch"
Content-Transfer-Encoding: base64

eDg2L3BoeXNtYXA6IFByZXZlbnQgaW5jb3JyZWN0IHVwZGF0ZXMgb2YgbTJw
IG1hcHBpbmdzCgpJbiBjZXJ0YWluIGNvbmRpdGlvbnMsIHN1Y2ggYXMgbG93
IG1lbW9yeSwgc2V0X3AybV9lbnRyeSgpIGNhbiBmYWlsLgpDdXJyZW50bHks
IHRoZSBwMm0gYW5kIG0ycCB0YWJsZXMgd2lsbCBnZXQgb3V0IG9mIHN5bmMg
YmVjYXVzZSB3ZSBzdGlsbAp1cGRhdGUgdGhlIG0ycCB0YWJsZSBhZnRlciB0
aGUgcDJtIHVwZGF0ZSBoYXMgZmFpbGVkLgoKSWYgdGhhdCBoYXBwZW5zLCBz
dWJzZXF1ZW50IGd1ZXN0LWludm9rZWQgbWVtb3J5IG9wZXJhdGlvbnMgY2Fu
IGNhdXNlCkJVRygpcyBhbmQgQVNTRVJUKClzIHRvIGtpbGwgWGVuLgoKVGhp
cyBpcyBmaXhlZCBieSBvbmx5IHVwZGF0aW5nIHRoZSBtMnAgdGFibGUgaWZm
IHRoZSBwMm0gd2FzCnN1Y2Nlc3NmdWxseSB1cGRhdGVkLgoKVGhpcyBpcyBh
IHNlY3VyaXR5IHByb2JsZW0sIFhTQS0yMiAvIENWRS0yMDEyLTQ1MzcuCgpT
aWduZWQtb2ZmLWJ5OiBBbmRyZXcgQ29vcGVyIDxhbmRyZXcuY29vcGVyM0Bj
aXRyaXguY29tPgpBY2tlZC1ieTogSWFuIENhbXBiZWxsIDxpYW4uY2FtcGJl
bGxAY2l0cml4LmNvbT4KQWNrZWQtYnk6IElhbiBKYWNrc29uIDxpYW4uamFj
a3NvbkBldS5jaXRyaXguY29tPgoKZGlmZiAtciBmNTNiOWY5MTVjM2QgeGVu
L2FyY2gveDg2L21tL3AybS5jCi0tLSBhL3hlbi9hcmNoL3g4Ni9tbS9wMm0u
YworKysgYi94ZW4vYXJjaC94ODYvbW0vcDJtLmMKQEAgLTYzMyw3ICs2MzMs
MTAgQEAgZ3Vlc3RfcGh5c21hcF9hZGRfZW50cnkoc3RydWN0IGRvbWFpbiAq
ZAogICAgIGlmICggbWZuX3ZhbGlkKF9tZm4obWZuKSkgKSAKICAgICB7CiAg
ICAgICAgIGlmICggIXNldF9wMm1fZW50cnkocDJtLCBnZm4sIF9tZm4obWZu
KSwgcGFnZV9vcmRlciwgdCwgcDJtLT5kZWZhdWx0X2FjY2VzcykgKQorICAg
ICAgICB7CiAgICAgICAgICAgICByYyA9IC1FSU5WQUw7CisgICAgICAgICAg
ICBnb3RvIG91dDsgLyogRmFpbGVkIHRvIHVwZGF0ZSBwMm0sIGJhaWwgd2l0
aG91dCB1cGRhdGluZyBtMnAuICovCisgICAgICAgIH0KICAgICAgICAgaWYg
KCAhcDJtX2lzX2dyYW50KHQpICkKICAgICAgICAgewogICAgICAgICAgICAg
Zm9yICggaSA9IDA7IGkgPCAoMVVMIDw8IHBhZ2Vfb3JkZXIpOyBpKysgKQpA
QCAtNjU2LDYgKzY1OSw3IEBAIGd1ZXN0X3BoeXNtYXBfYWRkX2VudHJ5KHN0
cnVjdCBkb21haW4gKmQKICAgICAgICAgfQogICAgIH0KIAorb3V0OgogICAg
IHAybV91bmxvY2socDJtKTsKIAogICAgIHJldHVybiByYzsK

--=separator--
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2014, SecurityGlobal.net LLC