[oss-security] Xen Security Advisory 95 - input handling vulnerabilities loading guest kernel on ARM

2014-05-15 00:00:00
vulners.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                Xen Security Advisory XSA-95
                         version 2

  input handling vulnerabilities loading guest kernel on ARM

UPDATES IN VERSION 2

Public release.

ISSUE DESCRIPTION

When loading a 32-bit ARM guest kernel the Xen tools did not correctly
validate the length of the kernel against the actual image size. This
would then lead to an overrun on the input buffer when loading the
kernel into guest RAM.

Furthermore when checking a 32-bit guest kernel for an appended DTB,
the Xen tools were prone to additional overruns also leading to an
overrun on the input buffer when loading the kernel into guest RAM.
Also, the tools would access a field in the putative DTB header
without checking for its alignment.

When loading a 64-bit ARM guest kernel the tools similarly did not
fully validate the requested load addresses, possibly leading to an
overrun on the input buffer when loading the kernel into guest RAM.

IMPACT

An attacker who can control the kernel used to boot a guest can
exploit these issues.

Exploiting the overflow issues allows information which follows the
guest kernel in the toolstack address space to be copied into the
guest's memory, constituting an information leak.

Alternatively either the overflow or alignment issues could be used to
crash the toolstack process, leading to a denial of service.

VULNERABLE SYSTEMS

ARM systems are vulnerable from Xen 4.4 onwards.

MITIGATION

Ensuring that guests use only trustworthy kernels will avoid this
problem.

CREDITS

This issue was discovered by Thomas Leonard.

RESOLUTION

Applying the attached patch resolves this issue.

xsa95.patch xen-unstable, Xen 4.4.x

$ sha256sum xsa95*.patch
1ab63ff126b92e752e88b240838dd66b66415604eaa3e49e373cb50ad3cdd0af xsa95.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJTc0j+AAoJEIP+FMlX6CvZAYIH/29FLbtbM/jnSuMksWvf1G6g
OgM3BhKGWAiNpebvPhhzqsKODchxpbrtGbLEIS9YDD8Qz5pQlnrLMsSBaSnrZvAs
5tQR5EKWpvDZry6THnxVP9OGxzR23+JEPtd1FQuNKiG68MeKmmFiAIGR1HfowSTs
VOoAWZ1h8ep85iI4qz1U4+wbTBAhNwFpM1JH/IUmSTlWbSxXpQomX/lQqrPpiHEs
8zVBMni8HNYlWBEeWTktpc45JXBhbbNSGaqduEO3s8WJBpJd1D+YJ8u+nz2AJVVu
JF6AkC1EL+cR6P7FSQZ+FrA9Spj+kND/SXlPNO/KLMn8QSlItMTUO2qH6UwcPKI=
=2MET
-----END PGP SIGNATURE-----
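The checks the advisory says were missing, as an added example that is not Xen's code and not the attached xsa95.patch: a toy loader for a 32-bit ARM zImage that takes the copy length from the header, probes for an appended DTB right after it, and copies into a guest RAM window. The "before" parser models the defect (header length trusted, never compared with the input size); the "after" parser bounds every derived offset by the blob length, refuses to read the FDT header at a misaligned offset, and checks the DTB's own totalsize before trusting it. The zImage header offsets and magic (0x24/0x28/0x2c, 0x016f2818) and the FDT magic/header size (0xd00dfeed, 40 bytes) are the real format constants; the function names, the sample image builder and the simulated guest RAM are assumptions made for this example. The 64-bit Image case from the advisory is covered only in the sense that the load must fit in the guest window.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Offsets and magic from the Linux 32-bit ARM zImage header
 * (arch/arm/boot/compressed/head.S) and the flattened device tree header. */
#define ZIMAGE_MAGIC_OFFSET 0x24
#define ZIMAGE_START_OFFSET 0x28
#define ZIMAGE_END_OFFSET   0x2c
#define ZIMAGE_MAGIC        0x016f2818U
#define FDT_MAGIC           0xd00dfeedU   /* stored big-endian in the blob */
#define FDT_HEADER_LEN      40            /* sizeof(struct fdt_header) */

enum ld_status { LD_OK = 0, LD_E_SHORT, LD_E_MAGIC, LD_E_RANGE, LD_E_ALIGN };

struct kernel_info {
    size_t kernel_len;  /* bytes of kernel to copy into guest RAM */
    size_t dtb_off;     /* offset of an appended DTB within the blob, 0 if none */
    size_t dtb_len;     /* DTB totalsize taken from its header, 0 if none */
};

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint32_t rd_be32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | (uint32_t)p[3];
}
static void wr_le32(uint8_t *p, uint32_t v) { p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24; }
static void wr_be32(uint8_t *p, uint32_t v) { p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v; }

/* "Before" (hypothetical, models the advisory's defect): the copy length comes
 * straight from the header and is never compared with blob_len, so a crafted
 * header makes the caller's memcpy read past the end of the input buffer. */
static enum ld_status parse_zimage_unchecked(const uint8_t *blob, size_t blob_len,
                                             struct kernel_info *out)
{
    if (blob_len < ZIMAGE_END_OFFSET + 4) return LD_E_SHORT;
    if (rd_le32(blob + ZIMAGE_MAGIC_OFFSET) != ZIMAGE_MAGIC) return LD_E_MAGIC;
    out->kernel_len = rd_le32(blob + ZIMAGE_END_OFFSET) - rd_le32(blob + ZIMAGE_START_OFFSET);
    out->dtb_off = out->dtb_len = 0;  /* DTB probe omitted here: it would read blob + kernel_len unchecked */
    return LD_OK;
}

/* "After": every offset derived from the image is bounded by blob_len before it
 * is dereferenced, and the FDT header is only read at a 4-byte aligned offset. */
static enum ld_status parse_zimage_checked(const uint8_t *blob, size_t blob_len,
                                           struct kernel_info *out)
{
    if (blob_len < ZIMAGE_END_OFFSET + 4) return LD_E_SHORT;
    if (rd_le32(blob + ZIMAGE_MAGIC_OFFSET) != ZIMAGE_MAGIC) return LD_E_MAGIC;
    uint32_t start = rd_le32(blob + ZIMAGE_START_OFFSET);
    uint32_t end   = rd_le32(blob + ZIMAGE_END_OFFSET);
    if (end <= start || (size_t)(end - start) > blob_len) return LD_E_RANGE;
    out->kernel_len = end - start;
    out->dtb_off = out->dtb_len = 0;

    size_t off = out->kernel_len;                       /* an appended DTB starts right after the kernel */
    if (off == blob_len) return LD_OK;                  /* nothing appended */
    if (off % 4 != 0) return LD_E_ALIGN;                /* header fields are 32-bit words; no misaligned read */
    if (blob_len - off < FDT_HEADER_LEN) return LD_OK;  /* trailer too short to hold a header; ignore it */
    if (rd_be32(blob + off) != FDT_MAGIC) return LD_OK; /* trailer is not a DTB */
    uint32_t totalsize = rd_be32(blob + off + 4);
    if (totalsize < FDT_HEADER_LEN || totalsize > blob_len - off) return LD_E_RANGE;
    out->dtb_off = off;
    out->dtb_len = totalsize;
    return LD_OK;
}

/* Copy a validated kernel plus appended DTB into a simulated guest RAM window.
 * Returns bytes copied, or 0 if the image fails validation or does not fit. */
static size_t load_into_guest(const uint8_t *blob, size_t blob_len, uint8_t *ram, size_t ram_len)
{
    struct kernel_info ki;
    if (parse_zimage_checked(blob, blob_len, &ki) != LD_OK) return 0;
    size_t total = ki.dtb_len ? ki.dtb_off + ki.dtb_len : ki.kernel_len;
    if (total > ram_len) return 0;   /* the load-address side of the check: must fit the guest window */
    memcpy(ram, blob, total);        /* total <= blob_len by construction, so no input overrun */
    return total;
}

/* Constructed sample image (not a real kernel): a zImage header whose end-start
 * equals `declared`, zero padding to `body_len` bytes, and optionally a 40-byte
 * FDT header (totalsize == 40) appended. Returns the number of bytes written. */
static size_t make_test_image(uint8_t *buf, size_t body_len, uint32_t declared, int append_dtb)
{
    size_t n = body_len;
    memset(buf, 0, body_len + (append_dtb ? FDT_HEADER_LEN : 0));
    wr_le32(buf + ZIMAGE_MAGIC_OFFSET, ZIMAGE_MAGIC);
    wr_le32(buf + ZIMAGE_START_OFFSET, 0x8000);
    wr_le32(buf + ZIMAGE_END_OFFSET, 0x8000 + declared);
    if (append_dtb) {
        wr_be32(buf + n, FDT_MAGIC);
        wr_be32(buf + n + 4, FDT_HEADER_LEN);
        n += FDT_HEADER_LEN;
    }
    return n;
}

int main(void)
{
    uint8_t blob[256], ram[256];
    struct kernel_info ki;
    size_t n = make_test_image(blob, 64, 0x10000, 0);   /* header claims 64 KiB, only 64 bytes supplied */
    parse_zimage_unchecked(blob, n, &ki);
    printf("unchecked: would copy %zu bytes from a %zu-byte blob\n", ki.kernel_len, n);
    printf("checked:   status=%d (LD_E_RANGE=%d)\n", parse_zimage_checked(blob, n, &ki), LD_E_RANGE);
    n = make_test_image(blob, 64, 64, 1);
    printf("honest image with DTB: loaded %zu bytes\n", load_into_guest(blob, n, ram, sizeof ram));
    return 0;
}
```

Treating a misaligned DTB offset as an error rather than silently "no DTB" is a design choice: on ARM a misaligned 32-bit load can fault, which is exactly the toolstack crash the advisory lists, so refusing is the conservative reading of an image a real build would never produce.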