Xen Security Advisory 58 (CVE-2013-1432) - Page reference counting error due to XSA-45/CVE-2013-1918 fixes
references:
http://lists.xen.org/archives/html/xen-announce/2013-06/msg00012.html
ISSUE DESCRIPTION
The XSA-45/CVE-2013-1918 patch making error handling paths preemptible
broke
page reference counting by not retaining a reference on pages stored
for
deferred cleanup. This would lead to the hypervisor prematurely
attempting to
free the page, generally crashing upon finding the page still in use.
CREDITS
Thanks to Andrew Cooper and the Citrix XenServer team for discovering
and reporting this vulnerability, and helping investigate it.
IMPACT
Malicious or buggy PV guest kernels can mount a denial of service
attack
affecting the whole system. It can’t be excluded that this could also
be
exploited to mount a privilege escalation attack.
VULNERABLE SYSTEMS
All Xen versions having the XSA-45/CVE-2013-1918 fixes applied are vulnerable.
The vulnerability is only exposed by PV guests.
MITIGATION
Running only HVM guests, or PV guests with trusted kernels, will avoid
this
vulnerability.
RESOLUTION
Applying the appropriate attached patch resolves this issue.
xsa58-4.1.patch Xen 4.1.x
xsa58-4.2.patch Xen 4.2.x
xsa58-unstable.patch xen-unstable
$ sha256sum xsa58*.patch
3623ec87e5a2830f0d41de19a8e448d618954973c3264727a1f3a095f15a8641
xsa58-4.1.patch
194d6610fc38b767d643e5d58a1268f45921fb35e309b47aca6a388b861311c2
xsa58-4.2.patch
2c94b099d7144d03c0f7f44e892a521537fc040d11bc46f84a2438eece46a0f5
xsa58-unstable.patch
(from redmine: issue id 2123, created on 2013-06-26, closed on 2013-07-03)
- Relations:
- child #2124 (closed)
- child #2125 (closed)
- child #2126 (closed)
- child #2127 (closed)
- Changesets:
- Revision 448e4822 by Natanael Copa on 2013-07-01T16:38:45Z:
main/xen: fix xsa45 and xsa58 (CVE-2013-1918,CVE-2013-1432)
ref #2123- Revision ccdb8c3a by Natanael Copa on 2013-07-01T16:44:49Z:
main/xen: fix xsa45 and xsa58 (CVE-2013-1918,CVE-2013-1432)
ref #2123
fixes #2124
(cherry picked from commit 448e4822bbf8a2b4aa8b8f8d8153a2a0b4e0efda)
Conflicts:
main/xen/APKBUILD- Revision 02b9902f by Natanael Copa on 2013-07-01T16:49:55Z:
main/xen: fix xsa45 and xsa58 (CVE-2013-1918,CVE-2013-1432)
ref #2123
fixes #2125
(cherry picked from commit 448e4822bbf8a2b4aa8b8f8d8153a2a0b4e0efda)
Conflicts:
main/xen/APKBUILD- Revision f87a9718 by Natanael Copa on 2013-07-01T17:02:29Z:
main/xen: main/xen: fix xsa45 and xsa58 (CVE-2013-1918,CVE-2013-1432)
ref #2123
fixes #2126- Revision 14e8058d by Natanael Copa on 2013-07-02T11:54:33Z:
main/xen: main/xen: fix xsa45 and xsa58 (CVE-2013-1918,CVE-2013-1432)
ref #2123
fixes #2127