[v2.6] Multiple vulnerabilities in Xen 4.1/4.2 allow remote denial of service
I’m reporting here several Xen SAs. They are just too many to be reported one by one, and I’m not sure if they have been fixed yet or not. I could not find any reference to CVEs or XSA numbers in the commit messages.
CVE-2012-4535 (XSA 20): Timer overflow DoS vulnerability
A guest which sets a VCPU with an inappropriate deadline can cause an
infinite loop in Xen, blocking the affected physical CPU indefinitely.
CVE-2012-4537 (XSA 22): Memory mapping failure DoS vulnerability
When set_p2m_entry fails, Xen’s internal data structures (the p2m and m2p
tables) can get out of sync. This failure can be triggered by unusual guest
behaviour exhausting the memory reserved for the p2m table. If it happens,
subsequent guest-invoked memory operations can cause Xen to fail an assertion.
CVE-2012-4538 (XSA 23): Unhooking empty PAE entries DoS vulnerability
The HVMOP_pagetable_dying hypercall does not correctly check the
caller’s pagetable state, leading to a hypervisor crash.
CVE-2012-4539 (XSA 24): Grant table hypercall infinite loop DoS vulnerability
Due to inappropriate duplicate use of the same loop control variable,
passing bad arguments to GNTTABOP_get_status_frames can cause an
infinite loop in the compat hypercall handler.
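The loop-counter reuse described for XSA 24, as an added illustration (not Xen’s compat/grant_table.c; the batch/op structure, MAX_STEPS cap and the sample inputs are invented for the demo). The buggy handler indexes its per-op copy loop with the same counter that walks the batch, so an op with a small nr_frames keeps resetting the outer counter and the batch never finishes; the fixed handler uses a separate counter. The step cap only exists so the demo returns -1 instead of hanging:

```c
#include <stddef.h>

#define MAX_STEPS 1000   /* demo-only cap: real handler would spin forever */

/* Simulated batch entry; nr_frames is chosen by the guest. */
struct op {
    unsigned nr_frames;
};

/* Constructed sample inputs for the demo. */
static const struct op bad_ops[2]  = { {0}, {0} };  /* guest passes nr_frames = 0 twice */
static const struct op sane_ops[1] = { {3} };

/* Buggy: the copy loop reuses the batch counter 'i'.
 * Returns frames copied, or -1 if the batch did not finish within MAX_STEPS. */
static int process_batch_buggy(const struct op *ops, unsigned count)
{
    unsigned i, steps = 0;
    int copied = 0;

    for (i = 0; i < count; i++) {
        unsigned nr = ops[i].nr_frames;
        /* wrong: clobbers the outer loop variable */
        for (i = 0; i < nr; i++)
            copied++;
        if (++steps > MAX_STEPS)
            return -1;          /* would have looped forever */
    }
    return copied;
}

/* Fixed: the copy loop gets its own counter 'j'. */
static int process_batch_fixed(const struct op *ops, unsigned count)
{
    unsigned i, j, steps = 0;
    int copied = 0;

    for (i = 0; i < count; i++) {
        unsigned nr = ops[i].nr_frames;
        for (j = 0; j < nr; j++)
            copied++;
        if (++steps > MAX_STEPS)
            return -1;
    }
    return copied;
}
```

With bad_ops the buggy version hits the cap while the fixed one returns 0 frames and exits normally; with sane_ops both copy 3 frames, which is why the bug only surfaces on guest-chosen arguments.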
CVE-2012-5510 (XSA 26): Grant table version switch list corruption vulnerability
Downgrading the grant table version of a guest involves freeing its
pages. This freeing was incomplete - the page(s) are freed back to the
allocator, but not removed from the domain’s tracking list. This would cause
list corruption, eventually leading to a hypervisor crash.
CVE-2012-5513 (XSA 29): XENMEM_exchange may overwrite hypervisor memory
The handler for XENMEM_exchange accesses guest memory without range checking
the guest provided addresses, thus allowing these accesses to include the
hypervisor reserved range.
A malicious guest administrator can cause Xen to crash. If the out of address
space bounds access does not lead to a crash, a carefully crafted privilege
escalation cannot be excluded, even though the guest doesn’t itself control
the values written.
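The kind of range check XSA 29 is about, as an added example that is not Xen’s code: a guest hands the hypervisor a buffer address and length, and the handler must refuse anything that reaches into the hypervisor-reserved range. The address layout (HYPERVISOR_RESERVED_START) is an invented constant; the point is the overflow-safe end-of-range computation, since a naive check that lets the end address wrap accepts a range that ends in low memory after passing through the reserved range:

```c
#include <stdbool.h>
#include <stdint.h>

/* Illustrative layout, not Xen's real address map: everything from this
 * address upward belongs to the hypervisor and is off limits to guests. */
#define HYPERVISOR_RESERVED_START 0xFFFF800000000000ULL

/* Naive check: computes the end address with wrapping arithmetic and only
 * compares that. A range starting just below UINT64_MAX wraps to a small
 * end address and is wrongly accepted. */
static bool naive_range_ok(uint64_t guest_addr, uint64_t nr_bytes)
{
    uint64_t end = guest_addr + nr_bytes - 1;   /* may wrap */
    return end < HYPERVISOR_RESERVED_START;
}

/* Checked variant: [guest_addr, guest_addr + nr_bytes) must be non-empty,
 * must not wrap around the top of the address space, and its last byte
 * must lie below the hypervisor-reserved range. */
static bool guest_range_ok(uint64_t guest_addr, uint64_t nr_bytes)
{
    uint64_t end;

    if (nr_bytes == 0)
        return false;
    /* Overflow-safe: reject before computing guest_addr + nr_bytes - 1
     * if it would exceed UINT64_MAX. */
    if (guest_addr > UINT64_MAX - (nr_bytes - 1))
        return false;
    end = guest_addr + nr_bytes - 1;
    return end < HYPERVISOR_RESERVED_START;
}
```

A range straddling the reserved boundary fails both checks; the wrapping case is the one that separates them.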
(from redmine: issue id 1557, created on 2013-01-17, closed on 2013-01-17)