[Xen-devel] Xen security advisory CVE-2011-1583 - pv kernel image valida
-----BEGIN PGP SIGNED MESSAGE-----
Xen security advisory CVE-2011-1583
paravirtualised kernel image validation
Xen.org paravirtualised guest image loading functionality has multiple
errors in the validation and decompression of guest kernels.
Vendors and users are urged to apply the attached patch. Some
defensive workarounds are available.
The functions which interpret the kernel image supplied for a
paravirtualised guest, and decompress it into memory when booting the
domain, are incautious. Specifically:
(i) Integer overflow in the decompression loop memory allocator might
result in overrunning the buffer used for the decompressed image;
(ii) Integer overflows and lack of checking of certain length fields
can result in the loader reading its own address space beyond the
size of the supplied kernel image file.
(iii) Lack of error checking in the decompression loop can lead to an
An attacker who can supply a kernel image to be booted as a
paravirtualised guest might be able to:
(i) Escalate privilege, taking control of the management domain and
hence the entire machine.
(ii) Gain knowledge the contents of memory in the management tools.
Depending on the toolstack in use this might contain sensitive
information such as domain management or VNC passwords.
(iii) Cause an infinite loop in the management software, resulting in
denial of service (and excessive resource consumption by the
3. Who is affected, and workarounds
Systems where the guest kernel is provided by untrusted guest
administrators ARE vulnerable; this is the case whether the guest
kernel is provided by ad-hoc or out-of-band means, or via the "pygrub"
tool which automatically finds the kernel in the guest filesystem.
Systems which permit only blessed or approved paravirtualised kernel
images to be used are NOT vulnerable; preventing attackers from
providing hostile kernel images will completely prevent the attacks.
Systems which only run fully virtualised ("HVM") guests are NOT
With respect to each of the three specific issues:
(i) Only management domains with 32-bit userland are vulnerable.
The attack can be defeated by running the management tools with a
virtual address space ulimit of less than 2Gby, for example by
putting "ulimit -v 1000000" in an appropriate point in the
system startup files.
(ii) In the xen.org "xend" management toolstack this exposure is
indeed limited to VNC passwords (and general information about the
number of running domains); in such systems this attack will be
complicated to carry out and not likely to be rewarding.
In the systems using the xen.org "xl" management tool this exposure
is limited to information about the specific guest in question and
is therefore very low impact.
(iii) This attack is very easy to carry out but the impact is low.
Running VMs are not adversely affected. There is no known
In theory it might be possible to pre-validate kernel images. Images
which are accepted and booted by a fixed version of xen are safe to
pass to unfixed versions.
4. Patch information
The proposed patch is attached. There are three separate versions:
cve-2011-1583-4.1.patch for Xen 4.1
cve-2011-1583-4.0.patch for Xen 3.4 and 4.0
cve-2011-1583-unstable.patch for the xen-unstable development tree
$ sha256sum cve-2011-1583-*.patch
$ sha1sum cve-2011-1583-*.patch
These have been applied and pushed to xen-unstable.hg (23322:d9982136d8fa),
xen-4.1-testing (23042:e2e575f8b5d9) and xen-4.0-testing (21482:c2adc059e931).
It will appear in xen-3.4-testing shortly.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
-----END PGP SIGNATURE-----
Description: patch for Xen 4.1
Description: patch for Xen 3.4 and 4.0
Description: Patch for xen-unstable
Xen-devel mailing list