

Re: [Xen-devel] insufficiencies in pv kernel image validation

To: MaoXiaoyun <tinnycloud@xxxxxxxxxxx>
Subject: Re: [Xen-devel] insufficiencies in pv kernel image validation
From: Keith Coleman <keith.coleman@xxxxxxxxxxxxx>
Date: Mon, 16 May 2011 13:05:18 -0400
Cc: xen devel <xen-devel@xxxxxxxxxxxxxxxxxxx>
In-reply-to: <BLU157-w25813DF684C02E299E97A9DA8D0@xxxxxxx>
References: <BAY0-MC2-F46jsbFMAv00186193@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx> <BLU157-w25813DF684C02E299E97A9DA8D0@xxxxxxx>
2011/5/16 MaoXiaoyun <tinnycloud@xxxxxxxxxxx>:
> Hi:
>    Documented in https://bugzilla.redhat.com/show_bug.cgi?id=696927.
> [[[   It has been found that xc_try_bzip2_decode() and xc_try_lzma_decode()
> decode routines did not properly check for possible buffer size overflow in
> the decoding loop. A specially crafted kernel image file could be created
> that would trigger allocation of a small buffer resulting in buffer overflow
> with user supplied data.
> Additionally, several integer overflows and lack of error/range checking
> that could result in the loader reading its own address space or could lead
> to an infinite loop have been found.
> A privileged DomU user could use these flaws to cause denial of service or,
> possibly, execute arbitrary code in Dom0.
> Only management domains with 32-bit userland are vulnerable.
> ]]]
>  In the last line above, what are "management domains"?
>  Does Xen 4.0/4.1 suffer from this bug?
>  And are any patches available?

Patches were committed to all maintained branches, including xen-3.4,
last Monday.

Keith Coleman
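The decoding-loop checks the quoted Red Hat bug report calls for, as an added example in C that is not part of this thread or of libxc: a toy run-length decoder standing in for the bzip2/lzma loops, with a constructed size cap (MAX_OUTPUT_SIZE) and an output buffer that grows only by bounded arithmetic, so a small size hint in a crafted header cannot leave the loop writing past its allocation.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed ceiling on decompressed image size (not a libxc constant). */
#define MAX_OUTPUT_SIZE ((size_t)64 * 1024 * 1024)

/* Grow *buf to `needed` bytes: refuse over-cap requests and double only
 * below the cap, so the size arithmetic can never wrap. */
static int grow_output(unsigned char **buf, size_t *cap, size_t needed)
{
    size_t newcap = *cap ? *cap : 4096;
    unsigned char *p;
    if (needed > MAX_OUTPUT_SIZE)
        return -1;
    if (needed <= *cap) return 0;
    while (newcap < needed)
        newcap = (newcap > MAX_OUTPUT_SIZE / 2) ? MAX_OUTPUT_SIZE : newcap * 2;
    if (!(p = realloc(*buf, newcap)))
        return -1;
    *buf = p;
    *cap = newcap;
    return 0;
}

/* Toy run-length decoder standing in for the bzip2/lzma loops: 4-byte LE
 * size hint, then (count, byte) pairs. The hint only pre-sizes the buffer. */
static int decode_rle(const unsigned char *in, size_t in_len,
                      unsigned char **out, size_t *out_len)
{
    unsigned char *buf = NULL;
    size_t cap = 0, len = 0, i, hint;
    if (in_len < 4) return -1;
    hint = (size_t)in[0] | (size_t)in[1] << 8 | (size_t)in[2] << 16 | (size_t)in[3] << 24;
    if (grow_output(&buf, &cap, hint) < 0)
        return -1;
    for (i = 4; i + 1 < in_len; i += 2) {
        size_t n = in[i];
        /* Bound len + n before resizing or writing; real run lengths can wrap a 32-bit size_t. */
        if (n > SIZE_MAX - len || grow_output(&buf, &cap, len + n) < 0) {
            free(buf);
            return -1;
        }
        memset(buf + len, in[i + 1], n);
        len += n;
    }
    *out = buf;
    *out_len = len;
    return 0;
}
```

A header whose hint is smaller than the real output is handled by growth, and one whose hint exceeds the cap is rejected before any allocation.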
