Xen Project XSA-145
Oct 29, 2015 - 11:59 a.m.

arm: Host crash when preempting a multicall

2015-10-29 11:59:00
Xen Project
xenbits.xen.org

CVSS2: 4.9
Attack Vector: LOCAL
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: COMPLETE
Vector: AV:L/AC:L/Au:N/C:N/I:N/A:C

EPSS: 0.001
Percentile: 26.7%

ISSUE DESCRIPTION

Early versions of Xen on ARM did not support “multicall” functionality (the ability to perform multiple operations via a single hypercall) and therefore stubbed out the functionality needed to support preemption of multicalls in a manner which crashed the host.
When multicall support was subsequently added these stubs were not replaced with the correct functionality and therefore exposed to guests a code path which crashes the host.
Any guest can issue a preemptable hypercall via the multicall interface to exploit this vulnerability.
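
The failure mode described above, as a simplified user-space model added here for illustration. It is not Xen source code, every name in it is hypothetical, and the save-and-resume behaviour of the "fixed" helper is an assumption about what correct preemption support looks like.

```c
/* Simplified user-space model, NOT Xen source; every name is hypothetical. */
#include <stdbool.h>
#include <stddef.h>

enum outcome { DONE, PREEMPTED, HOST_CRASH };
struct mc_entry { long arg; long result; };   /* work left, work done */
struct mc_state {
    bool in_multicall;    /* set while the batch loop is running */
    bool call_preempted;  /* set by the continuation helper */
    bool host_crashed;    /* stands in for a fatal assertion in the hypervisor */
};
typedef void (*cont_fn)(struct mc_state *, struct mc_entry *, long);

/* Stub left over from before batches were supported: fatal inside a batch. */
static void continuation_stub(struct mc_state *s, struct mc_entry *e, long left) {
    (void)e; (void)left;
    if (s->in_multicall) s->host_crashed = true;
}

/* Assumed correct behaviour: save progress, tell the batch loop to stop. */
static void continuation_fixed(struct mc_state *s, struct mc_entry *e, long left) {
    if (s->in_multicall) { e->arg = left; s->call_preempted = true; }
}

/* Preemptible operation: at most 4 units per pass, then asks to be resumed. */
static void long_op(struct mc_state *s, struct mc_entry *e, cont_fn cont) {
    long work = e->arg > 4 ? 4 : e->arg;
    e->result += work;
    if (e->arg > work) cont(s, e, e->arg - work);
    else e->arg = 0;
}

/* Batch loop: resumes at *next and returns early when an entry is preempted. */
static enum outcome run_batch(struct mc_entry *v, size_t n, size_t *next, cont_fn cont) {
    struct mc_state s = { .in_multicall = true };
    for (; *next < n; ++*next) {
        long_op(&s, &v[*next], cont);
        if (s.host_crashed) return HOST_CRASH;
        if (s.call_preempted) return PREEMPTED;  /* same entry resumes later */
    }
    return DONE;
}

int main(void) {
    struct mc_entry a[] = { { 10, 0 } }, b[] = { { 10, 0 } };
    size_t na = 0, nb = 0;
    enum outcome r;
    while ((r = run_batch(b, 1, &nb, continuation_fixed)) == PREEMPTED) { }
    return !(r == DONE && run_batch(a, 1, &na, continuation_stub) == HOST_CRASH);
}
```

In the model, a short operation never reaches the continuation helper, so the stub only fails once a batched operation needs to be preempted.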

IMPACT

A malicious guest can crash the host.

VULNERABLE SYSTEMS

Both 32- and 64-bit ARM systems are vulnerable from Xen 4.4 onward.
x86 systems are not vulnerable.
