several hypercalls do not validate input GFNs

2012-12-03T17:51:00
ID XSA-32
Type xen
Reporter Xen Project
Modified 2012-12-03T17:51:00

Description

ISSUE DESCRIPTION

The function get_page_from_gfn does not validate its input GFN. An invalid GFN passed to a hypercall which uses this function will cause the hypervisor to read off the end of the frame table and potentially crash.
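The defect class described above, as an added example that is not Xen's code: a constructed frame table indexed by a guest-supplied GFN, with the unchecked lookup shown beside a version that range-checks the GFN before it touches the table. Every name here (frame_entry, NR_FRAMES, lookup_unchecked, lookup_checked, gfn_valid, frame_owner) is hypothetical; Xen's real frame table and get_page_from_gfn are not reproduced.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for a hypervisor frame table: one entry per machine
 * frame. Hypothetical layout, not Xen's struct page_info. */
struct frame_entry {
    uint32_t owner;    /* domain id that owns the frame */
    uint32_t refcount;
};

#define NR_FRAMES 16u
static struct frame_entry frame_table[NR_FRAMES];
static bool table_ready = false;

static void init_frame_table(void)
{
    /* Constructed contents: frame i is owned by domain i. */
    for (uint32_t i = 0; i < NR_FRAMES; i++) {
        frame_table[i].owner = i;
        frame_table[i].refcount = 1;
    }
    table_ready = true;
}

/* The pattern the advisory describes: a guest-controlled index goes straight
 * into the table. For gfn >= NR_FRAMES this addresses memory past the end of
 * frame_table, which is the out-of-bounds read XSA-32 reports.
 * Shown for contrast only; nothing below calls it. */
struct frame_entry *lookup_unchecked(uint64_t gfn)
{
    return &frame_table[gfn];
}

/* The missing validation: compare the guest-supplied GFN against the number
 * of frames the table actually covers before using it as an index. The test
 * is done on the full 64-bit value, so a huge GFN cannot wrap to a small
 * index after truncation. */
bool gfn_valid(uint64_t gfn)
{
    return gfn < NR_FRAMES;
}

struct frame_entry *lookup_checked(uint64_t gfn)
{
    if (!gfn_valid(gfn))
        return NULL;            /* reject instead of indexing off the end */
    return &frame_table[gfn];
}

/* Hypercall-style handler built on the checked lookup: returns the owning
 * domain id for a valid GFN, or -1 when the GFN is rejected. A caller that
 * propagates -1 to the guest fails the hypercall cleanly instead of letting
 * the hypervisor read outside the table. */
long frame_owner(uint64_t gfn)
{
    if (!table_ready)
        init_frame_table();
    struct frame_entry *e = lookup_checked(gfn);
    if (e == NULL)
        return -1;
    return (long)e->owner;
}
```

The check belongs in the shared lookup rather than in each hypercall handler, since the advisory's point is that several hypercalls reach the table through one function; fixing it once at that choke point covers every caller.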

IMPACT

A malicious guest administrator of a PV guest can cause Xen to crash. If the out-of-bounds access does not lead to a crash, a carefully crafted privilege escalation cannot be excluded, even though the guest does not itself control the values written.

VULNERABLE SYSTEMS

Only Xen 4.2 and Xen unstable are vulnerable. Xen 4.1 and earlier are not vulnerable. The vulnerability is exposed only to PV guests.