Vigil@nce: Xen, denial of service via arch_set_info_guest
March 2011 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
A local attacker in a x86 64 bit guest can change the mode of a
VCPU, in order to stop the Xen host.
– Severity: 1/4
– Creation date: 17/03/2011
IMPACTED PRODUCTS
– Unix - plateform
DESCRIPTION OF THE VULNERABILITY
The arch_set_info_guest() function of the xen/arch/x86/domain.c
file configures the VCPU of a Xen guest.
In 64 bit, this function does not check if the memory is in user
space before changing the VCPU to user mode.
A local attacker in a x86 64 bit guest can therefore change the
mode of a VCPU, in order to stop the Xen host.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Xen-denial-of-service-via-arch-set-info-guest-10461