Vigil@nce - Xen: denial of service via HVMOP_set_mem_type
May 2014 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker located in an HVM guest system that uses qemu-dm can call
the Xen HVMOP_set_mem_type hypercall to trigger a denial of service.
Impacted products: Unix (platform)
Severity: 1/4
Creation date: 29/04/2014
DESCRIPTION OF THE VULNERABILITY
A Xen guest system can use HVM (Hardware Virtual Machine) with
qemu-dm (the "device model", a daemon that emulates the hardware).
However, the HVMOP_set_mem_type hypercall does not check whether the
memory originates from a valid memory page. A vulnerability in
qemu-dm can then be used to call this hypercall and stop Xen.
An attacker located in an HVM guest system that uses qemu-dm can
therefore call the Xen HVMOP_set_mem_type hypercall to trigger a
denial of service.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Xen-denial-of-service-via-HVMOP-set-mem-type-14678