Bug 1062329 (CVE-2014-1895)

Summary: CVE-2014-1895 xen: Off-by-one error in FLASK_AVC_CACHESTAT hypercall (xsa-85)
Product: [Other] Security Response Reporter: Petr Matousek <pmatouse>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: agordeev, anton, dhoward, drjones, imammedo, jforbes, jkurik, kraxel, lwang, m.a.young, mrezanin, pbonzini, pholasek, plougher, rkrcmar, rvrbovsk, virt-maint, xen-maint
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-02-06 16:46:40 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1062335    
Bug Blocks: 1062332    

Description Petr Matousek 2014-02-06 16:45:22 UTC 
The FLASK_AVC_CACHESTAT hypercall, which provides access to per-cpu statistics on the Flask security policy, incorrectly validates the CPU for which statistics are being requested.

An attacker can cause the hypervisor to read past the end of an array. This may result in either a host crash, leading to a denial of service, or access to a small and static region of hypervisor memory, leading to an information leak. 

External reference:

http://seclists.org/oss-sec/2014/q1/263

Acknowledgements:

Red Hat would like to thank the Xen project for reporting this issue.
Comment 1 Petr Matousek 2014-02-06 16:46:40 UTC 
Statement:

Not vulnerable.

This issue did not affect the versions of the kernel-xen package as shipped with Red Hat Enterprise Linux 5.

This issue did not affect Red Hat Enterprise Linux 6 and Red Hat Enterprise MRG 2 as we did not have support for Xen hypervisor.
Comment 2 Petr Matousek 2014-02-06 16:59:25 UTC 
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1062335]
Comment 3 Murray McAllister 2014-02-10 01:00:07 UTC 
This was assigned CVE-2014-1895: http://seclists.org/oss-sec/2014/q1/283