Bug 974250 (CVE-2013-1432)

Summary: CVE-2013-1432 kernel: xen: Page reference counting error due to XSA-45/CVE-2013-1918 fixes
Product: [Other] Security Response Reporter: Petr Matousek <pmatouse>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: drjones, imammedo, pbonzini, rkrcmar, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-06-26 13:57:36 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 978383    
Bug Blocks: 974252    

Description Petr Matousek 2013-06-13 18:55:47 UTC 
The XSA-45/CVE-2013-1918 patch making error handling paths preemptible broke page reference counting by not retaining a reference on pages stored for deferred cleanup. This would lead to the hypervisor prematurely attempting to free the page, generally crashing upon finding the page still in use.

Malicious or buggy PV guest kernels can mount a denial of service attack affecting the whole system. It can't be excluded that this could also be exploited to mount a privilege escalation attack.

Acknowledgements:

Red Hat would like to thank the Xen project for reporting this issue. Upstream acknowledges Andrew Cooper and the Citrix XenServer team as the original reporters.
Comment 2 Petr Matousek 2013-06-13 18:58:51 UTC 
Statement:

Not vulnerable.

This issue did not affect the versions of the kernel-xen package as shipped with Red Hat Enterprise Linux 5 because we did not backport CVE-2013-1918 fix.

This issue did not affect Red Hat Enterprise Linux 6 and Red Hat Enterprise MRG 2 because of missing Xen hypervisor support.
Comment 3 Petr Matousek 2013-06-26 13:56:38 UTC 
Created xen tracking bugs for this issue

Affects: fedora-all [bug 978383]
Comment 4 Petr Matousek 2013-06-26 13:57:36 UTC 
Public as per:

  http://seclists.org/oss-sec/2013/q2/618