The implementation of the HVM control operation HVMOP_inject_msi, while checking whether a particular IRQ was already set up in the necessary way, fails to properly check all respective conditions. In particular it doesn't check the returned pointer for being non-NULL before de-referencing it. Furthermore that same code also handles certain errors by logging messages, without (under default settings) at least making these messages subject to rate limiting.

The NULL pointer de-reference would lead to a host crash, and hence a denial of service would result. The spamming of the hypervisor log could similarly lead to a denial of service.

Acknowledgements: Red Hat would like to thank the Xen project for reporting this issue.
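The two defects described above, shown as an added C model that is not Xen source code and not part of the original report: an unchecked lookup result next to a checked one, with the error path behind a rate limiter. The table, function names, error codes and limiter parameters are all hypothetical.

```c
#include <errno.h>
#include <stdio.h>

/* Hypothetical model, not Xen source: a per-guest IRQ table whose lookup can fail. */
#define NR_PIRQS 8
struct pirq_info { int in_use; int is_msi; };
static struct pirq_info pirq_table[NR_PIRQS] = { [3] = { 1, 1 }, [4] = { 1, 0 } };

static struct pirq_info *pirq_lookup(int pirq)
{
    if (pirq < 0 || pirq >= NR_PIRQS || !pirq_table[pirq].in_use)
        return NULL;                      /* caller must handle this */
    return &pirq_table[pirq];
}

/* Fixed-window limiter: at most LOG_BURST messages per LOG_WINDOW ticks. */
#define LOG_BURST  3
#define LOG_WINDOW 100
static unsigned long window_start, in_window, emitted;

static void log_ratelimited(unsigned long now, const char *msg, int pirq)
{
    if (now - window_start >= LOG_WINDOW) { window_start = now; in_window = 0; }
    if (in_window >= LOG_BURST) return;   /* suppressed: the log cannot be flooded */
    in_window++; emitted++;
    fprintf(stderr, "inject_msi: %s (pirq %d)\n", msg, pirq);
}

/* Defect pattern from the description: the lookup result is used unchecked. */
int inject_msi_unchecked(int pirq)
{
    struct pirq_info *info = pirq_lookup(pirq);
    return info->is_msi ? 0 : -EINVAL;    /* NULL de-reference if lookup failed */
}

/* Hardened form: NULL check first, and every error message is rate limited. */
int inject_msi_checked(int pirq, unsigned long now)
{
    struct pirq_info *info = pirq_lookup(pirq);
    if (info == NULL) { log_ratelimited(now, "no such pirq", pirq); return -ENODEV; }
    if (!info->is_msi) { log_ratelimited(now, "pirq not set up for MSI", pirq); return -EINVAL; }
    return 0;
}

/* Repeats a failing request within one tick; returns how many lines reached the log. */
unsigned long simulate_flood(unsigned long calls, unsigned long tick)
{
    unsigned long before = emitted;
    window_start = tick; in_window = 0;   /* start from a fresh window */
    for (unsigned long i = 0; i < calls; i++) inject_msi_checked(7, tick);
    return emitted - before;
}
```

In this model a thousand failing requests in one window produce only `LOG_BURST` log lines, and a failed lookup returns an error instead of being de-referenced.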
Statement: Not vulnerable. This issue did not affect the versions of the kernel-xen package as shipped with Red Hat Enterprise Linux 5. This issue did not affect Red Hat Enterprise Linux 6 and Red Hat Enterprise MRG 2 as we did not have support for the Xen hypervisor.
External references: http://www.openwall.com/lists/oss-security/2014/06/03/9
Created xen tracking bugs for this issue: Affects: fedora-all [bug 1104583]