The HVMOP_set_mem_access operation handler uses an input as an array index before range checking it. A malicious HVM guest administrator can cause Xen to crash. If the out of array bounds access does not crash, the arbitrary value read will be used if the caller reads back the default access through the HVMOP_get_mem_access operation, thus causing an information leak. The caller cannot, however, directly control the address from which to read, since the value read in the first step will be used as an array index again in the second step. Acknowledgements: Red Hat would like to thank the Xen project for reporting this issue.
Statement: Not vulnerable. This issue did not affect the versions of the kernel-xen package as shipped with Red Hat Enterprise Linux 5. This issue did not affect Red Hat Enterprise Linux 6 and Red Hat Enterprise MRG as we did not have support for Xen hypervisor.
Created xen tracking bugs for this issue Affects: fedora-all [bug 883085]
xen-4.1.3-7.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
xen-4.1.3-6.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.