Bug 877404 - (CVE-2012-5525) CVE-2012-5525 kernel: xen: several hypercalls do not validate input GFNs
CVE-2012-5525 kernel: xen: several hypercalls do not validate input GFNs
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On: 883094
Blocks: 877406
  Show dependency treegraph
Reported: 2012-11-16 07:39 EST by Petr Matousek
Modified: 2013-08-24 10:03 EDT (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2013-08-24 10:03:31 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Petr Matousek 2012-11-16 07:39:45 EST
The function get_page_from_gfn does not validate its input GFN. An
invalid GFN passed to a hypercall which uses this function will cause
the hypervisor to read off the end of the frame table and potentially
A malicious PV guest administrator can cause Xen to crash.
If the out of bounds access does not lead to a crash, a carefully
crafted privilege escalation cannot be excluded, even though the guest
doesn't itself control the values written.

Red Hat would like to thank the Xen project for reporting this issue.
Comment 3 Petr Matousek 2012-11-16 07:43:10 EST

Not vulnerable.

This issue did not affect the versions of the kernel-xen package as shipped with Red Hat Enterprise Linux 5.

This issue did not affect Red Hat Enterprise Linux 6 and Red Hat Enterprise MRG as we did not have support for Xen hypervisor.
Comment 4 Petr Matousek 2012-12-03 13:26:45 EST
Created xen tracking bugs for this issue

Affects: fedora-all [bug 883094]
Comment 5 Fedora Update System 2012-12-11 19:16:33 EST
xen-4.2.0-6.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.