A flaw was found in the way xen_failsafe_callback() handled failed iret, which causes the stack pointer to be wrong when entering the iret_exc error path. An unprivileged local guest user in the 32-bit PV Xen domain could use this flaw to crash the guest. References: http://www.openwall.com/lists/oss-security/2013/01/16/6 Acknowledgements: Red Hat would like to thank the Andrew Cooper of Citrix for reporting this issue.
Created attachment 679616 [details] Upstream proposed patch
Created kernel tracking bugs for this issue Affects: fedora-all [bug 896051]
Statement: This issue did not affect Red Hat Enterprise Linux 5 and Red Hat Enterprise MRG 2.
I'm brewing a build with the proposed patch: https://brewweb.devel.redhat.com/taskinfo?taskID=5278913 and taking a stab at writing a reproducer.
kernel-3.7.2-204.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
kernel-3.7.3-101.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2013:0496 https://rhn.redhat.com/errata/RHSA-2013-0496.html