Bug 974250 - (CVE-2013-1432) CVE-2013-1432 kernel: xen: Page reference counting error due to XSA-45/CVE-2013-1918 fixes
CVE-2013-1432 kernel: xen: Page reference counting error due to XSA-45/CVE-20...
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On: 978383
Blocks: 974252
  Show dependency treegraph
Reported: 2013-06-13 14:55 EDT by Petr Matousek
Modified: 2015-07-27 09:26 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2013-06-26 09:57:36 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Petr Matousek 2013-06-13 14:55:47 EDT
The XSA-45/CVE-2013-1918 patch making error handling paths preemptible broke page reference counting by not retaining a reference on pages stored for deferred cleanup. This would lead to the hypervisor prematurely attempting to free the page, generally crashing upon finding the page still in use.

Malicious or buggy PV guest kernels can mount a denial of service attack affecting the whole system. It can't be excluded that this could also be exploited to mount a privilege escalation attack.


Red Hat would like to thank the Xen project for reporting this issue. Upstream acknowledges Andrew Cooper and the Citrix XenServer team as the original reporters.
Comment 2 Petr Matousek 2013-06-13 14:58:51 EDT

Not vulnerable.

This issue did not affect the versions of the kernel-xen package as shipped with Red Hat Enterprise Linux 5 because we did not backport CVE-2013-1918 fix.

This issue did not affect Red Hat Enterprise Linux 6 and Red Hat Enterprise MRG 2 because of missing Xen hypervisor support.
Comment 3 Petr Matousek 2013-06-26 09:56:38 EDT
Created xen tracking bugs for this issue

Affects: fedora-all [bug 978383]
Comment 4 Petr Matousek 2013-06-26 09:57:36 EDT
Public as per:


Note You need to log in before you can comment on or make changes to this bug.