Bug 974250 (CVE-2013-1432) - CVE-2013-1432 kernel: xen: Page reference counting error due to XSA-45/CVE-2013-1918 fixes
Summary: CVE-2013-1432 kernel: xen: Page reference counting error due to XSA-45/CVE-20...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2013-1432
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 978383
Blocks: 974252
TreeView+ depends on / blocked
 
Reported: 2013-06-13 18:55 UTC by Petr Matousek
Modified: 2019-09-29 13:05 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-06-26 13:57:36 UTC


Attachments (Terms of Use)

Description Petr Matousek 2013-06-13 18:55:47 UTC
The XSA-45/CVE-2013-1918 patch making error handling paths preemptible broke page reference counting by not retaining a reference on pages stored for deferred cleanup. This would lead to the hypervisor prematurely attempting to free the page, generally crashing upon finding the page still in use.

Malicious or buggy PV guest kernels can mount a denial of service attack affecting the whole system. It can't be excluded that this could also be exploited to mount a privilege escalation attack.

Acknowledgements:

Red Hat would like to thank the Xen project for reporting this issue. Upstream acknowledges Andrew Cooper and the Citrix XenServer team as the original reporters.

Comment 2 Petr Matousek 2013-06-13 18:58:51 UTC
Statement:

Not vulnerable.

This issue did not affect the versions of the kernel-xen package as shipped with Red Hat Enterprise Linux 5 because we did not backport CVE-2013-1918 fix.

This issue did not affect Red Hat Enterprise Linux 6 and Red Hat Enterprise MRG 2 because of missing Xen hypervisor support.

Comment 3 Petr Matousek 2013-06-26 13:56:38 UTC
Created xen tracking bugs for this issue

Affects: fedora-all [bug 978383]

Comment 4 Petr Matousek 2013-06-26 13:57:36 UTC
Public as per:

  http://seclists.org/oss-sec/2013/q2/618


Note You need to log in before you can comment on or make changes to this bug.