The Python bindings for the xc_vcpu_setaffinity call do not properly check their inputs. Systems which allow untrusted administrators to configure guest vcpu affinity may be exploited to trigger a buffer
overrun and corrupt memory.
An attacker who is able to configure a specific vcpu affinity via a toolstack which uses the Python bindings is able to exploit this issue.
Exploiting this issue leads to memory corruption which may result in a DoS against the system by crashing the toolstack. The possibility of code execution (privilege escalation) has not been ruled out.
The xend toolstack passes a cpumap to this function without sanitization. xend allows the cpumap to be configured via the guest configuration file or the SXP/XenAPI interface. Normally these interfaces are not considered safe to expose to non-trusted parties. However systems which attempt to allow guest administrator control of VCPU affinity in a safe way via xend may expose this issue.
This issue was discovered by Paolo Bonzini and Laszlo Ersek of Red Hat.
This issue does not affect the versions of the xen package as shipped with Red Hat Enterprise Linux 5.
Created xen tracking bugs for this issue
Affects: fedora-all [bug 964241]