ISSUE DESCRIPTION
=================

When polling event channels, in general arbitrary port numbers can be specified. Specifically, there is no requirement that a polled event channel port has ever been created. When the code was generalised from an earlier implementation, introducing some intermediate pointers, a check should have been made that these intermediate pointers are non-NULL. However, that check was omitted.

IMPACT
======

A malicious or buggy guest may cause the hypervisor to access addresses it doesn't control, usually leading to a host crash (Denial of Service). Information leaks cannot be excluded.

VULNERABLE SYSTEMS
==================

Xen versions 4.4 and newer are vulnerable. Xen versions 4.3 and earlier are not affected.

Both x86 and ARM systems are vulnerable.

While all guest kinds can cause a Denial of Service, only x86 PV guests may be able to leverage the possible information leaks.

MITIGATION
==========

There is no known mitigation.

External References:
http://xenbits.xen.org/xsa/advisory-221.html

Acknowledgements:
Name: the Xen project
Upstream: Ankur Arora (Oracle)
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1463231]