Vigil@nce - Xen: invalid pointer dereference via HVMOP_track_dirty_vram
September 2014 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can force an invalid pointer to be dereferenced in
HVMOP_track_dirty_vram of Xen, in order to trigger a denial of
service.
– Impacted products: Unix (platform)
– Severity: 1/4
– Creation date: 23/09/2014
DESCRIPTION OF THE VULNERABILITY
A guest system invokes hypercalls, which provide a feature
equivalent to a system call on the host system.
However, the HVMOP_track_dirty_vram hypercall does not lock
access to a pointer before using it.
An attacker can therefore force an invalid pointer to be
dereferenced in HVMOP_track_dirty_vram of Xen, in order to trigger
a denial of service.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Xen-invalid-pointer-dereference-via-HVMOP-track-dirty-vram-15390