Vigil@nce - Xen: unreachable memory reading via evtchn_fifo_set_pending
September 2014 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can force a read at an invalid address in the
evtchn_fifo_set_pending() function of Xen, in order to trigger a
denial of service.
Impacted products: Unix (platform)
Severity: 1/4
Creation date: 09/09/2014
DESCRIPTION OF THE VULNERABILITY
The Xen product manages FIFO-based event channels.
However, when a VCPU control block is manipulated, the
evtchn_fifo_set_pending() function tries to read a memory area
which is not reachable, which triggers a fatal error.
An attacker can therefore force a read at an invalid address in
the evtchn_fifo_set_pending() function of Xen, in order to trigger
a denial of service.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Xen-unreachable-memory-reading-via-evtchn-fifo-set-pending-15309