Vigil@nce - Xen: NULL pointer dereference via HVMOP_inject_msi
June 2014 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker in an HVM guest system can cause a NULL pointer
dereference in HVMOP_inject_msi of Xen, in order to trigger a
denial of service on the host system.
Impacted products: Unix (platform)
Severity: 1/4
Creation date: 03/06/2014
DESCRIPTION OF THE VULNERABILITY
The Xen product uses the HVMOP_inject_msi hypercall to manipulate
IRQs.
However, this function does not check whether a pointer is NULL
before using it.
An attacker in an HVM guest system can therefore cause a NULL
pointer dereference in HVMOP_inject_msi of Xen, in order to trigger
a denial of service on the host system.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Xen-NULL-pointer-dereference-via-HVMOP-inject-msi-14835