Vigil@nce - Xen: NULL pointer dereference via the permission table
June 2015 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can force a NULL pointer to be dereferenced in Xen by
using a wrong permission table, in order to trigger a denial of
service.
Impacted products: XenServer, Debian, Fedora, openSUSE, SUSE Linux
Enterprise Desktop, SLES, Xen
Severity: 1/4
Creation date: 12/06/2015
DESCRIPTION OF THE VULNERABILITY
The use of some functions of Xen is controlled by a permission
table.
When a guest system calls a so protected function, the function
must control the version of the used table. However, this check is
not done for the function GNTTABOP_swap_grant_ref. When the table
is not defined or defined with a version other than 2, this
function may dereference a NULL pointer, which leads to an error
fatal to the whole host.
An attacker who controls the guest kernel can therefore force a
NULL pointer to be dereferenced in Xen by using a wrong permission
table, in order to trigger a denial of service.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Xen-NULL-pointer-dereference-via-the-permission-table-17116