Vigil@nce - Xen: buffer overflow of MSI-X
January 2016 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker who is an administrator in a guest system can trigger
a buffer overflow in MSI-X of Xen, in order to cause a denial of
service, and possibly to run code on the host system.
Impacted products: XenServer, Fedora, Xen.
Severity: 1/4.
Creation date: 17/12/2015.
DESCRIPTION OF THE VULNERABILITY
The Xen product can be configured to use the "qemu-xen-traditional"
device model (qemu-dm).
In this configuration, if the size of the MSI-X data is greater than
the size of the storage array, an overflow occurs.
An attacker who is an administrator in a guest system can therefore
trigger a buffer overflow in MSI-X of Xen, in order to cause a
denial of service, and possibly to run code on the host system.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Xen-buffer-overflow-of-MSI-X-18553