Vigil@nce - Xen: denial of service via PIRQ
November 2012 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker, who is an administrator in a guest system, can use
an invalid PIRQ range in order to force Xen to read from an invalid
memory address, which stops the hypervisor.
– Impacted products: XenServer, SUSE Linux Enterprise Desktop, SLES,
Unix (platform)
– Severity: 1/4
– Creation date: 13/11/2012
DESCRIPTION OF THE VULNERABILITY
A PIRQ is an interrupt feature used by PCI devices.
However, the domain_pirq_to_emuirq() function of Xen does not
check whether the PIRQ range given by the guest is valid, so it
goes on to read from an invalid memory address.
A local attacker, who is an administrator in a guest system, can
therefore use an invalid PIRQ range in order to force Xen to read
from an invalid memory address, which stops the hypervisor.
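The defect described above is a missing bounds check on a guest-controlled index into a per-domain table. The following is an added illustration of that pattern and of the fix, written for this bulletin; it is not Xen's code, and the table size (NR_PIRQS), the EMUIRQ_NONE sentinel, the struct layout and the sample mappings are all assumptions constructed for the example. The unchecked lookup is shown only for comparison and is never called with an out-of-range value here, because doing so would read outside the table, which is exactly the fault the bulletin describes.

```c
#include <assert.h>
#include <stdio.h>

/* Constructed illustration (not Xen's code): a per-domain table mapping a
 * guest-visible PIRQ number to an emulated IRQ. Size and sentinel are
 * assumptions for this example. */
#define NR_PIRQS     16
#define EMUIRQ_NONE  (-1)

struct domain {
    int pirq_to_emuirq[NR_PIRQS];
};

/* Vulnerable pattern: the guest-supplied index is used as-is. Any value
 * outside 0..NR_PIRQS-1 reads memory beyond the table (out-of-bounds read),
 * which in a hypervisor means an invalid memory access and a crash. */
static int pirq_to_emuirq_unchecked(const struct domain *d, int pirq)
{
    return d->pirq_to_emuirq[pirq];
}

/* Hardened pattern: validate the range before indexing. Callers treat
 * EMUIRQ_NONE as "no such PIRQ" and fail the guest's request instead of
 * touching memory outside the table. */
static int pirq_to_emuirq_checked(const struct domain *d, int pirq)
{
    if (pirq < 0 || pirq >= NR_PIRQS)
        return EMUIRQ_NONE;
    return d->pirq_to_emuirq[pirq];
}

/* Builds a demo domain with two constructed mappings: PIRQ 3 -> IRQ 10 and
 * PIRQ 5 -> IRQ 11. Every other slot is unmapped. */
static const struct domain *demo_domain(void)
{
    static struct domain d;
    static int initialised;
    if (!initialised) {
        for (int i = 0; i < NR_PIRQS; i++)
            d.pirq_to_emuirq[i] = EMUIRQ_NONE;
        d.pirq_to_emuirq[3] = 10;
        d.pirq_to_emuirq[5] = 11;
        initialised = 1;
    }
    return &d;
}

int main(void)
{
    const struct domain *d = demo_domain();
    /* Constructed guest inputs: two valid, one unmapped, three out of range. */
    const int inputs[] = { 3, 5, 0, -1, NR_PIRQS, 1 << 30 };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int r = pirq_to_emuirq_checked(d, inputs[i]);
        if (r == EMUIRQ_NONE)
            printf("pirq %d: rejected or unmapped\n", inputs[i]);
        else
            printf("pirq %d: emuirq %d\n", inputs[i], r);
    }
    /* The unchecked variant is only ever called with an in-range value. */
    printf("unchecked lookup of pirq 3: %d\n", pirq_to_emuirq_unchecked(d, 3));
    return 0;
}
```

The fix is the two-line range test; the rest of the block exists so the two variants can be run side by side on the same table. A reviewer looking for this class of bug checks that every index the guest can influence is validated against the table it selects from, before the first dereference.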
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Xen-denial-of-service-via-PIRQ-12135