Vigil@nce - Xen: denial of service via FLASK_AVC_CACHESTAT
February 2014 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker in a guest system can use the FLASK_AVC_CACHESTAT
hypercall of Xen, in order to trigger a denial of service.
Impacted products: Unix (platform)
Severity: 1/4
Creation date: 06/02/2014
DESCRIPTION OF THE VULNERABILITY
Xen can be compiled with support for XSM (Xen Security Module).
The FLASK (Flux Advanced Security Kernel) module implements
Mandatory Access Control.
The FLASK_AVC_CACHESTAT hypercall obtains per-CPU statistics about
the FLASK policy. However, on a system where the number of
physical processors is max_phys_cpus, the flask_security_avc_cachestats()
function tries to read past the end of an array.
An attacker in a guest system can therefore use the
FLASK_AVC_CACHESTAT hypercall of Xen, in order to trigger a denial
of service.
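The boundary condition described above, modelled as an added example (not Xen source code and not part of the original bulletin). The array size MAX_PHYS_CPUS, the struct layout, all function names and the lenient `>` comparison are assumptions made for illustration; the point is that an index equal to the CPU count only leaves the array when every CPU slot is in use.

```c
/* Added illustration: a simplified model, not Xen source code. */
#include <stddef.h>
#include <stdio.h>

#define MAX_PHYS_CPUS 4            /* hypothetical compile-time maximum */

struct avc_stats { unsigned lookups, hits, misses; };

/* One statistics slot per possible CPU. */
static struct avc_stats per_cpu_stats[MAX_PHYS_CPUS];

/* Lenient check (assumed flaw): an index equal to nr_cpus is accepted. */
static int index_ok_lenient(unsigned cpu, unsigned nr_cpus)
{
    return !(cpu > nr_cpus);
}

/* Strict check: valid indexes are 0 .. nr_cpus-1, never beyond the array. */
static int index_ok_strict(unsigned cpu, unsigned nr_cpus)
{
    return cpu < nr_cpus && cpu < MAX_PHYS_CPUS;
}

/* Would reading this index go past the end of per_cpu_stats[]? */
static int reads_past_end(unsigned cpu)
{
    return cpu >= MAX_PHYS_CPUS;
}

/* Hardened handler: copy statistics out only for a validated index. */
static int cachestat(unsigned cpu, unsigned nr_cpus, struct avc_stats *out)
{
    if (out == NULL || !index_ok_strict(cpu, nr_cpus))
        return -1;                 /* reject instead of reading */
    *out = per_cpu_stats[cpu];
    return 0;
}

int main(void)
{
    for (unsigned nr = MAX_PHYS_CPUS - 1; nr <= MAX_PHYS_CPUS; nr++) {
        unsigned cpu = nr;         /* caller asks for index == CPU count */
        struct avc_stats s;
        printf("nr_cpus=%u cpu=%u lenient=%d past_end=%d strict=%d handler=%d\n",
               nr, cpu, index_ok_lenient(cpu, nr), reads_past_end(cpu),
               index_ok_strict(cpu, nr), cachestat(cpu, nr, &s));
    }
    return 0;
}
```

With fewer CPUs than the maximum, the lenient check lets through an unused but in-bounds slot; only at the maximum does the same request fall outside the array.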
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Xen-denial-of-service-via-FLASK-AVC-CACHESTAT-14184