CVE-2017-14316
https://notcve.org/view.php?id=CVE-2017-14316
A parameter verification issue was discovered in Xen through 4.9.x. The function `alloc_heap_pages` allows callers to specify the first NUMA node that should be used for allocations through the `memflags` parameter; the node is extracted using the `MEMF_get_node` macro. While the function checks to see if the special constant `NUMA_NO_NODE` is specified, it otherwise does not handle the case where `node >= MAX_NUMNODES`. This allows an out-of-bounds access to an internal array. Existe un problema de verificación de parámetros en Xen hasta la versión 4.9.x. • http://www.securityfocus.com/bid/100818 http://www.securitytracker.com/id/1039348 http://xenbits.xen.org/xsa/advisory-231.html https://lists.debian.org/debian-lts-announce/2018/10/msg00009.html https://support.citrix.com/article/CTX227185 https://www.debian.org/security/2017/dsa-4050 • CWE-125: Out-of-bounds Read •
CVE-2017-12136
https://notcve.org/view.php?id=CVE-2017-12136
Race condition in the grant table code in Xen 4.6.x through 4.9.x allows local guest OS administrators to cause a denial of service (free list corruption and host crash) or gain privileges on the host via vectors involving maptrack free list handling. Una condición de carrera en el código de tabla de concesiones en Xen 4.6.x a 4.9.x permite que administradores invitados locales del sistema operativo provoquen una denegación de servicio (corrupción de lista libre y bloqueo del host) o que obtengan beneficios en el host mediante vectores que impliquen la gestión de lista libre de maptrack. • http://www.debian.org/security/2017/dsa-3969 http://www.openwall.com/lists/oss-security/2017/08/15/3 http://www.securityfocus.com/bid/100346 http://www.securitytracker.com/id/1039175 http://xenbits.xen.org/xsa/advisory-228.html https://bugzilla.redhat.com/show_bug.cgi?id=1477651 https://security.gentoo.org/glsa/201801-14 https://support.citrix.com/article/CTX225941 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVE-2017-12855
https://notcve.org/view.php?id=CVE-2017-12855
Xen maintains the _GTF_{read,writ}ing bits as appropriate, to inform the guest that a grant is in use. A guest is expected not to modify the grant details while it is in use, whereas the guest is free to modify/reuse the grant entry when it is not in use. Under some circumstances, Xen will clear the status bits too early, incorrectly informing the guest that the grant is no longer in use. A guest may prematurely believe that a granted frame is safely private again, and reuse it in a way which contains sensitive information, while the domain on the far end of the grant is still using the grant. Xen 4.9, 4.8, 4.7, 4.6, and 4.5 are affected. • http://www.debian.org/security/2017/dsa-3969 http://www.securityfocus.com/bid/100341 http://www.securitytracker.com/id/1039177 http://xenbits.xen.org/xsa/advisory-230.html https://support.citrix.com/article/CTX225941 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •