CVE-2011-1898 – virt: VT-d (PCI passthrough) MSI trap injection
https://notcve.org/view.php?id=CVE-2011-1898
Xen 4.1 before 4.1.1 and 4.0 before 4.0.2, when using PCI passthrough on Intel VT-d chipsets that do not have interrupt remapping, allows guest OS users to gain host OS privileges by "using DMA to generate MSI interrupts by writing to the interrupt injection registers." Xen v4.1 anterior a v4.1.1 y v4.0 anterior a v4.0.2, cuando usa PCI passthrough sobre chipsets Intel VT-d que no tienen que interrumplir remapeado, permite a usuarios invitados del OS obtener privilegios de anfitrión "usando DMA para generar interrupciones MSI escribiendo en el registro de inyección de interrupció"n. • http://lists.fedoraproject.org/pipermail/package-announce/2011-June/062112.html http://lists.fedoraproject.org/pipermail/package-announce/2011-June/062139.html http://lists.opensuse.org/opensuse-security-announce/2011-08/msg00017.html http://lists.opensuse.org/opensuse-security-announce/2011-08/msg00018.html http://theinvisiblethings.blogspot.com/2011/05/following-white-rabbit-software-attacks.html http://www.invisiblethingslab.com/resources/2011/Software%20Attacks%20on%20Intel%20VT-d.pdf http://xen.1045712.n5.na • CWE-264: Permissions, Privileges, and Access Controls CWE-284: Improper Access Control •
CVE-2011-1583 – xen: insufficiencies in pv kernel image validation
https://notcve.org/view.php?id=CVE-2011-1583
Multiple integer overflows in tools/libxc/xc_dom_bzimageloader.c in Xen 3.2, 3.3, 4.0, and 4.1 allow local users to cause a denial of service and possibly execute arbitrary code via a crafted paravirtualised guest kernel image that triggers (1) a buffer overflow during a decompression loop or (2) an out-of-bounds read in the loader involving unspecified length fields. Múltiples desbordamientos de entero en tools/libxc/xc_dom_bzimageloader.c en Xen v3.2, v3.3, v4.0, y v4.1 permite a usuarios locales provocar una denegación de servicio y posiblemente ejecutar código de su elección a través de invitados "paravirtualizados" manipulados en la imagen del kernel que dispara (1) un desbordamiento de búfer durante la descompresión de bucle o (2) una lectura fuera de límites en el cargador envolviendo un campo de longitud no especificada. • http://lists.xensource.com/archives/html/xen-devel/2011-05/msg00483.html http://lists.xensource.com/archives/html/xen-devel/2011-05/msg00491.html http://rhn.redhat.com/errata/RHSA-2011-0496.html https://access.redhat.com/security/cve/CVE-2011-1583 https://bugzilla.redhat.com/show_bug.cgi?id=696927 • CWE-189: Numeric Errors •
CVE-2011-1166 – kernel: xen: x86_64: fix error checking in arch_set_info_guest()
https://notcve.org/view.php?id=CVE-2011-1166
Xen, possibly before 4.0.2, allows local 64-bit PV guests to cause a denial of service (host crash) by specifying user mode execution without user-mode pagetables. Xen, probablemente anterior a v4.0.2 permite a invitados locales de 64-bit PV provocar una denegación de servicio (caída del host) especificando la ejecución en modo usuario sin las tablas de página. • http://downloads.avaya.com/css/P8/documents/100145416 http://rhn.redhat.com/errata/RHSA-2011-0833.html http://wiki.xen.org/wiki/Security_Announcements#XSA-1_Host_crash_due_to_failure_to_correctly_validate_PV_kernel_execution_state. https://access.redhat.com/security/cve/CVE-2011-1166 https://bugzilla.redhat.com/show_bug.cgi?id=688579 • CWE-20: Improper Input Validation •
CVE-2010-4255 – xen: 64-bit PV xen guest can crash host by accessing hypervisor per-domain memory area
https://notcve.org/view.php?id=CVE-2010-4255
The fixup_page_fault function in arch/x86/traps.c in Xen 4.0.1 and earlier on 64-bit platforms, when paravirtualization is enabled, does not verify that kernel mode is used to call the handle_gdt_ldt_mapping_fault function, which allows guest OS users to cause a denial of service (host OS BUG_ON) via a crafted memory access. La función fixup_page_fault en arch/x86/traps.c en Xen v.4.0.1 y anteriores sobre plataformas 64-bit, cuando se activa la paravirtualización, no verifica que el modo kernel está usado para llamar a la función handle_gdt_ldt_mapping_fault, lo que permite a los usuarios invitados del sistema operativo provocar una denegación de servicio (host OS BUG_ON) a través de un acceso de memoria manipulado. • http://lists.xensource.com/archives/html/xen-devel/2010-11/msg01650.html http://openwall.com/lists/oss-security/2010/11/30/5 http://openwall.com/lists/oss-security/2010/11/30/8 http://secunia.com/advisories/42884 http://secunia.com/advisories/46397 http://www.redhat.com/support/errata/RHSA-2011-0017.html http://www.securityfocus.com/archive/1/520102/100/0/threaded http://www.vmware.com/security/advisories/VMSA-2011-0012.html https://bugzilla.redhat.com/show_bug •