CVE-2011-1583
paravirtualised kernel image validation
The functions which interpret the kernel image supplied for a paravirtualised guest, and decompress it into memory when booting the domain, are incautious. Specifically:
- Integer overflow in the decompression loop memory allocator might result in overrunning the buffer used for the decompressed image;
- Integer overflows and lack of checking of certain length fields can result in the loader reading its own address space beyond the size of the supplied kernel image file.
- Lack of error checking in the decompression loop can lead to an infinite loop.
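The three defects above map onto three checks that a loader growing an output buffer from untrusted length fields needs. The C below is an added example, not code from Xen's libxc: it uses a constructed toy record format (a little-endian 32-bit length followed by that many payload bytes) rather than the real bzImage/ELF handling, and the names `load_image`, `next_record`, `add_overflows`, the status codes and the sample images are all assumptions made for this illustration. Every length field is bounded by the bytes actually supplied, the output buffer grows only through overflow-checked arithmetic under a caller-supplied cap, and the loop aborts on any decoder error or on an iteration that makes no progress.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy image format (assumption, not Xen's): a sequence of
 * records, each a little-endian uint32 length followed by that many payload
 * bytes.  The loader concatenates payloads into a heap buffer that grows as
 * records arrive, the same shape as a decompression loop reallocating its
 * output as it goes. */
enum load_status {
    LOAD_OK = 0,
    LOAD_ERR_TRUNCATED,    /* a length field points past the supplied image */
    LOAD_ERR_OVERFLOW,     /* size arithmetic would wrap */
    LOAD_ERR_TOO_LARGE,    /* unpacked size exceeds the caller's cap */
    LOAD_ERR_NO_PROGRESS,  /* loop made no progress: would spin forever */
    LOAD_ERR_NOMEM
};

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Overflow-aware size_t addition: returns 1 (and leaves *sum untouched) if
 * a + b would wrap.  Writing `cur + len` unchecked is the pattern that lets
 * a hostile length shrink the allocation below the size of the copy. */
int add_overflows(size_t a, size_t b, size_t *sum)
{
    if (b > SIZE_MAX - a)
        return 1;
    *sum = a + b;
    return 0;
}

int size_add_wraps(size_t a, size_t b) { size_t s; return add_overflows(a, b, &s); }

/* Decode one record at *pos.  On success advances *pos past the record and
 * reports where the payload lives; on failure returns a status and leaves
 * *pos untouched, which is exactly the case a loop must notice. */
static enum load_status next_record(const uint8_t *in, size_t in_len, size_t *pos,
                                    const uint8_t **payload, size_t *len)
{
    size_t hdr_end, rec_end;
    if (add_overflows(*pos, 4, &hdr_end) || hdr_end > in_len)
        return LOAD_ERR_TRUNCATED;
    *len = read_le32(in + *pos);
    /* The length field is attacker-controlled: bound it by the bytes that
     * actually remain in the image, never the other way round. */
    if (add_overflows(hdr_end, *len, &rec_end) || rec_end > in_len)
        return LOAD_ERR_TRUNCATED;
    *payload = in + hdr_end;
    *pos = rec_end;
    return LOAD_OK;
}

/* Validate and unpack `in` into a malloc'd buffer of at most max_out bytes.
 * On LOAD_OK the caller owns *out; on any error *out is NULL. */
enum load_status load_image(const uint8_t *in, size_t in_len, size_t max_out,
                            uint8_t **out, size_t *out_len)
{
    uint8_t *buf = NULL;
    size_t pos = 0, produced = 0, cap = 0;
    enum load_status st = LOAD_OK;
    *out = NULL;
    *out_len = 0;

    while (pos < in_len) {
        const uint8_t *payload;
        size_t len, new_len, before = pos;
        st = next_record(in, in_len, &pos, &payload, &len);
        if (st != LOAD_OK)                       /* check every decoder result */
            goto fail;
        if (pos <= before) { st = LOAD_ERR_NO_PROGRESS; goto fail; } /* insist on progress */
        /* Grow the output without wrapping and under a hard ceiling. */
        if (add_overflows(produced, len, &new_len)) { st = LOAD_ERR_OVERFLOW; goto fail; }
        if (new_len > max_out)                    { st = LOAD_ERR_TOO_LARGE; goto fail; }
        if (new_len > cap) {
            uint8_t *nb = realloc(buf, new_len ? new_len : 1);
            if (!nb) { st = LOAD_ERR_NOMEM; goto fail; }
            buf = nb;
            cap = new_len;
        }
        memcpy(buf + produced, payload, len);
        produced = new_len;
    }
    *out = buf;
    *out_len = produced;
    return LOAD_OK;
fail:
    free(buf);
    return st;
}

/* Constructed sample images, not taken from any real kernel. */
const uint8_t IMG_GOOD[]      = { 3,0,0,0,'a','b','c', 2,0,0,0,'d','e' };
const uint8_t IMG_BAD_LEN[]   = { 100,0,0,0,'a','b','c' };     /* claims 100, has 3 */
const uint8_t IMG_SHORT_HDR[] = { 3,0,0,0,'a','b','c', 9,0 };  /* header cut short */

/* Status-only wrapper; frees any output it receives. */
enum load_status status_of(const uint8_t *img, size_t n, size_t max_out)
{
    uint8_t *o; size_t ol;
    enum load_status st = load_image(img, n, max_out, &o, &ol);
    free(o);
    return st;
}

/* Returns 1 if the well-formed image unpacks to exactly "abcde". */
int good_image_unpacks(void)
{
    uint8_t *o; size_t ol;
    int ok = load_image(IMG_GOOD, sizeof IMG_GOOD, 1024, &o, &ol) == LOAD_OK &&
             ol == 5 && memcmp(o, "abcde", 5) == 0;
    free(o);
    return ok;
}

int main(void)
{
    printf("good=%d bad_len=%d short_hdr=%d over_cap=%d\n", good_image_unpacks(),
           status_of(IMG_BAD_LEN, sizeof IMG_BAD_LEN, 1024),
           status_of(IMG_SHORT_HDR, sizeof IMG_SHORT_HDR, 1024),
           status_of(IMG_GOOD, sizeof IMG_GOOD, 4));
    return 0;
}
```

The hard cap matters as much as the wrap check: on a 64-bit host a 32-bit length field cannot wrap `size_t` on its own, so without an explicit ceiling a hostile image could still drive the allocation far beyond anything a real kernel needs.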
integer overflow, lack of check (error check)
http://xenbits.xen.org/hg/xen-4.1-testing.hg/rev/e2e575f8b5d9
libxc: [CVE-2011-1583] pv kernel image validation
An attacker who can supply a kernel image to be booted as a paravirtualised guest might be able to:
- Escalate privilege, taking control of the management domain and hence the entire machine.
- Gain knowledge of the contents of memory in the management tools. Depending on the toolstack in use this might contain sensitive information such as domain management or VNC passwords.
- Cause an infinite loop in the management software, resulting in denial of service (and excessive resource consumption by the management domain).
privilege escalation, information leak, DoS