CVE-2012-4539
Grant table hypercall infinite loop DoS vulnerability
Due to inappropriate duplicate use of the same loop control variable, passing bad arguments to GNTTABOP_get_status_frames can cause an infinite loop in the compat hypercall handler.
logic error (duplicate loop control variable)
http://xenbits.xen.org/hg/xen-4.2-testing.hg/rev/8ca6372315f8
compat/gnttab: Prevent infinite loop in compat code
this introduces Grant Table version 2 hypercalls introduces a vulnerability whereby the compat hypercall handler can fall into an infinite loop.
If the watchdog is enabled, Xen will die after the timeout.
--- a/xen/common/compat/grant_table.c Wed Nov 14 11:42:45 2012 +0000
+++ b/xen/common/compat/grant_table.c Wed Nov 14 11:46:07 2012 +0000
@@ -318,6 +318,8 @@ int compat_grant_table_op(unsigned int c
#undef XLAT_gnttab_get_status_frames_HNDL_frame_list
if ( unlikely(__copy_to_guest(cmp_uop, &cmp.get_status, 1)) )
rc = -EFAULT;
+ else
+ i = 1;
}
break;
}A malicious guest administrator can trigger the bug. If the Xen watchdog is enabled, the whole system will crash. Otherwise the guest can cause the system to become completely unresponsive.
DoS