XSA-25

CVE-2012-4544 CVE-2012-2625


Problem description

xsa25

Xen domain builder Out-of-memory due to malicious kernel/ramdisk

The Xen PV domain builder contained no validation of the size of the supplied kernel or ramdisk either before or after decompression. This could cause the toolstack to consume all available RAM in the domain running the domain builder. (CVE-2012-4544)

Additionally, pygrub could consume an excessive amount of memory under circumstances similar to the above. (CVE-2012-2625)

lack of check (size of image)


Patch description

http://xenbits.xen.org/hg/xen-4.2-testing.hg/rev/60f09d1ab1fe

http://xenbits.xen.org/hg/xen-4.2-testing.hg/rev/537776f51f79

libxc: builder: limit maximum size of kernel/ramdisk.

Allowing user supplied kernels of arbitrary sizes, especially during decompression, can swallow up dom0 memory leading to either virtual address space exhaustion in the builder process or allocation failures/OOM killing of both toolstack and unrelated processes.

We disable these checks when building in a stub domain for pvgrub since this uses the guest’s own memory and is isolated.
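The two checks the advisory says were missing (size before decompression and size after decompression), as an added Python example that is not the libxc or pygrub code. The function name `load_image`, the exception `ImageTooLarge` and both size caps are assumptions made for this illustration, and the inputs in `demo()` are constructed.

```python
import gzip
import zlib

# Assumed caps for this example only; not the limits chosen by the Xen patch.
MAX_ON_DISK = 1 << 20          # largest accepted kernel/ramdisk file (1 MiB)
MAX_DECOMPRESSED = 8 << 20     # largest accepted size after decompression (8 MiB)


class ImageTooLarge(Exception):
    """The supplied image, or its decompressed form, exceeds the cap."""


def load_image(blob, max_in=MAX_ON_DISK, max_out=MAX_DECOMPRESSED):
    """Return the (decompressed) image bytes, refusing oversized input."""
    # Check 1: size of the file as supplied, before doing any work on it.
    if len(blob) > max_in:
        raise ImageTooLarge("image is %d bytes, cap is %d" % (len(blob), max_in))
    if blob[:2] != b"\x1f\x8b":            # no gzip magic: use the image as-is
        return blob
    # Check 2: enforce the cap while inflating. The length field in the gzip
    # trailer is attacker-controlled, so the real output is what gets counted.
    inflater = zlib.decompressobj(31)      # wbits=31 selects the gzip container
    out = bytearray()
    data = blob
    while not inflater.eof:
        # Ask for at most one byte past the cap, so memory use stays bounded.
        chunk = inflater.decompress(data, min(65536, max_out - len(out) + 1))
        if not chunk and not inflater.unconsumed_tail:
            raise ValueError("truncated gzip stream")
        out += chunk
        if len(out) > max_out:
            raise ImageTooLarge("decompressed image exceeds %d bytes" % max_out)
        data = inflater.unconsumed_tail
    return bytes(out)


def demo():
    """Run the loader over constructed inputs; returns (small_ok, bomb_rejected)."""
    small = gzip.compress(b"constructed kernel bytes " * 100)
    bomb = gzip.compress(b"\0" * (16 << 20))   # 16 MiB of zeros, tiny on disk
    small_ok = load_image(small) == b"constructed kernel bytes " * 100
    try:
        load_image(bomb)
        bomb_rejected = False
    except ImageTooLarge:
        bomb_rejected = True
    return small_ok, bomb_rejected
```

The second check matters most: the constructed 16 MiB image passes the on-disk cap easily, and is only stopped because the output is counted during inflation.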


Consequence

A malicious guest administrator who can supply a kernel or ramdisk can exhaust memory in domain 0 leading to a denial of service attack.

DoS