FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

xen-kernel -- vulnerability in the iret hypercall handler

Affected packages
3.1 <= xen-kernel < 4.5.0_3

Details

VuXML ID 8c31b288-27ec-11e5-a4a5-002590263bf5
Discovery 2015-06-11
Entry 2015-07-11

The Xen Project reports:

A buggy loop in Xen's compat_iret() function iterates the wrong way around a 32-bit index. Any 32-bit PV guest kernel can trigger this vulnerability by attempting a hypercall_iret with EFLAGS.VM set.

Given the use of __get/put_user(), and that the virtual addresses in question are contained within the lower canonical half, the guest cannot clobber any hypervisor data. Instead, Xen will take up to 2^33 page faults, in sequence, effectively hanging the host.

Malicious guest administrators can cause a denial of service affecting the whole system.
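The advisory does not reproduce the loop itself. The following C model is an added illustration, not Xen's code, of the bug class it describes: a copy loop whose unsigned 32-bit index moves in the wrong direction, so the exit condition is only met after the index wraps around. The frame size (words 1 to 9) and the loop shape are assumptions chosen so that the numbers line up with the report: roughly 2^32 loop bodies, each doing one guest read and one guest write, give the "up to 2^33 page faults" figure. The simulation is capped so the program finishes; the closed-form helper gives the count the uncapped loop would need.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed frame layout for this illustration: the index runs over
 * words 1 .. FRAME_TOP of a small exception frame. Not Xen's values. */
#define FRAME_TOP 9u

typedef struct {
    uint64_t iterations;   /* loop bodies executed */
    uint64_t accesses;     /* one guest read + one guest write per body */
    bool     terminated;   /* false if the simulation cap stopped it */
} loop_stats;

/* Stand-in for one copy step: a __get_user-style read of the guest frame
 * followed by a __put_user-style write, either of which can page-fault. */
static void copy_word(loop_stats *s)
{
    s->iterations++;
    s->accesses += 2;
}

/* Correct loop: walk the index from FRAME_TOP down to 1 and stop at 0. */
static loop_stats copy_frame_correct(uint64_t cap)
{
    loop_stats s = {0, 0, false};
    uint32_t i;
    for (i = FRAME_TOP; i > 0; --i) {
        if (s.iterations >= cap)
            return s;          /* simulation cap hit, loop not finished */
        copy_word(&s);
    }
    s.terminated = true;
    return s;
}

/* Buggy loop: same start and exit condition, but the index is incremented.
 * Unsigned wraparound is well defined in C, so "i > 0" only becomes false
 * after i has passed 0xFFFFFFFF and wrapped to 0: about 2^32 bodies, and
 * with a read and a write per body, up to 2^33 faulting accesses. */
static loop_stats copy_frame_wrong(uint64_t cap)
{
    loop_stats s = {0, 0, false};
    uint32_t i;
    for (i = FRAME_TOP; i > 0; ++i) {
        if (s.iterations >= cap)
            return s;          /* cap hit; uncapped, this would run ~2^32 times */
        copy_word(&s);
    }
    s.terminated = true;
    return s;
}

/* Closed form: bodies the buggy loop executes before the index wraps to 0. */
static uint64_t wrong_loop_iterations(uint32_t start)
{
    return (UINT64_C(1) << 32) - start;
}

/* Worst case: every read and every write of every body takes a page fault. */
static uint64_t wrong_loop_max_faults(uint32_t start)
{
    return 2 * wrong_loop_iterations(start);
}

int main(void)
{
    loop_stats ok  = copy_frame_correct(1000);
    loop_stats bad = copy_frame_wrong(1000);
    printf("correct loop: %llu bodies, terminated=%d\n",
           (unsigned long long)ok.iterations, ok.terminated);
    printf("wrong loop:   %llu bodies before the cap, terminated=%d\n",
           (unsigned long long)bad.iterations, bad.terminated);
    printf("uncapped wrong loop: %llu bodies, up to %llu faults (2^33 = %llu)\n",
           (unsigned long long)wrong_loop_iterations(FRAME_TOP),
           (unsigned long long)wrong_loop_max_faults(FRAME_TOP),
           (unsigned long long)(UINT64_C(1) << 33));
    return 0;
}
```

The practical lesson for reviewers of privileged copy loops is visible in the two functions: the loop bound is never checked against the data actually being copied, so a direction mistake turns a nine-word copy into a multi-billion-iteration hang that a guest can trigger at will. Bounding such loops by the frame size rather than by index comparison alone, and treating every user-accessor call as a potential fault, keeps this class of bug from becoming a host-wide denial of service.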

References

CVE Name CVE-2015-4164
URL http://xenbits.xen.org/xsa/advisory-136.html