An issue was discovered in Xen through 4.9.x. Grant copying code made an implication that any grant pin would be accompanied by a suitable page reference. Other portions of code, however, did not match up with that assumption. When such a grant copy operation is being done on a grant of a dying domain, the assumption turns out wrong. A malicious guest administrator can cause hypervisor memory corruption, most likely resulting in host crash and a Denial of Service. Privilege escalation and information leaks cannot be ruled out.
{ "availability": "No subscription required", "ubuntu_priority": "medium", "binaries": [ { "xen-hypervisor-4.6-armhf": "4.9.2-0ubuntu1", "libxenstore3.0": "4.9.2-0ubuntu1", "xenstore-utils-dbgsym": "4.9.2-0ubuntu1", "libxenstore3.0-dbgsym": "4.9.2-0ubuntu1", "xen-hypervisor-4.8-amd64": "4.9.2-0ubuntu1", "xen-hypervisor-4.9-amd64": "4.9.2-0ubuntu1", "xen-hypervisor-4.8-armhf": "4.9.2-0ubuntu1", "xen-utils-4.9-dbgsym": "4.9.2-0ubuntu1", "xen-hypervisor-4.7-arm64": "4.9.2-0ubuntu1", "libxen-dev": "4.9.2-0ubuntu1", "xen-hypervisor-4.9-armhf": "4.9.2-0ubuntu1", "xen-utils-4.9": "4.9.2-0ubuntu1", "libxen-4.9": "4.9.2-0ubuntu1", "libxen-4.9-dbgsym": "4.9.2-0ubuntu1", "xenstore-utils": "4.9.2-0ubuntu1", "xen-hypervisor-4.9-arm64": "4.9.2-0ubuntu1", "xen-system-amd64": "4.9.2-0ubuntu1", "xen-system-armhf": "4.9.2-0ubuntu1", "xen-hypervisor-4.6-arm64": "4.9.2-0ubuntu1", "xen-utils-common": "4.9.2-0ubuntu1", "xen-hypervisor-4.6-amd64": "4.9.2-0ubuntu1", "xen-hypervisor-4.7-amd64": "4.9.2-0ubuntu1", "xen-hypervisor-4.8-arm64": "4.9.2-0ubuntu1", "xen-hypervisor-4.7-armhf": "4.9.2-0ubuntu1", "xen-system-arm64": "4.9.2-0ubuntu1" } ] }