CVE-2017-8905 - Incorrect Calculation

Severity

68%

Complexity

31%

Confidentiality

165%

Xen through 4.6.x on 64-bit platforms mishandles a failsafe callback, which might allow PV guest OS users to execute arbitrary code on the host OS, aka XSA-215.

Xen through 4.6.x on 64-bit platforms mishandles a failsafe callback, which might allow PV guest OS users to execute arbitrary code on the host OS, aka XSA-215.

CVSS 3.0 Base Score 8.8. CVSS Attack Vector: local. CVSS Attack Complexity: low. CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

CVSS 2.0 Base Score 6.8. CVSS Attack Vector: local. CVSS Attack Complexity: low. CVSS Vector: (AV:L/AC:L/Au:S/C:C/I:C/A:C).

Demo Examples

Incorrect Calculation

CWE-682

The following image processing code allocates a table for images.


               
...

This code intends to allocate a table of size num_imgs, however as num_imgs grows large, the calculation determining the size of the list will eventually overflow (CWE-190). This will result in a very small list to be allocated instead. If the subsequent code operates on the list as if it were num_imgs long, it may result in many types of out-of-bounds problems (CWE-119).

Incorrect Calculation

CWE-682

This code attempts to calculate a football team's average number of yards gained per touchdown.


               
...

The code does not consider the event that the team they are querying has not scored a touchdown, but has gained yardage. In that case, we should expect an ArithmeticException to be thrown by the JVM. This could lead to a loss of availability if our error handling code is not set up correctly.

Incorrect Calculation

CWE-682

This example attempts to calculate the position of the second byte of a pointer.


               
char * second_char = (char *)(p + 1);

In this example, second_char is intended to point to the second byte of p. But, adding 1 to p actually adds sizeof(int) to p, giving a result that is incorrect (3 bytes off on 32-bit platforms). If the resulting memory address is read, this could potentially be an information leak. If it is a write, it could be a security-critical write to unauthorized memory-- whether or not it is a buffer overflow. Note that the above code may also be wrong in other ways, particularly in a little endian environment.

Overview

Type

Xen

First reported 7 years ago

2017-05-11 19:29:00

Last updated 5 years ago

2019-10-03 00:03:00

Affected Software

Xen Xen 4.6.0

4.6.0

Xen Xen 4.6.1

4.6.1

Xen 4.6.2

4.6.2

Xen 4.6.3

4.6.3

Xen 4.6.4

4.6.4

Xen 4.6.5

4.6.5

References

98436

1038388

https://blog.xenproject.org/2017/05/02/updates-on-xsa-213-xsa-214-and-xsa-215/

Vendor Advisory

GLSA-201705-11

https://xenbits.xen.org/xsa/advisory-215.html

Mitigation, Patch, Vendor Advisory

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.