Xen Project XSA-95
May 14, 2014 - 10:44 a.m.

input handling vulnerabilities loading guest kernel on ARM

Source: Xen Project, xenbits.xen.org

CVSS2: 3.3 (AV:L/AC:M/Au:N/C:P/I:N/A:P)
Attack Vector: LOCAL
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: PARTIAL

EPSS: 0
Percentile: 5.1%

ISSUE DESCRIPTION

When loading a 32-bit ARM guest kernel, the Xen tools did not correctly validate the length of the kernel against the actual image size. This could lead to an overrun of the input buffer when loading the kernel into guest RAM (CVE-2014-3714).
Furthermore, when checking a 32-bit guest kernel for an appended DTB, the Xen tools were prone to additional overruns, also leading to an overrun of the input buffer when loading the kernel into guest RAM (CVE-2014-3715). Also, the tools would access a field in the putative DTB header without checking its alignment (CVE-2014-3716).
When loading a 64-bit ARM guest kernel, the tools similarly did not fully validate the requested load addresses, possibly leading to an overrun of the input buffer when loading the kernel into guest RAM (CVE-2014-3717).
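As an added illustration of the checks the description calls for (this is not Xen's own libxc/libxl code), the C routine below validates a kernel's claimed length against the bytes actually read, checks the requested load range against guest RAM without integer wrap, and reads the appended-DTB magic only at an aligned, in-bounds offset. The `guest_image` structure, the function names and the 16-byte sample image are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical image descriptor; not Xen's libxc/libxl structures. */
struct guest_image {
    const uint8_t *data;   /* bytes read from the kernel file */
    size_t size;           /* number of bytes actually read   */
};
#define DTB_MAGIC 0xd00dfeedU   /* flattened device tree header magic */

/* True only if [off, off+len) lies inside the bytes we hold. Comparing
 * against the remaining size avoids the wrap-around of off+len. */
static bool window_in_image(const struct guest_image *img, size_t off, size_t len)
{
    return off <= img->size && len <= img->size - off;
}

/* Reject a kernel whose claimed length exceeds the image (read overrun) or
 * whose destination range does not fit in guest RAM (write overrun). */
bool validate_kernel_load(const struct guest_image *img, size_t kernel_len,
                          uint64_t load_addr, uint64_t ram_base, uint64_t ram_size)
{
    if (!window_in_image(img, 0, kernel_len))
        return false;
    if (load_addr < ram_base || load_addr - ram_base > ram_size)
        return false;
    return (uint64_t)kernel_len <= ram_size - (load_addr - ram_base);
}

/* Look for an appended DTB at 'off': refuse misaligned offsets and make sure
 * the 4-byte magic is inside the buffer before reading it (big-endian). */
bool appended_dtb_present(const struct guest_image *img, size_t off)
{
    if (off % 4 != 0 || !window_in_image(img, off, 4))
        return false;
    const uint8_t *p = img->data + off;
    uint32_t magic = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                     ((uint32_t)p[2] << 8) | p[3];
    return magic == DTB_MAGIC;
}

/* Constructed 16-byte sample: 8 bytes of "kernel" then a DTB magic at 8. */
static const uint8_t sample_bytes[16] = { 0, 0, 0, 0, 0, 0, 0, 0,
                                          0xd0, 0x0d, 0xfe, 0xed, 0, 0, 0, 0 };
struct guest_image sample_image(void)
{
    struct guest_image img = { sample_bytes, sizeof sample_bytes };
    return img;
}
```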

IMPACT

An attacker who can control the kernel used to boot a guest can exploit these issues.
Exploiting the overflow issues allows information which follows the guest kernel in the toolstack address space to be copied into the guest’s memory, constituting an information leak.
Alternatively either the overflow or alignment issues could be used to crash the toolstack process, leading to a denial of service.

VULNERABLE SYSTEMS

ARM systems are vulnerable from Xen 4.4 onwards.
