CVE-2014-5147
http://xenbits.xen.org/xsa/advisory-102.html
Flaws in handling traps from 32-bit userspace on 64-bit ARM
When handling a trap from guest mode on ARM, Xen asserts that the current guest mode must match the domain address width. This assertion is false when a guest takes a trap from a 32-bit userspace running on a 64-bit kernel in a 64-bit domain.
在Xen里面有一个false assertion:
guest mode must match the domain address width
但是如果一个32-bit的userspace process在64-bit的kernel发生了一个trap,这个assertion就不对了,造成DoS。
false assertion
http://xenbits.xen.org/xsa/xsa102-4.4-03.patch
We are not setup to handle these properly. This turns a host crash into a trap to the guest kernel which will likely result in killing the offending process.
--- a/xen/arch/arm/traps.c
+++ b/xen/arch/arm/traps.c
@@ -1812,6 +1812,17 @@ asmlinkage void do_trap_hypervisor(struct cpu_user_regs *regs)
{
union hsr hsr = { .bits = READ_SYSREG32(ESR_EL2) };
+ /*
+ * We currently do not handle 32-bit userspace on 64-bit kernels
+ * correctly (See XSA-102). Until that is resolved we treat any
+ * trap from 32-bit userspace on 64-bit kernel as undefined.
+ */
+ if ( is_pv64_domain(current->domain) && psr_mode_is_32bit(regs->cpsr) )
+ {
+ inject_undef_exception(regs, hsr.len);
+ return;
+ }
+插入一个exception。
Any user in a guest which is running a 64-bit kernel who is able to spawn a 32-bit process can crash the host. I.e. an unprivileged guest user can cause host-wide denial of service.
DoS