CVE-2014-5148
http://xenbits.xen.org/xsa/advisory-103.html
Flaw in handling unknown system register access from 64-bit userspace on ARM
When handling an unknown system register access from 64-bit userspace Xen would incorrectly return to the second instruction of the trap handler for faults in kernel space rather than the first instruction of the trap handler for faults in 64-bit userspace.
Any user in a guest which is running a 64-bit kernel who is able to spawn a 64-bit process can cause a trap to the kernel to be taken at an unexpected (but not user controlled) exception address.
Known versions of Linux in the default configuration will Oops and kill the offending process, and therefore avoid this vulnerability. However local configuration may turn such an Oops into a kernel panic, and therefore a guest denial of service.
当64-bit用户进程访问一个unknown system register的时候,xen会错误地返回trap handler的第二条指令(而非第一条指令)。这可能会造成kernel运行一个错误的指令,造成guest DoS
logic error (missing return)
http://xenbits.xen.org/xsa/xsa103-4.4.patch
The do_sysreg case was missing a return, so it would increment PC and inject the trap to the second instruction of the handler.
--- a/xen/arch/arm/traps.c
+++ b/xen/arch/arm/traps.c
@@ -1683,6 +1683,7 @@ static void do_sysreg(struct cpu_user_regs *regs,
hsr.bits & HSR_SYSREG_REGS_MASK);
#endif
inject_undef_exception(regs, sysreg.len);
+ return;
}
}原来没有return,所以会使得PC增加,造成错误,patch仅仅是加了一个return语句罢了。。。
Depending on the guest kernel implementation, kernel crash (guest DoS) or privilege elevation to that of the guest kernel cannot be ruled out.
guest DoS, privilege escalation