CVE-2014-8594
http://xenbits.xen.org/xsa/advisory-109.html
Insufficient restrictions on certain MMU update hypercalls
MMU update operations targeting page tables are intended to be used on PV guests only. The lack of a respective check made it possible for such operations to access certain function pointers which remain NULL when the target guest is using Hardware Assisted Paging (HAP).
lack of check (NULL pointer)
http://xenbits.xen.org/xsa/xsa109.patch
x86: don’t allow page table updates on non-PV page tables in do_mmu_update()
paging_write_guest_entry() and paging_cmpxchg_guest_entry() aren’t consistently supported for non-PV guests (they’d deref NULL for PVH or non-HAP HVM ones). Don’t allow respective MMU_* operations on the page tables of such domains.
--- a/xen/arch/x86/mm.c
+++ b/xen/arch/x86/mm.c
@@ -3493,6 +3493,10 @@ long do_mmu_update(
{
p2m_type_t p2mt;
+ rc = -EOPNOTSUPP;
+ if ( unlikely(paging_mode_refcounts(pt_owner)) )
+ break;
+
xsm_needed |= XSM_MMU_NORMAL_UPDATE;
if ( get_pte_flags(req.val) & _PAGE_PRESENT )
{Add some checks.
Malicious or buggy stub domain kernels or tool stacks otherwise living outside of Domain0 can mount a denial of service or privilege escalation attack which, if successful, can affect the whole system.
DoS