CVE-2014-8867
http://xenbits.xen.org/xsa/advisory-112.html
Insufficient bounding of REP MOVS
to MMIO emulated inside the hypervisor
Acceleration support for the REP MOVS instruction, when the first iteration accesses memory mapped I/O emulated internally in the hypervisor, incorrectly assumes that the whole range accessed is handled by the same hypervisor sub-component.
The cross-region problem with REP MOVS: while the HVM x86 emulator is emulating a REP MOVS instruction it may end up calling
hvm_mmio_intercept()
but that function only runs check_handler() on the first address of the request, not on the other addresses the repeated move touches. A REP MOVS that starts inside a region emulated by one hypervisor sub-component and runs past its end is therefore handed to that sub-component for every iteration, including addresses it does not own.
The NULL pointer dereference in the MSI-X table emulation: in the function
msixtbl_read
after executing
entry = msixtbl_find_entry(v, address);
there is no check that entry is non-NULL before it is used. Because the intercept only validated the first address, a later iteration can carry an address with no matching entry, so the lookup returns NULL and is then dereferenced.
lack of check (NULL pointer)
http://xenbits.xen.org/xsa/xsa112.patch
x86/HVM: confine internally handled MMIO to solitary regions
The fix checks that the last address of a repeated access is still handled by the same sub-component as the first (otherwise the request is confined to a single iteration), and adds the missing check that the looked-up entry is non-NULL.
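The following is an added, simplified model of the bug and the fix described above; it is not Xen's code. The MMIO layout (a 64-byte emulated MSI-X table followed by memory owned by someone else), the ioreq_t shape, and all function names (msix_check, msix_find_entry, dispatch_vulnerable, dispatch_fixed) are constructed for illustration. It shows that checking only the first address lets a REP MOVSD walk off the end of the table into addresses for which the entry lookup returns NULL, and that checking the last address too and clamping the request to one iteration keeps every dispatched address inside the region.

```c
/* Added example modelling CVE-2014-8867 / XSA-112. Not Xen's code: the
 * layout, the entry table and every function name here are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed layout: a 64-byte MSI-X table (4 entries of 16 bytes) that the
 * hypervisor emulates internally. Whatever follows TABLE_END belongs to some
 * other sub-component, or to nothing at all. */
#define TABLE_BASE    0xFEE00000UL
#define TABLE_ENTRIES 4
#define ENTRY_SIZE    16UL
#define TABLE_END     (TABLE_BASE + TABLE_ENTRIES * ENTRY_SIZE)

typedef struct { uint32_t dword[ENTRY_SIZE / 4]; } msix_entry_t;
static msix_entry_t table[TABLE_ENTRIES];

/* Plays the role of the handler's check_handler(): does this sub-component
 * own the address? */
static bool msix_check(unsigned long addr)
{
    return addr >= TABLE_BASE && addr < TABLE_END;
}

/* Plays the role of msixtbl_find_entry(): NULL when no entry covers addr. */
static msix_entry_t *msix_find_entry(unsigned long addr)
{
    if (!msix_check(addr))
        return NULL;
    return &table[(addr - TABLE_BASE) / ENTRY_SIZE];
}

/* The request as the x86 emulator hands it to the MMIO intercept:
 * count accesses of size bytes starting at addr, descending if df is set. */
typedef struct {
    unsigned long addr, size, count;
    bool df;
} ioreq_t;

static unsigned long iter_addr(const ioreq_t *p, unsigned long i)
{
    return p->df ? p->addr - i * p->size : p->addr + i * p->size;
}

/* Vulnerable dispatch: only the first iteration's address is checked against
 * the handler, then every iteration is handed to it. Returns the number of
 * iterations on success, -1 if the handler does not own the first address,
 * or -2 at the first iteration whose address has no entry, which is where an
 * unpatched read would dereference NULL (that address is stored in *null_at
 * when null_at is non-NULL). */
static long dispatch_vulnerable(const ioreq_t *p, unsigned long *null_at)
{
    if (!msix_check(p->addr))
        return -1;
    for (unsigned long i = 0; i < p->count; i++) {
        unsigned long a = iter_addr(p, i);
        if (!msix_find_entry(a)) {
            if (null_at)
                *null_at = a;
            return -2;
        }
    }
    return (long)p->count;
}

/* Fixed dispatch: if the last iteration's address is not owned by the same
 * handler, clamp the request to a single iteration. The emulator retries the
 * remaining iterations and each retry is dispatched afresh, so the handler
 * never sees an address outside its region. This relies on each handler
 * owning one contiguous region, so first-and-last is enough. The NULL check
 * in the loop is the second line of defence the patch also added. */
static long dispatch_fixed(ioreq_t *p)
{
    if (!msix_check(p->addr))
        return -1;
    if (p->count > 1 && !msix_check(iter_addr(p, p->count - 1)))
        p->count = 1;
    for (unsigned long i = 0; i < p->count; i++)
        if (!msix_find_entry(iter_addr(p, i)))
            return -2;   /* unreachable once clamped; kept as the NULL check */
    return (long)p->count;
}

int main(void)
{
    /* Constructed guest request: REP MOVSD of 32 dwords starting at the
     * table base, i.e. 128 bytes read from a 64-byte table. */
    ioreq_t req = { TABLE_BASE, 4, 32, false };
    unsigned long at = 0;
    long r = dispatch_vulnerable(&req, &at);
    printf("vulnerable: result %ld, NULL entry first hit at %#lx\n", r, at);
    printf("fixed: %ld iteration(s) dispatched to the handler\n",
           dispatch_fixed(&req));
    return 0;
}
```

The vulnerable path reports the NULL lookup exactly at TABLE_END, the first address past the table; the fixed path dispatches only the first iteration and leaves the rest to be re-dispatched by the emulator. Note that the clamp checks the start address of the last iteration, not its end, and that the first-and-last check is only sound because each internally handled region is a single contiguous range, which is what "solitary regions" in the patch title refers to.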
A buggy or malicious HVM guest can crash the host.
DoS