CVE-2012-3494
hypercall set_debugreg vulnerability
set_debugreg allows writes to reserved bits of the DR7 debug control register on x86-64.
privilege uncheck (invalid write)
http://xenbits.xen.org/hg/xen-4.1-testing.hg/rev/bcc340292731
xen: prevent a 64 bit guest setting reserved bits in DR7
The upper 32 bits of this register are reserved and should be written as zero.
--- a/xen/include/asm-x86/debugreg.h Tue Sep 04 14:56:48 2012 +0200
+++ b/xen/include/asm-x86/debugreg.h Wed Sep 05 12:27:54 2012 +0100
@@ -58,7 +58,7 @@
We can slow the instruction pipeline for instructions coming via the
gdt or the ldt if we want to. I am not sure why this is an advantage */
-#define DR_CONTROL_RESERVED_ZERO (0x0000d800ul) /* Reserved, read as zero */
+#define DR_CONTROL_RESERVED_ZERO (~0xffff27fful) /* Reserved, read as zero */
#define DR_CONTROL_RESERVED_ONE (0x00000400ul) /* Reserved, read as one */
#define DR_LOCAL_EXACT_ENABLE (0x00000100ul) /* Local exact enable */
#define DR_GLOBAL_EXACT_ENABLE (0x00000200ul) /* Global exact enable */A malicious guest can cause the host to crash, leading to a DoS.
DoS