XSA-136

CVE-2015-4164


Problem description

http://xenbits.xen.org/xsa/advisory-136.html

vulnerability in the iret hypercall handler

A buggy loop in Xen’s compat_iret() function iterates the wrong way around a 32-bit index. Any 32-bit PV guest kernel can trigger this vulnerability by attempting a hypercall_iret with EFLAGS.VM set.

Given the use of __get/put_user(), and that the virtual addresses in question are contained within the lower canonical half, the guest cannot clobber any hypervisor data. Instead, Xen will take up to 2^33 page faults, in sequence, effectively hanging the host.

logic error (buggy loop)
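The description above turns on one detail: with an unsigned 32-bit index and the condition `i > 0`, a loop that increments instead of decrements can only stop once the index wraps around to zero, and every iteration in between issues two accesses that fault. The following is an added illustration, not Xen's code: it scales the index down to `uint8_t` so the wraparound happens after 256 steps instead of 2^32, replaces `__get_user()`/`__put_user()` with constructed accessors that report a fault for any slot outside a 10-word fake frame, and compares the pre-patch `++i` direction against the patched `--i` direction. The frame size, the accessor names and the `copy_result` struct are assumptions made for the example.

```c
/* Added illustration of the XSA-136 loop-direction bug; not Xen code.
 * The index is shrunk to 8 bits so the unsigned wraparound is observable. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define FRAME_WORDS 10      /* constructed: slots 0..9 of a fake guest stack frame */
#define FAKE_EFAULT (-14)   /* the value -EFAULT has on Linux/Xen */

/* Constructed source ("regs->rsp") and destination ("ksp") frames. Any index at
 * or beyond FRAME_WORDS stands in for an unmapped guest address: the accessor
 * counts a fault and returns -EFAULT, like a faulting __get_user()/__put_user(). */
static uint32_t g_src[FRAME_WORDS];
static uint32_t g_dst[FRAME_WORDS];

static int fake_get_user(uint32_t *x, size_t idx, unsigned long *faults)
{
    if (idx >= FRAME_WORDS) { (*faults)++; return FAKE_EFAULT; }
    *x = g_src[idx];
    return 0;
}

static int fake_put_user(uint32_t x, size_t idx, unsigned long *faults)
{
    if (idx >= FRAME_WORDS) { (*faults)++; return FAKE_EFAULT; }
    g_dst[idx] = x;
    return 0;
}

struct copy_result {
    int rc;                   /* accumulated rc, as compat_iret() would return it */
    unsigned long iterations; /* loop bodies executed before the loop terminated */
    unsigned long faults;     /* accesses outside the frame */
    int copied_ok;            /* 1 if slots 1..9 reached the destination intact */
};

/* step = +1 reproduces the pre-patch "++i"; step = -1 the patched "--i". */
static struct copy_result copy_frame(int step)
{
    struct copy_result r = {0, 0, 0, 0};
    uint32_t x = 0;
    uint8_t i; /* Xen's index is 32-bit unsigned; 8 bits wrap after 256 instead of 2^32 */

    for (i = 0; i < FRAME_WORDS; i++) { g_src[i] = 0x1000u + i; g_dst[i] = 0; }

    /* Same shape as the Xen loop: start at 9, continue while i > 0. With step = +1
     * the condition only becomes false when i wraps from 255 back to 0. */
    for ( i = 9; i > 0; i = (uint8_t)(i + step) )
    {
        r.iterations++;
        r.rc |= fake_get_user(&x, i, &r.faults);
        r.rc |= fake_put_user(x, i, &r.faults);
    }

    r.copied_ok = 1;
    for (i = 1; i < FRAME_WORDS; i++)
        if (g_dst[i] != g_src[i]) r.copied_ok = 0;
    return r;
}

int main(void)
{
    struct copy_result buggy = copy_frame(+1);
    struct copy_result fixed = copy_frame(-1);
    printf("++i: iterations=%lu faults=%lu rc=%d copied=%d\n",
           buggy.iterations, buggy.faults, buggy.rc, buggy.copied_ok);
    printf("--i: iterations=%lu faults=%lu rc=%d copied=%d\n",
           fixed.iterations, fixed.faults, fixed.rc, fixed.copied_ok);
    return 0;
}
```

With the 8-bit index the buggy direction runs 247 iterations (i = 9 through 255) and faults on 246 of them, twice each; with Xen's 32-bit index the same arithmetic gives roughly 2^32 iterations and the 2^33 sequential page faults the advisory describes. The patched direction copies slots 9 down to 1 in nine iterations with no faults.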


Patch description

http://xenbits.xen.org/xsa/xsa136.patch

--- a/xen/arch/x86/x86_64/compat/traps.c
+++ b/xen/arch/x86/x86_64/compat/traps.c
@@ -119,7 +119,7 @@ unsigned int compat_iret(void)
         }
         else if ( ksp > regs->_esp )
         {
-            for (i = 9; i > 0; ++i)
+            for ( i = 9; i > 0; --i )
             {
                 rc |= __get_user(x, (u32 *)regs->rsp + i);
                 rc |= __put_user(x, (u32 *)(unsigned long)ksp + i);
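Review bot: the change from `++i` to `--i` is the correct fix; with `i` a 32-bit unsigned index and the condition `i > 0`, the old loop could only stop after the index wrapped to zero, and each of those iterations issued a `__get_user()` and a `__put_user()` against guest addresses beyond the frame. The added spaces inside the parentheses bring the line in line with the surrounding style (`else if ( ksp > regs->_esp )`), so the hunk is both a bug fix and a style cleanup; a commit message that calls out both would make that explicit. Note that `rc` is still only OR-ed with the accessor results, so any fault on a legitimate frame word is reported exactly as before.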

Consequence

Malicious guest administrators can cause a denial of service affecting the whole system.

DoS