XSA-14

CVE-2012-3496


Problem description


XENMEM_populate_physmap DoS vulnerability

XENMEM_populate_physmap can be called with invalid flags. By calling it with the MEMF_populate_on_demand flag set, a guest can trigger a BUG() in the hypervisor if the guest is not using a translating paging mode.

Root cause: an incorrect BUG_ON() on a guest-controllable condition


Patch description

http://xenbits.xen.org/hg/xen-4.1-testing.hg/rev/8ebda5388e4e

xen: Don’t BUG_ON() PoD operations on a non-translated guest.

--- a/xen/arch/x86/mm/p2m.c Wed Sep 05 12:28:17 2012 +0100
+++ b/xen/arch/x86/mm/p2m.c Wed Sep 05 12:29:05 2012 +0100
@@ -2414,7 +2414,8 @@ guest_physmap_mark_populate_on_demand(st
     int pod_count = 0;
     int rc = 0;
 
-    BUG_ON(!paging_mode_translate(d));
+    if ( !paging_mode_translate(d) )
+        return -EINVAL;
 
     rc = gfn_check_limit(d, gfn, order);
     if ( rc != 0 )
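Review bot: Replacing `BUG_ON(!paging_mode_translate(d));` with `return -EINVAL;` is the right fix for a condition the guest can reach, but the early return deserves a one-line comment stating that the populate-on-demand flag arrives via XENMEM_populate_physmap with guest-controlled flags, so a future reader does not reinstate the assertion as an "impossible" case; also confirm that nothing (locks, reference counts) is held at this point in guest_physmap_mark_populate_on_demand, since the hunk returns directly instead of setting `rc` and falling through to the function's existing exit path.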

Consequence

A malicious guest kernel can crash the host.

DoS