XSA-141

CVE-2015-6654


Problem description

http://xenbits.xen.org/xsa/advisory-141.html

printk is not rate-limited in xenmem_add_to_physmap_one

XENMAPSPACE_gmfn_foreign dumps the p2m, on ARM, when it fails to get a reference on the foreign page. However, dump_p2m_lookup does not use rate-limited printk.

A malicious infrastructure domain, which is allowed to map memory of a foreign guest, would be able to flood the Xen console.

logic error
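Why rate limiting bounds the console output of an error path that a domain can trigger repeatedly, as an added example that is not Xen's code and not part of the advisory: a token-bucket limiter is run against a simulated flood of failing requests. The names `ratelimit_allow` and `flood_messages` are hypothetical, and the interval, burst and call rate are constructed values.

```c
#include <stdint.h>
#include <stdio.h>

/* Illustrative token-bucket limiter; not Xen's implementation.
 * Parameters below are constructed for the example. */
#define INTERVAL_MS 5000u   /* credit needed for one message */
#define BURST       10u     /* messages that may be saved up */

struct ratelimit {
    uint64_t credit_ms;     /* accumulated credit, capped at INTERVAL_MS * BURST */
    uint64_t last_ms;       /* timestamp of the previous call */
};

/* Return 1 if a message may be emitted at time now_ms, 0 if it is dropped. */
static int ratelimit_allow(struct ratelimit *rl, uint64_t now_ms)
{
    const uint64_t cap = (uint64_t)INTERVAL_MS * BURST;

    rl->credit_ms += now_ms - rl->last_ms;   /* earn credit for elapsed time */
    rl->last_ms = now_ms;
    if (rl->credit_ms > cap)
        rl->credit_ms = cap;
    if (rl->credit_ms < INTERVAL_MS)
        return 0;
    rl->credit_ms -= INTERVAL_MS;
    return 1;
}

/* Simulate `calls` failing requests arriving at `calls_per_ms` and count how
 * many diagnostics reach the console with and without the limiter. */
static uint64_t flood_messages(uint64_t calls, uint64_t calls_per_ms, int limited)
{
    struct ratelimit rl = { (uint64_t)INTERVAL_MS * BURST, 0 };  /* start full */
    uint64_t emitted = 0;

    for (uint64_t i = 0; i < calls; i++)
        if (!limited || ratelimit_allow(&rl, i / calls_per_ms))
            emitted++;
    return emitted;
}

int main(void)
{
    printf("unlimited: %llu messages\n",
           (unsigned long long)flood_messages(100000, 10, 0));
    printf("limited:   %llu messages\n",
           (unsigned long long)flood_messages(100000, 10, 1));
    return 0;
}
```

Each unlimited message here stands for a full p2m dump, so the real console volume per failing call is larger than one line.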


Patch description

http://xenbits.xen.org/xsa/xsa141.patch

xen/arm: mm: Do not dump the p2m when mapping a foreign gfn

The information wasn’t not useful so drop it.

diff --git a/xen/arch/arm/mm.c b/xen/arch/arm/mm.c
index ae0f34c..d00d526 100644
--- a/xen/arch/arm/mm.c
+++ b/xen/arch/arm/mm.c
@@ -1114,7 +1114,6 @@ int xenmem_add_to_physmap_one(
         page = get_page_from_gfn(od, idx, &p2mt, P2M_ALLOC);
         if ( !page )
         {
-            dump_p2m_lookup(od, pfn_to_paddr(idx));
             rcu_unlock_domain(od);
             return -EINVAL;
         }
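Review bot: the commit message as shown gives "wasn't not useful" as the only rationale for removing the dump_p2m_lookup call in the `!page` failure path, and never states the security reason, which is that this call prints through non-rate-limited printk on a path a domain allowed to map foreign memory can trigger repeatedly. Please say so in the message and fix the double negative. Removing the call fixes only this site: dump_p2m_lookup itself is untouched by this hunk, so any other caller reachable from a guest-controlled path would have the same problem and is worth checking. If a diagnostic is still wanted when get_page_from_gfn fails, a single rate-limited message would be preferable to returning -EINVAL with no trace at all.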

Consequence

Domains deliberately given partial management control may be able to deny service to other parts of the system.

DoS