CVE-2012-3516
grant table entry swaps have inadequate bounds checking
The grant table hypercall’s GNTTABOP_swap_grant_ref sub-operation does not perform adequate checks on the input grant references.
lack of check (bound check)
http://xenbits.xen.org/hg/xen-unstable.hg/rev/93e5a791d076
xen/gnttab: Validate input to GNTTABOP_swap_grant_ref
this introduces a new GNTTABOP to swap grant refs. However, it fails to validate the two refs passed from the guest.
The result is that passing out-of-range refs can cause Xen to read past the end of the grant_table->active[] array, and deference whatever it finds. Typically, this results in Xen trying to deference a low pointer and fail with a page-fault.
--- a/xen/common/grant_table.c Wed Sep 05 12:29:52 2012 +0100
+++ b/xen/common/grant_table.c Wed Sep 05 12:30:26 2012 +0100
@@ -2339,6 +2339,12 @@ __gnttab_swap_grant_ref(grant_ref_t ref_
spin_lock(>->lock);
+ /* Bounds check on the grant refs */
+ if ( unlikely(ref_a >= nr_grant_entries(d->grant_table)))
+ PIN_FAIL(out, GNTST_bad_gntref, "Bad ref-a (%d).\n", ref_a);
+ if ( unlikely(ref_b >= nr_grant_entries(d->grant_table)))
+ PIN_FAIL(out, GNTST_bad_gntref, "Bad ref-b (%d).\n", ref_b);
+
act = &active_entry(gt, ref_a);
if ( act->pin )
PIN_FAIL(out, GNTST_eagain, "ref a %ld busy\n", (long)ref_a);A malicious guest kernel or administrator can crash the host.
It may be possible for an attacker to swap a valid grant reference, which they control, with an invalid one allowing them to write abitrary values to hypervisor memory. This could potentially lead to a privilege escalation.
DoS, privilege escalation