CVE-2012-4538
Unhooking empty PAE entries DoS vulnerability
The HVMOP_pagetable_dying hypercall does not correctly check the caller’s pagetable state, leading to a hypervisor crash.
lack of check (caller’s pagetable state)
http://xenbits.xen.org/hg/xen-4.2-testing.hg/rev/159080b58dda
xen/mm/shadow: check toplevel pagetables are present before unhooking them.
If the guest has not fully populated its top-level PAE entries when it calls HVMOP_pagetable_dying, the shadow code could try to unhook entries from MFN 0. Add a check to avoid that case.
--- a/xen/arch/x86/mm/shadow/multi.c Wed Nov 14 11:36:57 2012 +0000
+++ b/xen/arch/x86/mm/shadow/multi. Wed Nov 14 11:42:45 2012 +0000
@@ -4734,8 +4734,12 @@ static void sh_pagetable_dying(struct vc
unsigned long gfn;
mfn_t smfn, gmfn;
- if ( fast_path )
- smfn = _mfn(pagetable_get_pfn(v->arch.shadow_table[i]));
+ if ( fast_path ) {
+ if ( pagetable_is_null(v->arch.shadow_table[i]) )
+ smfn = _mfn(INVALID_MFN);
+ else
+ smfn = _mfn(pagetable_get_pfn(v->arch.shadow_table[i]));
+ }
else
{
/* retrieving the l2s */An HVM guest running on shadow pagetables (that is, not HAP) can cause the hypervisor to crash.
DoS