CVE-2012-5513
http://xenbits.xen.org/xsa/advisory-29.html
XENMEM_exchange may overwrite hypervisor memory
The handler for XENMEM_exchange accesses guest memory without range-checking the guest-provided addresses, thus allowing these accesses to include the hypervisor-reserved range.
lack of check (range check)
http://xenbits.xen.org/xsa/xsa29-4.1.patch
xen: add missing guest address range checks to XENMEM_exchange handlers
--- a/xen/common/compat/memory.c
+++ b/xen/common/compat/memory.c
@@ -114,6 +114,12 @@ int compat_memory_op(unsigned int cmd, XEN_GUEST_HANDLE(void) compat)
(cmp.xchg.out.nr_extents << cmp.xchg.out.extent_order)) )
return -EINVAL;
+ if ( !compat_handle_okay(cmp.xchg.in.extent_start,
+ cmp.xchg.in.nr_extents) ||
+ !compat_handle_okay(cmp.xchg.out.extent_start,
+ cmp.xchg.out.nr_extents) )
+ return -EFAULT;
+
start_extent = cmp.xchg.nr_exchanged;
end_extent = (COMPAT_ARG_XLAT_SIZE - sizeof(*nat.xchg)) /
(((1U << ABS(order_delta)) + 1) *
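Review bot: The new compat_handle_okay() calls take cmp.xchg.in.nr_extents and cmp.xchg.out.nr_extents straight from the guest, so this range check is only as strong as the helper's handling of the nr_extents * element-size product; if compat_handle_okay() does not guard that multiplication against wrap-around, a very large count could pass the check while the array still reaches outside guest-accessible space. The same question applies to the guest_handle_okay() calls in the xen/common/memory.c hunk. The helper's definition is not part of this patch, so it is worth confirming there, and the check itself deserves a comment such as `/* Reject extent arrays that reach outside guest-accessible space before they are dereferenced below. */`. compat_memory_op's body continues on both sides of the hunk.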
diff --git a/xen/common/memory.c b/xen/common/memory.c
index 4e7c234..59379d3 100644
--- a/xen/common/memory.c
+++ b/xen/common/memory.c
@@ -289,6 +289,13 @@ static long memory_exchange(XEN_GUEST_HANDLE(xen_memory_exchange_t) arg)
goto fail_early;
}
+ if ( !guest_handle_okay(exch.in.extent_start, exch.in.nr_extents) ||
+ !guest_handle_okay(exch.out.extent_start, exch.out.nr_extents) )
+ {
+ rc = -EFAULT;
+ goto fail_early;
+ }
+
/* Only privileged guests can allocate multi-page contiguous extents. */
if ( !multipage_allocation_permitted(current->domain,
exch.in.extent_order) ||
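Review bot: The new guest_handle_okay() block carries no comment saying what it protects, even though every later access to exch.in.extent_start and exch.out.extent_start depends on it, so a future refactor could move it below those accesses without noticing. Suggest `/* Reject extent arrays outside guest-accessible address space; the exchange loop below dereferences them for up to nr_extents entries. */` above the if. Note that the check covers the whole array rather than only the entries from nr_exchanged onward, which is the safer superset. memory_exchange's body, including the fail_early label this branch jumps to, lies outside the hunk.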
A malicious guest administrator can cause Xen to crash. If the out-of-bounds address-space access does not lead to a crash, a carefully crafted privilege escalation cannot be excluded, even though the guest doesn't itself control the values written.
DoS