XSA-31

CVE-2012-5515


Issue description

http://xenbits.xen.org/xsa/advisory-31.html

Several memory hypercall operations allow invalid extent order values

Allowing arbitrary extent_order input values for XENMEM_decrease_reservation, XENMEM_populate_physmap, and XENMEM_exchange can cause an arbitrarily long time to be spent in loops without giving other vital code a chance to execute. This may also leave inconsistent state at the completion of these hypercalls.

Root cause: lack of a range check on the guest-supplied extent order.


Patch description

http://xenbits.xen.org/xsa/xsa31-4.1.patch

memop: limit guest specified extent order

Allowing unbounded order values here causes almost unbounded loops and/or partially incomplete requests, particularly in PoD code.

The added range checks in populate_physmap(), decrease_reservation(), and the one in memory_exchange() architecturally all could use PADDR_BITS - PAGE_SHIFT, and are being artificially constrained to MAX_ORDER.
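To make the two points above concrete, the following is an added example (not Xen code and not part of the advisory or patch) that models the guest-controlled fields these hypercalls take and mirrors the checks the patch introduces. MAX_ORDER is a constructed stand-in, since the real architecture-specific value is not given on this page; the function names are hypothetical.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for Xen's MAX_ORDER (architecture specific,
 * not stated on this page). Any order above it is rejected. */
#define MAX_ORDER 20
#define BITS_PER_LONG (sizeof(unsigned long) * CHAR_BIT)

/* Work the unpatched hypercall would do: every extent is 1 << extent_order
 * pages, and both values come straight from the guest. Returns 0 when the
 * total would not fit in an unsigned long (or the shift itself is invalid). */
unsigned long pages_requested(unsigned long nr_extents, unsigned int extent_order)
{
    if (extent_order >= BITS_PER_LONG)         /* shift count would be UB */
        return 0;
    if ((~0UL >> extent_order) < nr_extents)   /* the pre-existing overflow test */
        return 0;
    return nr_extents << extent_order;         /* can still be enormous */
}

/* Post-fix validation in the same order the patch uses in memory_exchange():
 * the MAX_ORDER bound is tested first, so the shift-based overflow test is
 * only ever reached with a small, well-defined shift count. */
bool memop_request_ok(unsigned long nr_extents, unsigned int extent_order)
{
    if (extent_order > MAX_ORDER)              /* XSA-31 range check */
        return false;
    if ((~0UL >> extent_order) < nr_extents)   /* list size overflows a long? */
        return false;
    return true;
}

int main(void)
{
    /* Constructed inputs: a benign request and one with an oversized order. */
    printf("order 0, 1 extent: ok=%d pages=%lu\n",
           memop_request_ok(1, 0), pages_requested(1, 0));
    printf("order 30, 1 extent: ok=%d pages=%lu\n",
           memop_request_ok(1, 30), pages_requested(1, 30));
    return 0;
}
```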

--- a/xen/common/memory.c
+++ b/xen/common/memory.c
@@ -117,7 +117,8 @@ static void populate_physmap(struct memop_args *a)
 
         if ( a->memflags & MEMF_populate_on_demand )
         {
-            if ( guest_physmap_mark_populate_on_demand(d, gpfn,
+            if ( a->extent_order > MAX_ORDER ||
+                 guest_physmap_mark_populate_on_demand(d, gpfn,
                                                        a->extent_order) < 0 )
                 goto out;
         }
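Review bot: the new `a->extent_order > MAX_ORDER` test sits inside the per-extent loop and only on the MEMF_populate_on_demand branch, so it is re-evaluated for every extent even though extent_order is fixed for the whole call, and nothing visible in this hunk bounds the order on the non-PoD allocation path. Consider hoisting the bound above the loop (as decrease_reservation() does) so both paths are rejected once, up front; if the non-PoD path relies on the page allocator refusing large orders, a comment saying so would help.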
@@ -216,7 +217,8 @@ static void decrease_reservation(struct memop_args *a)
     xen_pfn_t gmfn;
 
     if ( !guest_handle_subrange_okay(a->extent_list, a->nr_done,
-                                     a->nr_extents-1) )
+                                     a->nr_extents-1) ||
+         a->extent_order > MAX_ORDER )
         return;
 
     for ( i = a->nr_done; i < a->nr_extents; i++ )
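Review bot: folding `a->extent_order > MAX_ORDER` into the existing early return means an oversized order is handled exactly like an invalid extent list: silent return, no extents processed, a->nr_done unchanged. That is consistent, and because the check precedes the `for` loop it runs once per call; a short comment on the new condition, in the style of the `/* Extent orders are sensible? */` comment used in memory_exchange(), would make the intent clear to the next reader.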
@@ -278,6 +280,9 @@ static long memory_exchange(XEN_GUEST_HANDLE(xen_memory_exchange_t) arg)
     if ( (exch.nr_exchanged > exch.in.nr_extents) ||
          /* Input and output domain identifiers match? */
          (exch.in.domid != exch.out.domid) ||
+         /* Extent orders are sensible? */
+         (exch.in.extent_order > MAX_ORDER) ||
+         (exch.out.extent_order > MAX_ORDER) ||
          /* Sizes of input and output lists do not overflow a long? */
          ((~0UL >> exch.in.extent_order) < exch.in.nr_extents) ||
          ((~0UL >> exch.out.extent_order) < exch.out.nr_extents) ||
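Review bot: the position of the two new MAX_ORDER conditions matters: they precede the `(~0UL >> exch.in.extent_order)` and `(~0UL >> exch.out.extent_order)` tests in the same `||` chain, and short-circuit evaluation is what keeps a guest-supplied order of BITS_PER_LONG or more from reaching those shifts, where a shift count at or above the width of unsigned long is undefined behaviour in C. A comment to that effect would stop a later reordering from reintroducing the problem; the existing overflow tests are still needed, since MAX_ORDER alone does not bound nr_extents.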

Consequence

A malicious guest administrator can cause Xen to hang.

DoS