XSA-32

CVE-2012-5525


Problem description

http://xenbits.xen.org/xsa/advisory-32.html

several hypercalls do not validate input GFNs

The function get_page_from_gfn does not validate its input GFN. An invalid GFN passed to a hypercall which uses this function will cause the hypervisor to read off the end of the frame table and potentially crash.

Root cause: missing check on the input GFN


Patch description

http://xenbits.xen.org/xsa/xsa32-4.2.patch

x86: get_page_from_gfn() must return NULL for invalid GFNs

--- a/xen/include/asm-x86/p2m.h
+++ b/xen/include/asm-x86/p2m.h
@@ -400,7 +400,7 @@ static inline struct page_info *get_page_from_gfn(
     if (t)
         *t = p2m_ram_rw;
     page = __mfn_to_page(gfn);
-    return get_page(page, d) ? page : NULL;
+    return mfn_valid(gfn) && get_page(page, d) ? page : NULL;
 }
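
Review bot: In the new return line, `mfn_valid(gfn) && get_page(page, d) ? page : NULL` relies on `&&` binding tighter than `?:`; parenthesising the condition would make the intent explicit. Also, `page = __mfn_to_page(gfn)` and `*t = p2m_ram_rw` in the context lines above still run before the validity check, so for an invalid GFN a pointer past the frame table is still computed (it is not dereferenced only because `&&` short-circuits before `get_page`) and the caller is told the type is `p2m_ram_rw` while receiving NULL. Testing `mfn_valid(gfn)` first and returning NULL early would avoid both, and it is worth confirming that no caller consults `*t` when the return value is NULL.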

Consequence

A malicious guest administrator of a PV guest can cause Xen to crash.

DoS