XSA-34

CVE-2013-0151


Problem description

http://xenbits.xen.org/xsa/advisory-34.html

nested virtualization on 32-bit exposes host crash

When performing nested virtualisation Xen would incorrectly map guest pages for extended periods using an interface which is only intended for transient mappings. In some configurations there are a limited number of slots available for these transient mappings and exhausting them leads to a host crash and therefore a Denial of Service attack.

logic error (incorrect page mapping)


Patch description

http://xenbits.xen.org/xsa/xsa34-4.2.patch

x86_32: don’t allow use of nested HVM

There are (indirect) uses of map_domain_page() in the nested HVM code that are unsafe when not just using the 1:1 mapping.

--- a/xen/arch/x86/hvm/hvm.c
+++ b/xen/arch/x86/hvm/hvm.c
@@ -3926,6 +3926,10 @@ long do_hvm_op(unsigned long op, XEN_GUE
                     rc = -EINVAL;
                 break;
             case HVM_PARAM_NESTEDHVM:
+#ifdef __i386__
+                if ( a.value )
+                    rc = -EINVAL;
+#else
                 if ( a.value > 1 )
                     rc = -EINVAL;
                 if ( !is_hvm_domain(d) )
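Review bot: the new `#ifdef __i386__` branch carries no comment explaining why any non-zero `a.value` is rejected on 32-bit, and the `#else` it opens is only closed in the next hunk, so a reader of this region alone sees `if ( a.value ) rc = -EINVAL;` with no rationale. Suggest a one-line comment above the check pointing at the reason given in the commit message, e.g. `/* Nested HVM relies on map_domain_page() mappings that are unsafe without a 1:1 map. */`, so the restriction is not mistaken for an off-by-one against the `a.value > 1` check in the 64-bit path.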
@@ -3940,6 +3944,7 @@ long do_hvm_op(unsigned long op, XEN_GUE
                     for_each_vcpu(d, v)
                         if ( rc == 0 )
                             rc = nestedhvm_vcpu_initialise(v);
+#endif
                 break;
             case HVM_PARAM_BUFIOREQ_EVTCHN:
                 rc = -EINVAL;
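Review bot: the `#endif` here closes a conditional opened roughly fifteen lines earlier in the previous hunk, so on i386 the `if ( !is_hvm_domain(d) )` test and the `for_each_vcpu` / `nestedhvm_vcpu_initialise(v)` loop are compiled out entirely and `rc` for this case is determined only by the `if ( a.value )` check. That is the intended behaviour (setting the parameter to 0 still succeeds, anything else fails with `-EINVAL`), but the distance between the directives invites a future edit landing in the wrong branch; suggest annotating the close as `#endif /* __i386__ */` so the pairing is visible in this hunk.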

Consequence

A malicious guest administrator can, by enabling nested virtualisation from within the guest, trigger the issue.

Their ability to do this will depend on the number of VCPUs the domain is configured with. Domains with smaller numbers of VCPUs (e.g. less than 16) are not able to create sufficient mappings via this method to trigger the issue.

DoS