CVE-2013-0152
http://xenbits.xen.org/xsa/advisory-35.html
Nested HVM exposes host to being driven out of memory by guest
Guests are currently permitted to enable nested virtualization on themselves. Missing error handling cleanup in the handling code makes it possible for a guest, particularly a multi-vCPU one, to repeatedly invoke this operation, thus causing a leak of - over time - unbounded amounts of memory.
improper error handling (not cleanup)
http://xenbits.xen.org/xsa/xsa35.patch
xen: Do not allow guests to enable nested HVM on themselves
There is no reason for this and doing so exposes a memory leak to guests. Only toolstacks need write access to this HVM param.
--- a/xen/arch/x86/hvm/hvm.c
+++ b/xen/arch/x86/hvm/hvm.c
@@ -3871,6 +3871,11 @@ long do_hvm_op(unsigned long op, XEN_GUEST_HANDLE_PARAM(void) arg)
rc = -EINVAL;
break;
case HVM_PARAM_NESTEDHVM:
+ if ( !IS_PRIV(current->domain) )
+ {
+ rc = -EPERM;
+ break;
+ }
if ( a.value > 1 )
rc = -EINVAL;
if ( !is_hvm_domain(d) )禁止guest自己开启nested HVM。
A malicious domain can mount a denial of service attack affecting the whole system.
DoS