XSA-37

CVE-2013-0154


Problem description

http://xenbits.xen.org/xsa/advisory-37.html

Hypervisor crash due to incorrect ASSERT (debug build only)

A change to an internal interface within the hypervisor invalidated an ASSERT in a caller of that API. This code path is exposed to PV guests via a hypercall allowing administrators of PV guests to crash the hypervisor if it is built with debugging enabled.

false assertion


Patch description

http://xenbits.xen.org/xsa/xsa37-4.2.patch

x86: fix assertion in get_page_type()

made it possible that __get_page_type() returns other than -EINVAL, in particular -EBUSY. Consequently, the assertion in get_page_type() should check for only the return values we absolutely don’t expect to see there.

--- a/xen/arch/x86/mm.c
+++ b/xen/arch/x86/mm.c
@@ -2586,7 +2586,7 @@ int get_page_type(struct page_info *page
     int rc = __get_page_type(page, type, 0);
     if ( likely(rc == 0) )
         return 1;
-    ASSERT(rc == -EINVAL);
+    ASSERT(rc != -EINTR && rc != -EAGAIN);
     return 0;
 }
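
Review bot: The new ASSERT in get_page_type() has no comment saying why -EINTR and -EAGAIN are the two values that must never come back from the __get_page_type(page, type, 0) call. A one-line comment tying them to the 0 passed as the third argument would help the next person who changes the callee's return values, since the commit message says that is exactly how the old rc == -EINVAL check went stale. Note also that the check is now a deny-list, so any further error code added to __get_page_type() later will pass the assertion silently and be reported to the caller as a plain failure (return 0).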

Consequence

Malicious administrators of PV guests running on hypervisors built with the non-default debug=y option can crash the host.

DoS