CVE-2011-2901
Xen <= 3.3 DoS due to incorrect virtual address validation
The x86_64 __addr_ok() macro intends to ensure that the checked address is either in the positive half of the 48-bit virtual address space, or above the Xen-reserved area. However, the current shift count is off-by-one, allowing full access to the
negative halftoo, via certain hypercalls which ignore virtual-address bits [63:48]. Vulnerable hypercalls exist only in very old versions of the hypervisor.
lack of check (off-by-one)
http://xenbits.xen.org/hg/xen-unstable.hg/rev/72edc40e2942
x86-64: Fix off-by-one error in __addr_ok() macro
--- a/xen/include/asm-x86/x86_64/uaccess.h Tue Aug 30 11:46:58 2011 +0100
+++ b/xen/include/asm-x86/x86_64/uaccess.h Wed Aug 31 15:14:49 2011 +0100
@@ -34,7 +34,7 @@ extern void *xlat_malloc(unsigned long *
* non-canonical address (and thus fault) before ever reaching VIRT_START.
*/
#define __addr_ok(addr) \
- (((unsigned long)(addr) < (1UL<<48)) || \
+ (((unsigned long)(addr) < (1UL<<47)) || \
((unsigned long)(addr) >= HYPERVISOR_VIRT_END))
#define access_ok(addr, size) \A malicious guest administrator on a vulnerable system is able to crash the host.
DoS