XSA-40

CVE-2013-0190


Problem description

http://xenbits.xen.org/xsa/advisory-40.html

Linux stack corruption in xen_failsafe_callback for 32bit PVOPS guests

xen_failsafe_callback incorrectly sets up its stack if an iret fault is injected by the hypervisor.

logic error (wrong stack pointer)


Patch description

http://xenbits.xen.org/xsa/xsa40.patch

There has been an error on the xen_failsafe_callback path for a failed iret, which causes the stack pointer to be wrong when entering the iret_exc error path. This can result in the kernel crashing.

--- a/arch/x86/kernel/entry_32.S
+++ b/arch/x86/kernel/entry_32.S
@@ -1065,7 +1065,6 @@ ENTRY(xen_failsafe_callback)
    lea 16(%esp),%esp
    CFI_ADJUST_CFA_OFFSET -16
    jz 5f
-   addl $16,%esp
    jmp iret_exc
 5: pushl_cfi $-1 /* orig_ax = -1 => not a system call */
    SAVE_ALL
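Review bot: the removed `addl $16,%esp` was a double adjustment on the fall-through (failed iret) path: the `lea 16(%esp),%esp` two lines earlier already pops those 16 bytes and is the only adjustment the `CFI_ADJUST_CFA_OFFSET -16` annotation accounts for, so when `jz 5f` was not taken, `%esp` arrived at `iret_exc` 16 bytes too high and out of step with the CFI state, which is the wrong-stack-pointer crash the description refers to. Dropping the line is the right fix; consider adding a short comment on the `jz 5f` branch stating that the fall-through is the hypervisor-injected iret-fault case handled by `iret_exc`, since the intent of the branch is not obvious from the hunk alone.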

Consequence

Malicious or buggy unprivileged userspace can cause the guest kernel to crash, or operate erroneously.

guest DoS