XSA-7

CVE-2012-0217


Problem description

xsa7

64-bit PV guest privilege escalation vulnerability

Rafal Wojtczuk has discovered a vulnerability which can allow a 64-bit PV guest kernel running on a 64-bit hypervisor to escalate privileges to that of the host by arranging for a system call to return via sysret to a non-canonical RIP. Intel CPUs deliver the resulting exception in an undesirable processor state.

improper error handling (stack pointer not restored)

The guest constructs a non-canonical RIP (by issuing a syscall at the last address of a page in some virtual address region); the sysret then raises an exception, and because the exception handler does not restore the stack pointer, it runs on the stack supplied by the guest VM.


Patch description

http://xenbits.xen.org/hg/xen-4.1-testing.hg/rev/f08e61b9b33f

x86_64: Do not execute sysret with a non-canonical return address

Check for non-canonical guest RIP before attempting to execute sysret. If sysret is executed with a non-canonical value in RCX, Intel CPUs take the fault in ring0, but we will necessarily already have switched to the user's stack pointer.
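As an added illustration (this is not code from the Xen patch or the Xen project), the C below reproduces the canonicality test the patch performs before sysret (arithmetic shift by 47, 32-bit increment, compare against 1) next to the plain definition of a 48-bit canonical address, and checks that the two agree on a constructed set of boundary addresses. The `sar47` helper, the `disagreements` function and the sample table are assumptions of this example, not part of the page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Plain definition: with 48-bit virtual addresses, a canonical address has
 * bits 63..47 all zero (user half) or all one (kernel half). */
static bool is_canonical_ref(uint64_t rip)
{
    uint64_t top = rip >> 47;            /* the 17 bits 63..47 */
    return top == 0 || top == 0x1FFFF;
}

/* Arithmetic shift right by 47 (what sarq does), written without relying on
 * the implementation-defined behaviour of >> on negative signed values. */
static int64_t sar47(uint64_t v)
{
    uint64_t shifted = v >> 47;
    if (v & (1ULL << 63))
        shifted |= ~(uint64_t)0 << 17;   /* sign-extend from bit 16 (old bit 63) */
    return (int64_t)shifted;
}

/* The patch's test, step by step:
 *   sarq $47,%rcx   -> 0 or -1 for a canonical address, anything else otherwise
 *   incl %ecx       -> 1 or 0 for a canonical address (32-bit increment)
 *   cmpl $1,%ecx ; ja .Lforce_iret -> take the IRET path when ecx > 1 */
static bool is_canonical_xsa7(uint64_t rip)
{
    int64_t rcx = sar47(rip);
    uint32_t ecx = (uint32_t)rcx + 1u;   /* wraps to 0 when rcx == -1 */
    return ecx <= 1u;
}

/* Constructed sample addresses around the 48-bit canonical boundaries. */
static const uint64_t samples[] = {
    0x0000000000000000ULL,   /* lowest user address */
    0x00007FFFFFFFFFFFULL,   /* highest user-half canonical address */
    0x0000800000000000ULL,   /* first address past the user half: non-canonical */
    0x8000000000000000ULL,   /* non-canonical, sign bit set */
    0xFFFF7FFFFFFFFFFFULL,   /* last address before the kernel half: non-canonical */
    0xFFFF800000000000ULL,   /* lowest kernel-half canonical address */
    0xFFFFFFFFFFFFFFFFULL,   /* highest canonical address */
};
#define NSAMPLES (sizeof samples / sizeof samples[0])

/* Number of sample addresses on which the patch's test and the plain
 * definition disagree; 0 means the sarq/incl/cmpl sequence is exact here. */
static int disagreements(void)
{
    int n = 0;
    for (size_t i = 0; i < NSAMPLES; i++)
        if (is_canonical_xsa7(samples[i]) != is_canonical_ref(samples[i]))
            n++;
    return n;
}

int main(void)
{
    for (size_t i = 0; i < NSAMPLES; i++)
        printf("%#018llx  canonical=%d\n",
               (unsigned long long)samples[i], is_canonical_xsa7(samples[i]));
    return disagreements() == 0 ? 0 : 1;
}
```

The shift-by-47 constant is what ties the check to a 48-bit virtual address width; that is the one parameter a reader of the patch needs to keep in mind.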

--- a/xen/arch/x86/x86_64/entry.S  Fri May 25 08:18:47 2012 +0100
+++ b/xen/arch/x86/x86_64/entry.S  Tue Jun 12 11:38:30 2012 +0100
@@ -40,6 +40,13 @@ restore_all_guest:
         testw $TRAP_syscall,4(%rsp)
         jz    iret_exit_to_guest
 
+        /* Don't use SYSRET path if the return address is not canonical. */
+        movq  8(%rsp),%rcx
+        sarq  $47,%rcx
+        incl  %ecx
+        cmpl  $1,%ecx
+        ja    .Lforce_iret
+
         addq  $8,%rsp
         popq  %rcx                    # RIP
         popq  %r11                    # CS
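Review bot: the test at `sarq $47,%rcx` / `incl %ecx` / `cmpl $1,%ecx` hard-codes the 48-bit virtual address width and depends on a non-obvious identity (an arithmetic shift of a canonical address by 47 leaves 0 or -1, which `incl` turns into 1 or 0, so `ja` fires only for non-canonical values); the comment above it should spell that out and note that the constant must track the address width. Reading RIP from `8(%rsp)` before `addq $8,%rsp` is consistent with the `popq %rcx # RIP` that follows the add, so the frame offset is right, and RCX is clobbered here but reloaded on both exit paths.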
@@ -50,6 +57,10 @@ restore_all_guest:
         sysretq
 1:      sysretl
 
+.Lforce_iret:
+        /* Mimic SYSRET behavior. */
+        movq  8(%rsp),%rcx            # RIP
+        movq  24(%rsp),%r11           # RFLAGS
         ALIGN
 /* No special register assumptions. */
 iret_exit_to_guest:
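Review bot: `.Lforce_iret` relies on falling through the `ALIGN` padding into `iret_exit_to_guest`; that is correct as long as nothing is ever inserted between them, but a `/* fall through */` remark after the two `movq` lines would make the intent explicit. Loading RCX from `8(%rsp)` and R11 from `24(%rsp)` gives the guest the register state SYSRET would have left (RIP in RCX, RFLAGS in R11), and the `8(%rsp)` offset matches the one used by the check in the previous hunk, so the two paths agree on the frame layout.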

Consequence

Guest administrators can gain control of the host.

DoS, privilege escalation