XSA-85

CVE-2014-1895


Problem description

http://xenbits.xen.org/xsa/advisory-85.html

Off-by-one error in FLASK_AVC_CACHESTAT hypercall

The FLASK_AVC_CACHESTAT hypercall, which provides access to per-cpu statistics on the Flask security policy, incorrectly validates the CPU for which statistics are being requested.

off-by-one


Patch description

http://xenbits.xen.org/xsa/xsa85.patch

--- a/xen/xsm/flask/flask_op.c
+++ b/xen/xsm/flask/flask_op.c
@@ -457,7 +457,7 @@ static int flask_security_avc_cachestats(struct xen_flask_cache_stats *arg)
 {
     struct avc_cache_stats *st;
 
-    if ( arg->cpu > nr_cpu_ids )
+    if ( arg->cpu >= nr_cpu_ids )
         return -ENOENT;
     if ( !cpu_online(arg->cpu) )
         return -ENOENT;
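Review bot: the one-character change from `>` to `>=` is the correct bound for a table indexed 0..nr_cpu_ids-1 (nr_cpu_ids is a count, not a maximum index), and the following `cpu_online(arg->cpu)` check on its own would not have rejected the out-of-range value, so this comparison is the only guard; worth confirming during review that `arg->cpu` is an unsigned type so the single comparison also covers the lower bound, and a short comment on the line stating that nr_cpu_ids is exclusive would make the intent harder to regress.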

Consequence

An attacker can cause the hypervisor to read past the end of an array. This may result in either a host crash, leading to a denial of service, or access to a small and static region of hypervisor memory, leading to an information leak.

DoS, information leak
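The off-by-one described above, modelled as an added example rather than Xen's own code: a constructed per-cpu statistics table of nr_cpu_ids entries, the pre-patch check beside the patched one, and a handler shaped like flask_security_avc_cachestats that uses the corrected bound (the cpu_online check is omitted from the model).

```c
#include <errno.h>
#include <stdbool.h>

/* Constructed model of the per-cpu Flask AVC statistics table (not Xen's). */
#define NR_CPU_IDS 4
struct avc_cache_stats { unsigned long lookups, hits, misses; };
static struct avc_cache_stats avc_cache_stats[NR_CPU_IDS];
static const unsigned int nr_cpu_ids = NR_CPU_IDS;

/* Pre-patch bound check: accepts cpu == nr_cpu_ids, which would index one
 * element past the end of the table (the XSA-85 off-by-one). */
bool cpu_index_accepted_before(unsigned int cpu)
{
    return !(cpu > nr_cpu_ids);
}

/* Patched check: valid indices are 0 .. nr_cpu_ids-1 only. */
bool cpu_index_accepted_after(unsigned int cpu)
{
    return !(cpu >= nr_cpu_ids);
}

/* Handler in the shape of flask_security_avc_cachestats, using the patched
 * check: -ENOENT for an invalid cpu, otherwise that cpu's counters are copied. */
int lookup_cachestats(unsigned int cpu, struct avc_cache_stats *out)
{
    if ( !cpu_index_accepted_after(cpu) )
        return -ENOENT;
    *out = avc_cache_stats[cpu];
    return 0;
}

/* Counts how many values in [0, nr_cpu_ids] a check lets through; the
 * pre-patch check admits one more index than the table has entries. */
unsigned int count_accepted(bool (*check)(unsigned int))
{
    unsigned int n = 0;
    for ( unsigned int cpu = 0; cpu <= nr_cpu_ids; cpu++ )
        n += check(cpu);
    return n;
}
```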