Memory mapping failure DoS vulnerability

When set_p2m_entry() fails, Xen's two mapping tables, the p2m (guest-physical to machine frame) and the m2p (machine to guest-physical frame), can be left out of sync, because the m2p is still updated even though the p2m update did not take effect. The failure can be triggered by unusual guest behaviour that exhausts the memory reserved for the p2m table. Once the tables disagree, subsequent guest-invoked memory operations can cause Xen to fail an assertion and crash.
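The following is an added illustration, not Xen code and not part of the original advisory: a toy model with a gfn-to-mfn table (p2m), its reverse map (m2p), and a stand-in for set_p2m_entry() that fails once a small "reserve" of table slots is used up. It shows the pre-fix shape (m2p written regardless of the p2m result) beside the post-fix shape (bail out before touching m2p), and a consistency check standing in for the hypervisor's ASSERT()s. All names (toy_tables, toy_set_p2m_entry, run_scenario, the slot reserve) are constructed for the example.

```c
#include <errno.h>
#include <stdio.h>

#define NR_GFNS 8UL
#define NR_MFNS 8UL
#define INVALID_MFN (~0UL)
#define INVALID_GFN (~0UL)

/* Toy model (constructed for this example, not Xen's structures):
 * p2m maps guest frame numbers to machine frame numbers, m2p is the
 * reverse map.  free_slots stands in for the memory reserved for the
 * p2m table; when it is exhausted, the p2m update fails. */
struct toy_tables {
    unsigned long p2m[NR_GFNS];
    unsigned long m2p[NR_MFNS];
    unsigned int free_slots;
};

static void toy_init(struct toy_tables *t, unsigned int free_slots)
{
    unsigned long i;
    for ( i = 0; i < NR_GFNS; i++ ) t->p2m[i] = INVALID_MFN;
    for ( i = 0; i < NR_MFNS; i++ ) t->m2p[i] = INVALID_GFN;
    t->free_slots = free_slots;
}

/* Stand-in for set_p2m_entry(): 1 on success, 0 on failure.  Mapping a
 * gfn that has no entry yet consumes one slot; with none left it fails. */
static int toy_set_p2m_entry(struct toy_tables *t, unsigned long gfn, unsigned long mfn)
{
    if ( gfn >= NR_GFNS )
        return 0;
    if ( t->p2m[gfn] == INVALID_MFN )
    {
        if ( t->free_slots == 0 )
            return 0;               /* "low memory": the table cannot grow */
        t->free_slots--;
    }
    t->p2m[gfn] = mfn;
    return 1;
}

/* Pre-fix shape: the m2p write happens whether or not the p2m update succeeded. */
static int add_entry_before_fix(struct toy_tables *t, unsigned long gfn, unsigned long mfn)
{
    int rc = 0;
    if ( mfn >= NR_MFNS )           /* plays the role of the mfn_valid() check */
        return -EINVAL;
    if ( !toy_set_p2m_entry(t, gfn, mfn) )
        rc = -EINVAL;
    t->m2p[mfn] = gfn;              /* runs even when rc is already -EINVAL */
    return rc;
}

/* Post-fix shape: bail out before touching m2p when the p2m update failed. */
static int add_entry_after_fix(struct toy_tables *t, unsigned long gfn, unsigned long mfn)
{
    int rc = 0;
    if ( mfn >= NR_MFNS )
        return -EINVAL;
    if ( !toy_set_p2m_entry(t, gfn, mfn) )
    {
        rc = -EINVAL;
        goto out;                   /* failed to update p2m, leave m2p alone */
    }
    t->m2p[mfn] = gfn;
out:
    return rc;
}

/* The invariant the hypervisor's ASSERT()s rely on: every m2p entry must be
 * mirrored by the p2m.  Returns 1 if consistent, 0 otherwise. */
static int toy_tables_consistent(const struct toy_tables *t)
{
    unsigned long mfn;
    for ( mfn = 0; mfn < NR_MFNS; mfn++ )
    {
        unsigned long gfn = t->m2p[mfn];
        if ( gfn != INVALID_GFN && (gfn >= NR_GFNS || t->p2m[gfn] != mfn) )
            return 0;
    }
    return 1;
}

/* Scenario: the reserve allows exactly one more p2m entry.  The first add
 * succeeds and uses it up; the second fails.  Reports the failed add's rc and
 * whether the tables still agree afterwards. */
static void run_scenario(int use_fix, int *rc_out, int *consistent_out)
{
    struct toy_tables t;
    int (*add)(struct toy_tables *, unsigned long, unsigned long) =
        use_fix ? add_entry_after_fix : add_entry_before_fix;
    toy_init(&t, 1);
    add(&t, 0, 5);                  /* succeeds, consumes the last slot */
    *rc_out = add(&t, 1, 6);        /* fails with -EINVAL in both variants */
    *consistent_out = toy_tables_consistent(&t);
}

static int scenario_rc(int use_fix)
{
    int rc, ok;
    run_scenario(use_fix, &rc, &ok);
    return rc;
}

static int scenario_consistent(int use_fix)
{
    int rc, ok;
    run_scenario(use_fix, &rc, &ok);
    return ok;
}

int main(void)
{
    printf("before fix: rc=%d tables consistent=%d\n", scenario_rc(0), scenario_consistent(0));
    printf("after fix:  rc=%d tables consistent=%d\n", scenario_rc(1), scenario_consistent(1));
    return 0;
}
```

Both variants report the same -EINVAL to the caller; the difference is only visible in the state left behind. In the pre-fix variant the m2p now claims mfn 6 belongs to gfn 1 while the p2m has no such mapping, which is exactly the disagreement a later ASSERT() would trip over; in the post-fix variant the failed operation leaves no trace in m2p.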

Improper error handling: the p2m and m2p tables are left out of sync when set_p2m_entry() fails.



x86/physmap: Prevent incorrect updates of m2p mappings

In certain conditions, such as low memory, set_p2m_entry() can fail. Currently, the p2m and m2p tables will get out of sync because we still update the m2p table after the p2m update has failed.

If that happens, subsequent guest-invoked memory operations can cause BUG()s and ASSERT()s to kill Xen.

This is fixed by only updating the m2p table iff the p2m was successfully updated.

--- a/xen/arch/x86/mm/p2m.c Wed Nov 14 11:33:15 2012 +0000
+++ b/xen/arch/x86/mm/p2m.c Wed Nov 14 11:36:57 2012 +0000
@@ -654,7 +654,10 @@ guest_physmap_add_entry(struct domain *d
     if ( mfn_valid(_mfn(mfn)) ) 
         if ( !set_p2m_entry(p2m, gfn, _mfn(mfn), page_order, t, p2m->default_access) )
+        {
             rc = -EINVAL;
+            goto out; /* Failed to update p2m, bail without updating m2p. */
+        }
         if ( !p2m_is_grant(t) )
             for ( i = 0; i < (1UL << page_order); i++ )
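Review bot: this hunk as rendered is not self-consistent, so check the original patch before reading the visible lines literally. The header says 7 lines of context became 10, but only 8 lines are shown, and the braces that should bracket the body of `if ( mfn_valid(_mfn(mfn)) )` are absent; taken at face value, the lines shown would leave `if ( !p2m_is_grant(t) )` and its m2p loop outside the `mfn_valid` condition, which is not what the commit message describes. The change itself is right: after `rc = -EINVAL;` the added `goto out;` makes the m2p loop unreachable when set_p2m_entry() fails, so the m2p is only written once the p2m update has actually taken effect.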
@@ -677,6 +680,7 @@ guest_physmap_add_entry(struct domain *d
     return rc;
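Review bot: the jump target is not visible. The header promises one added line (6 became 7) but only `return rc;` is shown, so the `out:` label that the first hunk's `goto out;` needs cannot be verified from this page. Wherever it sits, it must be placed so that any cleanup the function performs before `return rc;` on the normal path (for instance releasing a lock the function took) still runs on the failure path; a label placed directly at `return rc;` would skip that cleanup and turn an error return into a different bug.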


A malicious guest administrator might be able to cause Xen to crash, taking down the host and every guest running on it (denial of service).