nested virtualization on 32-bit exposes host crash
When performing nested virtualisation, Xen would incorrectly keep guest pages mapped for extended periods through an interface intended only for transient mappings. In some configurations only a limited number of slots are available for these transient mappings; exhausting them leads to a host crash and therefore a Denial of Service attack.
logic error (incorrect page mapping)
x86_32: don’t allow use of nested HVM
There are (indirect) uses of map_domain_page() in the nested HVM code that are unsafe when not just using the 1:1 mapping.
--- a/xen/arch/x86/hvm/hvm.c +++ b/xen/arch/x86/hvm/hvm.c @@ -3926,6 +3926,10 @@ long do_hvm_op(unsigned long op, XEN_GUE rc = -EINVAL; break; case HVM_PARAM_NESTEDHVM: +#ifdef __i386__ + if ( a.value ) + rc = -EINVAL; +#else if ( a.value > 1 ) rc = -EINVAL; if ( !is_hvm_domain(d) ) @@ -3940,6 +3944,7 @@ long do_hvm_op(unsigned long op, XEN_GUE for_each_vcpu(d, v) if ( rc == 0 ) rc = nestedhvm_vcpu_initialise(v); +#endif break; case HVM_PARAM_BUFIOREQ_EVTCHN: rc = -EINVAL;
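Review bot: the new `#ifdef __i386__` branch returns a bare `-EINVAL` for any nonzero value, which a toolstack cannot tell apart from the existing `a.value > 1` rejection; a short comment at the `#ifdef` (or a gdprintk) stating that nested HVM is disabled on x86_32 because the nested code relies on map_domain_page() mappings that are unsafe outside the 1:1 case, as the commit message explains, would keep the reason in the source. Note also that the `#endif` sits after the `nestedhvm_vcpu_initialise(v)` loop, so on i386 a value of 0 bypasses the `if ( !is_hvm_domain(d) )` check in the `#else` branch and falls straight to `break`; confirm that accepting 0 unconditionally there is intended.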
A malicious guest administrator can trigger the issue by enabling nested virtualisation from within the guest.
Their ability to do this depends on the number of VCPUs the domain is configured with. Domains with fewer VCPUs (e.g. fewer than 16) are not able to create enough mappings via this method to trigger the issue.