Xen <= 3.3 DoS due to incorrect virtual address validation
The x86_64 __addr_ok() macro intends to ensure that the checked address is either in the positive half of the 48-bit virtual address space, or above the Xen-reserved area. However, the current shift count is off-by-one, allowing full access to the negative half too, via certain hypercalls which ignore virtual-address bits [63:48]. Vulnerable hypercalls exist only in very old versions of the hypervisor.
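As an added example (not Xen's code), the C below models the macro with the pre-fix and post-fix shift counts, plus the bit-[63:48] truncation the text says the affected hypercalls perform, so the accepted address ranges can be compared directly; the HYPERVISOR_VIRT_END value is an assumed placeholder, since the page does not quote it.

```c
/* Added example (not Xen code): models x86-64 __addr_ok() before and after the
 * fix. Assumes a 64-bit unsigned long, as the hypervisor code does. */
#include <stdbool.h>
#include <stdio.h>

/* Assumed placeholder: Xen's real HYPERVISOR_VIRT_END lives in the hypervisor
 * headers and is not quoted on the page. */
#define HYPERVISOR_VIRT_END 0xffff880000000000UL

/* Pre-fix bound: 2^48 spans the whole 48-bit space, i.e. both canonical halves. */
#define ADDR_OK_OLD(addr) \
    (((unsigned long)(addr) < (1UL << 48)) || \
     ((unsigned long)(addr) >= HYPERVISOR_VIRT_END))

/* Post-fix bound: the positive (lower canonical) half is [0, 2^47). */
#define ADDR_OK_NEW(addr) \
    (((unsigned long)(addr) < (1UL << 47)) || \
     ((unsigned long)(addr) >= HYPERVISOR_VIRT_END))

/* Model a hypercall that ignores virtual-address bits [63:48]: the value the
 * check actually sees is the guest-supplied address with those bits cleared. */
unsigned long truncate_to_48(unsigned long guest_addr)
{
    return guest_addr & ((1UL << 48) - 1);
}

bool addr_ok_old(unsigned long addr) { return ADDR_OK_OLD(addr); }
bool addr_ok_new(unsigned long addr) { return ADDR_OK_NEW(addr); }

int main(void)
{
    /* Constructed sample addresses: an ordinary guest pointer, one inside the
     * Xen-reserved range, and one above HYPERVISOR_VIRT_END. */
    const unsigned long samples[] = {
        0x00007f0000001000UL, 0xffff800000001000UL, 0xffff900000001000UL,
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned long a = samples[i], t = truncate_to_48(a);
        printf("%#018lx: old=%d new=%d | bits[63:48] dropped (%#018lx): old=%d new=%d\n",
               a, addr_ok_old(a), addr_ok_new(a), t, addr_ok_old(t), addr_ok_new(t));
    }
    return 0;
}
```

With the old bound, a Xen-reserved address whose top bits were dropped by the hypercall collapses to a value below 2^48 and is accepted; the corrected bound rejects it because the positive half ends at 2^47.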
lack of check (off-by-one)
x86-64: Fix off-by-one error in __addr_ok() macro
--- a/xen/include/asm-x86/x86_64/uaccess.h Tue Aug 30 11:46:58 2011 +0100 +++ b/xen/include/asm-x86/x86_64/uaccess.h Wed Aug 31 15:14:49 2011 +0100 @@ -34,7 +34,7 @@ extern void *xlat_malloc(unsigned long * * non-canonical address (and thus fault) before ever reaching VIRT_START. */ #define __addr_ok(addr) \ - (((unsigned long)(addr) < (1UL<<48)) || \ + (((unsigned long)(addr) < (1UL<<47)) || \ ((unsigned long)(addr) >= HYPERVISOR_VIRT_END)) #define access_ok(addr, size) \
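Review bot: the corrected bound `1UL<<47` is right (the lower canonical half of a 48-bit space ends at 2^47), but it is a bare magic number in a macro whose surrounding comment only speaks of reaching VIRT_START; suggest either deriving the bound from a named constant or extending the comment to state that bit 47 is the top of the positive half, so a later edit cannot silently reintroduce the off-by-one.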
A malicious guest administrator on a vulnerable system is able to crash the host.