XSA-4

CVE-2011-2901


Problem description

xsa4

Xen <= 3.3 DoS due to incorrect virtual address validation

The x86_64 __addr_ok() macro is intended to ensure that the checked address is either in the positive half of the 48-bit virtual address space, or above the Xen-reserved area. However, the shift count in the first comparison is off by one (48 instead of 47), so addresses in the negative half also pass the check via certain hypercalls which ignore virtual-address bits [63:48]. Vulnerable hypercalls exist only in very old versions of the hypervisor.

lack of check (off-by-one)
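The two forms of the check side by side, as an added C illustration that is not Xen's code: the pre-fix bound (1<<48) accepts the non-canonical range [2^47, 2^48), which is exactly where a negative-half address lands once a caller discards bits [63:48]. HYPERVISOR_VIRT_END is an assumed value here; a real build takes it from the Xen headers.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumed for this illustration only; the real value comes from Xen's config.h. */
#define HYPERVISOR_VIRT_END UINT64_C(0xffff880000000000)

/* Pre-fix form of __addr_ok(): bound is 1<<48, one bit too high. */
bool addr_ok_old(uint64_t addr)
{
    return (addr < (UINT64_C(1) << 48)) || (addr >= HYPERVISOR_VIRT_END);
}

/* Fixed form: the positive canonical half of a 48-bit space is [0, 2^47). */
bool addr_ok_fixed(uint64_t addr)
{
    return (addr < (UINT64_C(1) << 47)) || (addr >= HYPERVISOR_VIRT_END);
}

/* Canonical x86-64 address: bits [63:47] are all equal (all 0 or all 1). */
bool is_canonical(uint64_t addr)
{
    uint64_t upper = addr >> 47;
    return upper == 0 || upper == 0x1ffff;
}

/* Models a caller that ignores bits [63:48] before applying the check. */
uint64_t low48(uint64_t addr)
{
    return addr & ((UINT64_C(1) << 48) - 1);
}

int main(void)
{
    /* Constructed sample addresses. */
    uint64_t samples[] = {
        UINT64_C(0x00007ffffffff000), /* top of positive half: both accept   */
        UINT64_C(0x0000800000000000), /* non-canonical: old accepts, fixed no */
        UINT64_C(0xffff800000001000), /* hypervisor area: both reject as-is   */
        UINT64_C(0xffff900000000000), /* above VIRT_END (guest): both accept  */
    };
    for (unsigned i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint64_t a = samples[i], t = low48(a);
        printf("%016llx canonical=%d old=%d fixed=%d | low48 old=%d fixed=%d\n",
               (unsigned long long)a, is_canonical(a), addr_ok_old(a),
               addr_ok_fixed(a), addr_ok_old(t), addr_ok_fixed(t));
    }
    return 0;
}
```

The last two columns show the bug: a negative-half address with its upper bits dropped passes the old check but fails the fixed one.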


Patch description

http://xenbits.xen.org/hg/xen-unstable.hg/rev/72edc40e2942

x86-64: Fix off-by-one error in __addr_ok() macro

--- a/xen/include/asm-x86/x86_64/uaccess.h   Tue Aug 30 11:46:58 2011 +0100
+++ b/xen/include/asm-x86/x86_64/uaccess.h   Wed Aug 31 15:14:49 2011 +0100
@@ -34,7 +34,7 @@ extern void *xlat_malloc(unsigned long *
  * non-canonical address (and thus fault) before ever reaching VIRT_START.
  */
 #define __addr_ok(addr) \
-    (((unsigned long)(addr) < (1UL<<48)) || \
+    (((unsigned long)(addr) < (1UL<<47)) || \
      ((unsigned long)(addr) >= HYPERVISOR_VIRT_END))
 
 #define access_ok(addr, size) \
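Review bot: the new bound `1UL<<47` is the correct one for a 48-bit virtual address space (the positive canonical half ends at 2^47, and [2^47, 2^48) is non-canonical), but the comment above the macro still explains only the second alternative in terms of faulting before VIRT_START; it should state the 47-bit bound explicitly so the next reader does not "correct" it back to 48. Callers that discard bits [63:48] of a guest-supplied address also need a separate audit, since this macro by itself cannot tell such a truncated negative-half address from a positive-half one.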

Consequence

A malicious guest administrator on a vulnerable system is able to crash the host.

DoS