CVE-2013-0190
http://xenbits.xen.org/xsa/advisory-40.html
Linux stack corruption in xen_failsafe_callback for 32bit PVOPS guests
xen_failsafe_callback incorrectly sets up its stack if an iret fault is injected by the hypervisor.
logic error (wrong stack pointer)
http://xenbits.xen.org/xsa/xsa40.patch
There has been an error on the xen_failsafe_callback path for failed iret, which causes the stack pointer to be wrong when entering the iret_exc error path. This can result in the kernel crashing.
--- a/arch/x86/kernel/entry_32.S
+++ b/arch/x86/kernel/entry_32.S
@@ -1065,7 +1065,6 @@ ENTRY(xen_failsafe_callback)
lea 16(%esp),%esp
CFI_ADJUST_CFA_OFFSET -16
jz 5f
- addl $16,%esp
jmp iret_exc
5: pushl_cfi $-1 /* orig_ax = -1 => not a system call */
SAVE_ALL
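Review bot: the removed `addl $16,%esp` on the failed-iret path double-counted the pop already done by `lea 16(%esp),%esp` two lines above; that `lea` is paired with `CFI_ADJUST_CFA_OFFSET -16` while the `addl` had no matching CFI annotation, which is the telltale that it was a stray second adjustment. With it in place, only the `jz 5f` (Category 1, SAVE_ALL) path entered the common error code with the right frame, while the Category 2 path jumped to `iret_exc` with %esp 16 bytes too high, so the fixup pushed its error code and handler on top of the wrong frame. Dropping the instruction is the right fix; consider adding a one-line comment after the `lea` ("frame already popped, nothing further to drop before iret_exc") so the extra pop is not reintroduced by someone reading the two paths symmetrically.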
Malicious or buggy unprivileged userspace can cause the guest kernel to crash, or operate erroneously.
guest DoS