Vulnerabilities in HVM MSI injection
The implementation of the HVM control operation HVMOP_inject_msi, while checking whether a particular IRQ was already set up in the necessary way, does not check all of the conditions it needs to. In particular, it does not check the returned pointer for being non-NULL before de-referencing it. (CVE-2014-3967)
Furthermore that same code also handles certain errors by logging messages, without (under default settings) at least making these messages subject to rate limiting. (CVE-2014-3968)
lack of check (NULL pointer), resource abuse (unlimited log rate)
x86/HVM: eliminate vulnerabilities from hvm_inject_msi()
- pirq_info() returns NULL for a non-allocated pIRQ, and hence we mustn’t unconditionally de-reference it, and we need to invoke it another time after having called map_domain_emuirq_pirq()
- don’t use printk(), namely without XENLOG_GUEST, for error reporting
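The following is an added illustration of the two fixes described in the commit message above; it is not Xen's code. The names pirq_info(), map_domain_emuirq_pirq() and hvm_inject_msi() echo the advisory, but the table, the struct layout, the "mapped" flag, and the per-domain log cap are simplified stand-ins constructed here (Xen's actual rate limiting is time-windowed and its lookup structures differ). What it shows is the shape of the corrected lookup: test the pointer for NULL, query the table again after the mapping call because the table changed, and route guest-triggerable error messages through a capped logger instead of an unconditional printk().

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of a domain's pIRQ table (not Xen's data structures). */
#define NR_PIRQS 8
#define LOG_BURST_LIMIT 5

struct pirq {
    int  pirq;
    bool mapped;    /* bound to an emulated IRQ (constructed state) */
    int  emuirq;
};

struct domain {
    struct pirq  *pirq_tbl[NR_PIRQS];   /* NULL means "never allocated" */
    struct pirq   storage[NR_PIRQS];
    unsigned long log_used;             /* messages emitted under the cap */
};

/* Returns NULL for a pIRQ that was never allocated, mirroring the behaviour the
 * advisory attributes to the real pirq_info(). */
static struct pirq *pirq_info(struct domain *d, int pirq)
{
    if (pirq < 0 || pirq >= NR_PIRQS)
        return NULL;
    return d->pirq_tbl[pirq];
}

/* Simplified stand-in: allocate the slot if needed and bind it to emuirq. */
static int map_domain_emuirq_pirq(struct domain *d, int pirq, int emuirq)
{
    if (pirq < 0 || pirq >= NR_PIRQS)
        return -1;
    if (d->pirq_tbl[pirq] == NULL) {
        d->pirq_tbl[pirq] = &d->storage[pirq];
        d->pirq_tbl[pirq]->pirq = pirq;
    }
    d->pirq_tbl[pirq]->mapped = true;
    d->pirq_tbl[pirq]->emuirq = emuirq;
    return 0;
}

/* Guest-triggerable messages go through a per-domain cap rather than an
 * unconditional printk(); a real implementation would use a time window. */
static bool guest_log(struct domain *d, const char *msg)
{
    if (d->log_used >= LOG_BURST_LIMIT)
        return false;               /* dropped: limit reached */
    d->log_used++;
    fprintf(stderr, "guest log: %s\n", msg);
    return true;
}

/* Corrected shape of the injection path. The original defect was to
 * de-reference the pirq_info() result without a NULL check; the fix checks it
 * and re-queries after map_domain_emuirq_pirq() instead of reusing the
 * earlier (possibly NULL) pointer. Returns the bound emuirq, or -1. */
static int hvm_inject_msi(struct domain *d, int pirq, int emuirq)
{
    struct pirq *info = pirq_info(d, pirq);

    if (info == NULL || !info->mapped) {
        if (map_domain_emuirq_pirq(d, pirq, emuirq) != 0) {
            guest_log(d, "hvm_inject_msi: failed to map pirq");
            return -1;
        }
        info = pirq_info(d, pirq);      /* table changed: look it up again */
        if (info == NULL) {
            guest_log(d, "hvm_inject_msi: pirq missing after mapping");
            return -1;
        }
    }
    return info->emuirq;
}

/* Stand-alone scenario: 0 on success, a nonzero step number on the first failure. */
static int scenario(void)
{
    struct domain d;
    memset(&d, 0, sizeof d);
    if (hvm_inject_msi(&d, 3, 42) != 42) return 1;   /* first use maps, then re-looks up */
    if (hvm_inject_msi(&d, 3, 99) != 42) return 2;   /* already mapped: binding reused */
    if (pirq_info(&d, 5) != NULL)       return 3;    /* untouched slot stays NULL */
    for (int i = 0; i < 10; i++)                      /* out-of-range pIRQ: fails, logged */
        if (hvm_inject_msi(&d, 100, 1) != -1) return 4;
    if (d.log_used != LOG_BURST_LIMIT)  return 5;    /* ten failures, five messages */
    return 0;
}

int main(void)
{
    int rc = scenario();
    printf("scenario: %s (rc=%d)\n", rc == 0 ? "ok" : "failed", rc);
    return rc;
}
```

The decisive difference from the pre-fix logic is the second pirq_info() call after mapping: even when the first lookup returned NULL, the code never touches that pointer, so a hypercall naming an unallocated pIRQ yields an error return and a capped log line rather than a host crash or unbounded log output.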
The NULL pointer de-reference would lead to a host crash, and hence a denial of service would result.
The spamming of the hypervisor log could similarly lead to a denial of service.