insufficient permissions checks accessing guest memory on ARM

When accessing guest memory Xen does not correctly perform permissions checks on the (possibly guest provided) virtual address: it only checks that the mapping is readable by the guest, even when writing on behalf of the guest. This allows a guest to write to memory which it should only be able to read.

A guest running on a vulnerable system is able to write to memory which should be read-only. This includes supposedly read-only foreign mappings established using the grant table mechanism. Such read-only mappings are commonly used as part of the paravirtualised I/O drivers (such as guest disk write and network transmit).

In order to exploit this vulnerability the guest must have a mapping of the memory; it does not allow access to arbitrary addresses.

In other words, Xen does not check the read/write permission of memory that is already mapped, so some pages that should be read-only become writable by the guest VM.

missing permission check (improper permission)

xen: arm: check permissions when copying to/from guest virtual addresses

In particular we need to make sure the guest has write permissions to buffers which it passes as output buffers for hypercalls, otherwise the guest can overwrite memory which it shouldn’t be able to write (like r/o grant table mappings).
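The following is an added illustration (not Xen's code, and not the patch referenced above) of the defect the commit message describes: a copy into guest memory that only checks the mapping is readable, next to the corrected version that demands write permission for writes. The guest page table, the permission bits, and the helper names (gva_to_ptr, copy_to_guest_vulnerable, copy_to_guest_fixed, make_demo_guest) are all constructed for this example; real Xen walks the guest's stage-1 page tables and uses different function names.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of guest virtual memory, constructed for this example: each
 * 4 KiB guest virtual page maps to a host backing buffer and carries the
 * read/write permission the guest was granted for it. */
#define PAGE_SHIFT 12
#define PAGE_SIZE  ((size_t)1 << PAGE_SHIFT)
#define NR_PAGES   4

enum { PERM_R = 1u, PERM_W = 2u };

struct gpage {
    uint8_t *backing;   /* host memory backing this guest page, NULL if unmapped */
    unsigned perm;      /* PERM_R | PERM_W as granted to the guest */
};

struct guest {
    struct gpage pt[NR_PAGES];
};

/* Resolve a guest virtual address to backing memory, refusing the access
 * unless the mapping grants every bit in 'need' and the range stays inside
 * one page. Returns NULL on any failure so the caller reports a fault. */
static uint8_t *gva_to_ptr(struct guest *g, uintptr_t gva, size_t len, unsigned need)
{
    uintptr_t page = gva >> PAGE_SHIFT;
    uintptr_t off  = gva & (PAGE_SIZE - 1);
    if (page >= NR_PAGES || off + len > PAGE_SIZE)
        return NULL;
    struct gpage *p = &g->pt[page];
    if (p->backing == NULL || (p->perm & need) != need)
        return NULL;
    return p->backing + off;
}

/* The vulnerable pattern: a copy *to* the guest that only verifies the
 * destination is readable, so a read-only page (e.g. a r/o grant mapping)
 * is accepted as a hypercall output buffer. Returns 0 on success, -1 on fault. */
int copy_to_guest_vulnerable(struct guest *g, uintptr_t dst_gva, const void *src, size_t len)
{
    uint8_t *dst = gva_to_ptr(g, dst_gva, len, PERM_R);   /* wrong: must require PERM_W */
    if (dst == NULL)
        return -1;
    memcpy(dst, src, len);
    return 0;
}

/* The corrected pattern: the permission demanded matches the direction of the copy. */
int copy_to_guest_fixed(struct guest *g, uintptr_t dst_gva, const void *src, size_t len)
{
    uint8_t *dst = gva_to_ptr(g, dst_gva, len, PERM_W);
    if (dst == NULL)
        return -1;
    memcpy(dst, src, len);
    return 0;
}

/* Reads from the guest only need read permission. */
int copy_from_guest(struct guest *g, void *dst, uintptr_t src_gva, size_t len)
{
    const uint8_t *src = gva_to_ptr(g, src_gva, len, PERM_R);
    if (src == NULL)
        return -1;
    memcpy(dst, src, len);
    return 0;
}

/* Constructed guest: page 0 is mapped read-only (as a r/o grant mapping would
 * be), page 1 is read-write, pages 2 and 3 are unmapped. Backing pages are
 * zeroed on every call so the demo is repeatable. */
struct guest *make_demo_guest(void)
{
    static uint8_t ro_page[PAGE_SIZE], rw_page[PAGE_SIZE];
    static struct guest g;
    memset(ro_page, 0, sizeof ro_page);
    memset(rw_page, 0, sizeof rw_page);
    memset(&g, 0, sizeof g);
    g.pt[0].backing = ro_page; g.pt[0].perm = PERM_R;
    g.pt[1].backing = rw_page; g.pt[1].perm = PERM_R | PERM_W;
    return &g;
}

/* True if the first byte of the read-only page has been overwritten. */
bool demo_ro_page_modified(struct guest *g)
{
    return g->pt[0].backing[0x10] != 0;
}

int main(void)
{
    struct guest *g = make_demo_guest();
    const char out[] = "hypercall output";
    printf("vulnerable copy into r/o page: %d (0 = accepted)\n",
           copy_to_guest_vulnerable(g, 0x10, out, sizeof out));
    printf("fixed copy into r/o page:      %d (-1 = refused)\n",
           copy_to_guest_fixed(g, 0x10, out, sizeof out));
    printf("fixed copy into r/w page:      %d (0 = accepted)\n",
           copy_to_guest_fixed(g, PAGE_SIZE + 0x10, out, sizeof out));
    return 0;
}
```

The detection logic lives entirely in the single `need` argument to the translation step: every copy helper must pass the permission matching its own direction, and a review of any copy-to-guest path that passes a read-only requirement is exactly what the patch above corrects.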

A domain that is deliberately exchanging data with another, malicious, domain may be vulnerable to privilege escalation. The vulnerability depends on the precise behaviour of the victim domain.

In a typical configuration this means that, depending on the behaviour of the toolstack or device driver domain, a malicious guest administrator might be able to escalate their privilege to that of the whole host.

privilege escalation