[Xen-bugs] [Bug 730] New: Spurious page fault detection: exploitable machine crash from domU



http://bugzilla.xensource.com/bugzilla/show_bug.cgi?id=730

           Summary: Spurious page fault detection: exploitable machine crash
                    from domU
           Product: Xen
           Version: 3.0.2
          Platform: x86
        OS/Version: All
            Status: NEW
          Severity: major
          Priority: P1
         Component: Hypervisor
        AssignedTo: xen-bugs@xxxxxxxxxxxxxxxxxxx
        ReportedBy: yourst@xxxxxxxxxx


The spurious page fault detection code in __spurious_page_fault() has a serious
logic bug that allows any domU to crash the machine. Here's the scenario:

- Guest sets its kernel sp to a non-writable page
- Guest triggers a page fault at some unrelated location
- In entry.S, the attempt to build the bounce frame at label FLT4 traps
- The page fault handler is called again and checks for a spurious fault
- Fault while building bounce frame is incorrectly detected as spurious, and no
action is taken
- Returns to create_bounce_frame, which faults in an infinite loop

There's a logic error in the four PTE flags checks:

   if ( !(l1e_get_flags(l1e) & required_flags) ||

should be:

   if ( ((l1e_get_flags(l1e) & required_flags) != required_flags) ||

in all four PT levels.

This problem has apparently been in both xen-unstable and 3.0.x for a while.
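The flag test described above, reduced to a small stand-alone model so the two forms can be compared on the reported scenario (a kernel write to a present but read-only page). This is an added illustration, not code from the report or from Xen; the `PAGE_*` bit values follow the x86 PTE layout, and the way `masks_for_fault` derives `required`/`disallowed` from the #PF error code is my assumption about the caller, not something the report states.

```c
#include <stdint.h>
#include <stdio.h>

/* x86 page-table entry flag bits. */
#define PAGE_PRESENT 0x1u
#define PAGE_RW      0x2u
#define PAGE_USER    0x4u
#define PAGE_NX      (1ull << 63)

/* Per-level test as it read before the patch: only rejects an entry that
 * has NONE of the required bits. Returns 1 when the walk may continue. */
static int level_ok_old(uint64_t flags, uint64_t required, uint64_t disallowed)
{
    if ( !(flags & required) || (flags & disallowed) )
        return 0;
    return 1;
}

/* Per-level test after the patch: rejects an entry missing ANY required bit. */
static int level_ok_new(uint64_t flags, uint64_t required, uint64_t disallowed)
{
    if ( ((flags & required) != required) || (flags & disallowed) )
        return 0;
    return 1;
}

/* Assumed mask construction from the x86 #PF error code:
 * bit1 = write access, bit2 = user mode, bit4 = instruction fetch. */
static void masks_for_fault(unsigned int error_code,
                            uint64_t *required, uint64_t *disallowed)
{
    *required = PAGE_PRESENT;
    *disallowed = 0;
    if (error_code & 0x2)  *required |= PAGE_RW;
    if (error_code & 0x4)  *required |= PAGE_USER;
    if (error_code & 0x10) *disallowed |= PAGE_NX;
}

/* 1 if this level's check lets the fault be classified as spurious. */
int treated_as_spurious(int use_fixed_check, uint64_t pte_flags,
                        unsigned int error_code)
{
    uint64_t req, dis;
    masks_for_fault(error_code, &req, &dis);
    return use_fixed_check ? level_ok_new(pte_flags, req, dis)
                           : level_ok_old(pte_flags, req, dis);
}

int main(void)
{
    /* Constructed scenario from the report: write (error code 0x3) to a
     * page that is present but not writable. */
    printf("old check: spurious=%d\n", treated_as_spurious(0, PAGE_PRESENT, 0x3));
    printf("new check: spurious=%d\n", treated_as_spurious(1, PAGE_PRESENT, 0x3));
    return 0;
}
```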

Patch follows:

diff -r ea04335d238b xen/arch/x86/traps.c
--- a/xen/arch/x86/traps.c      Thu Aug  3 18:45:14 2006
+++ b/xen/arch/x86/traps.c      Tue Aug  8 23:17:59 2006
@@ -780,7 +780,7 @@
     l4e = l4t[l4_table_offset(addr)];
     mfn = l4e_get_pfn(l4e);
     unmap_domain_page(l4t);
-    if ( !(l4e_get_flags(l4e) & required_flags) ||
+    if ( ((l4e_get_flags(l4e) & required_flags) != required_flags) ||
          (l4e_get_flags(l4e) & disallowed_flags) )
         return 0;
 #endif
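Review bot: the corrected `l4e` test is the right fix: `!(x & required_flags)` only rejects an entry that has none of the required bits, so whenever `required_flags` carries more than one bit an entry with only some of them still passes and the walk continues as if the access were legal, whereas `(x & required_flags) != required_flags` rejects on any missing bit. Since the same condition is repeated at every level, a one-line comment here stating that every required bit must be set would make the intent explicit.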
@@ -797,7 +797,7 @@
     if ( !(l3e_get_flags(l3e) & _PAGE_PRESENT) )
         return 0;
 #else
-    if ( !(l3e_get_flags(l3e) & required_flags) ||
+    if ( ((l3e_get_flags(l3e) & required_flags) != required_flags) ||
          (l3e_get_flags(l3e) & disallowed_flags) )
         return 0;
 #endif
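Review bot: only the `#else` branch of the `l3e` test is corrected; the branch above it still tests `_PAGE_PRESENT` alone (`if ( !(l3e_get_flags(l3e) & _PAGE_PRESENT) )`). If that branch is the layout in which L3 entries carry no writable/user bits this is correct, but a short comment saying so would stop a later reader from filing the same bug against it.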
@@ -807,7 +807,7 @@
     l2e = l2t[l2_table_offset(addr)];
     mfn = l2e_get_pfn(l2e);
     unmap_domain_page(l2t);
-    if ( !(l2e_get_flags(l2e) & required_flags) ||
+    if ( ((l2e_get_flags(l2e) & required_flags) != required_flags) ||
          (l2e_get_flags(l2e) & disallowed_flags) )
         return 0;
     if ( l2e_get_flags(l2e) & _PAGE_PSE )
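Review bot: the corrected `l2e` test is immediately followed by the `_PAGE_PSE` branch, so for a superpage mapping this is the last flags check before the function can report the fault as spurious; with the old `!(... & required_flags)` form a present, read-only superpage would have passed entirely. A regression test should cover the superpage path as well as the 4K-page path fixed in the next hunk.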
@@ -820,7 +820,7 @@
     l1e = l1t[l1_table_offset(addr)];
     mfn = l1e_get_pfn(l1e);
     unmap_domain_page(l1t);
-    if ( !(l1e_get_flags(l1e) & required_flags) ||
+    if ( ((l1e_get_flags(l1e) & required_flags) != required_flags) ||
          (l1e_get_flags(l1e) & disallowed_flags) )
         return 0;
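Review bot: this is the fourth copy of an identical three-line condition, and the original bug was the same mistake pasted into all four; consider folding the test into one small static inline helper that takes the entry's flags, so the condition has a single definition and cannot drift between levels again.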

