[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] Xen Security Advisory 4 (CVE-2011-2901) - Xen 3.3 vaddr validation



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

             Xen Security Advisory CVE-2011-2901 / XSA-4
                        revision no.2
        Xen <= 3.3 DoS due to incorrect virtual address validation

ISSUE DESCRIPTION
=================

The x86_64 __addr_ok() macro intends to ensure that the checked
address is either in the positive half of the 48-bit virtual address
space, or above the Xen-reserved area. However, the current shift
count is off-by-one, allowing full access to the "negative half" too,
via certain hypercalls which ignore virtual-address bits [63:48].
Vulnerable hypercalls exist only in very old versions of the
hypervisor.

VULNERABLE SYSTEMS
==================

All systems running a Xen 3.3 or earlier hypervisor with 64-bit PV
guests with untrusted administrators are vulnerable.

IMPACT
======

A malicious guest administrator on a vulnerable system is able to
crash the host.

There are no known further exploits but these have not been ruled out.

RESOLUTION
==========

The attached patch resolves the issue.

Alternatively, users may choose to upgrade to a more recent hypervisor

PATCHES
=======

The following patch resolves this issue.

Filename: fix-__addr_ok-limit.patch
SHA1: f18bde8d276110451c608a16f577865aa1226b4f
SHA256: 2da5aac72e1ac4849c34d38374ae456795905fd9512eef94b48fc31383c21636

This patch should apply cleanly, and fix the problem, for all affected
versions of Xen.

It is harmless when applied to later hypervisors and will be included
in the Xen unstable branch in due course.

VERSION HISTORY
===============

Analysis following version 1 of this advisory (sent out to the
predisclosure list during the embargo period) indicates that the
actual DoS vulnerability only exists in very old hypervisors, Xen 3.3
and earlier, contrary to previous reports.

This advisory is no longer embargoed.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQEcBAEBAgAGBQJOYLq2AAoJEIP+FMlX6CvZLegH/26/oJBkd/WM/yYhXkzlbnIP
MxF6Fgy96Omu8poQTanD7g1vEcM0TOLY+Kk3GGsfj4aDdEJ5Nq4ZOW8ooI0VnVcD
7VXQqFsXPxre+eZ6g+G0AsmzdsG45C3qujUTRfGKqzYwXqjWjt9nNsdIy1Mrz8/4
zG1uLDkN0LXnBG2Te4q8ZckYwMq8gFXHHnH35RfQ5Besu6pvJmtK3rFXETdlP12A
JjBh7t5jsCfzvYWFQehVp8mJupuftiOBPClmVh4vrvN9gYd5rzEgB4Q9Ioiqz2qT
2bE1zegR8NeOKBOi9xriTU8F530OdFzeWAbo7D5gyEbYdc60eNwbadcgNGLbzMg=
=09T8
-----END PGP SIGNATURE-----
Subject: XSA-4: xen: correct limit checking in x86_64 version of __addr_ok

The x86_64 __addr_ok() macro intends to ensure that the checked
address is either in the positive half of the 48-bit virtual address
space, or above the Xen-reserved area. However, the current shift
count is off-by-one, allowing full access to the "negative half"
too. Guests may exploit this to gain access to off-limits ranges.

This issue has been assigned CVE-2011-2901.

Signed-off-by: Laszlo Ersek <lersek@xxxxxxxxxx>
Signed-off-by: Ian Campbell <ian.campbell@xxxxxxxxxx>

diff --git a/xen/include/asm-x86/x86_64/uaccess.h 
b/xen/include/asm-x86/x86_64/uaccess.h
--- a/xen/include/asm-x86/x86_64/uaccess.h
+++ b/xen/include/asm-x86/x86_64/uaccess.h
@@ -34,7 +34,7 @@
  * non-canonical address (and thus fault) before ever reaching VIRT_START.
  */
 #define __addr_ok(addr) \
-    (((unsigned long)(addr) < (1UL<<48)) || \
+    (((unsigned long)(addr) < (1UL<<47)) || \
      ((unsigned long)(addr) >= HYPERVISOR_VIRT_END))
 
 #define access_ok(addr, size) \
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.