Re: [Xen-devel] Xen Security Advisory 173 (CVE-2016-3960) - x86 shadow pagetables: address width overflow
Hi,

On 18.04.2016 at 15:31, Xen.org security team wrote:
> Xen Security Advisory CVE-2016-3960 / XSA-173
> version 3
>
> x86 shadow pagetables: address width overflow
...
> ISSUE DESCRIPTION
> =================
> In the x86 shadow pagetable code, the guest frame number of a
> superpage mapping is stored in a 32-bit field. If a shadowed guest
> can cause a superpage mapping of a guest-physical address at or above
> 2^44 to be shadowed, the top bits of the address will be lost, causing
> an assertion failure or NULL dereference later on, in code that
> removes the shadow.
...
> VULNERABLE SYSTEMS
> ==================
> Xen versions from 3.4 onwards are affected.
>
> Only x86 variants of Xen are susceptible. ARM variants are not
> affected.
...
> RESOLUTION
> ==========
> Applying the appropriate attached patch resolves this issue.
...
> xsa173-4.3.patch Xen 4.3.x

As Xen-4.2 and Xen-4.1 are also vulnerable, I'm trying to backport this. The 4.3 patch applies mostly, but compilation fails as x86-32-bit support was dropped with Xen-4.3 and _PAGE_INVALID_BIT remains undefined for x86-32:

> guest_walk.c: In function 'mandatory_flags':
> guest_walk.c:66:40: error: '_PAGE_INVALID_BIT' undeclared (first use in this
> function)
> guest_walk.c:66:40: note: each undeclared identifier is reported only once
> for each function it appears in
> guest_walk.c: In function 'guest_walk_tables_2_levels':
> guest_walk.c:146:30: error: '_PAGE_INVALID_BIT' undeclared (first use in this
> function)
> guest_walk.c: In function 'mandatory_flags':
> guest_walk.c:67:1: error: control reaches end of non-void function
> [-Werror=return-type]

It's only defined for x86-64:

> --- a/xen/include/asm-x86/x86_64/page.h
> +++ b/xen/include/asm-x86/x86_64/page.h
...
> +/*
> + * Bit 24 of a 24-bit flag mask! This is not any bit of a real pte,
> + * and is only used for signalling in variables that contain flags.
> + */
> +#define _PAGE_INVALID_BIT (1U<<24)
> +
> #endif /* __X86_64_PAGE_H__ */

I guess using bit 24 is okay for 32 bit, too. Can someone confirm that please?

Philipp

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
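Review bot: The `_PAGE_INVALID_BIT` define is added only to xen/include/asm-x86/x86_64/page.h, so a tree that still builds the users of this flag for x86-32 has no definition at all, which is what the `'_PAGE_INVALID_BIT' undeclared` errors from guest_walk.c quoted above show. For a backport to a tree with both sub-architectures, the define needs a counterpart in the 32-bit page header or a move to a header both builds include. The comment would also benefit from saying outright that the value lies outside the 24-bit flag mask on purpose, so variables carrying it must be wider than 24 bits and it must be tested for and dropped before any flags reach a real pte.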
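The width arithmetic behind the advisory text quoted in the message above, as an added example (not code from Xen or from this thread): with 4 KiB pages a 32-bit frame-number field only covers guest-physical addresses below 2^44, and an unchecked store silently drops the top bits. `struct sp_record` and the function names are hypothetical stand-ins, and the sample addresses are constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12            /* 4 KiB x86 pages */

/* Hypothetical stand-in for a record with a 32-bit frame-number field. */
struct sp_record {
    uint32_t gfn32;
};

/* Unchecked store: bits 32 and up of the frame number are silently dropped. */
static void store_unchecked(struct sp_record *r, uint64_t gpa)
{
    r->gfn32 = (uint32_t)(gpa >> PAGE_SHIFT);
}

/* Checked store: refuse any frame number that does not fit the field. */
static int store_checked(struct sp_record *r, uint64_t gpa)
{
    uint64_t gfn = gpa >> PAGE_SHIFT;

    if (gfn > UINT32_MAX)
        return -1;               /* caller must not record this mapping */
    r->gfn32 = (uint32_t)gfn;
    return 0;
}

/* Address that later code would reconstruct from the stored field. */
static uint64_t recovered_gpa(const struct sp_record *r)
{
    return (uint64_t)r->gfn32 << PAGE_SHIFT;
}

int main(void)
{
    /* Constructed sample addresses around the 2^44 boundary. */
    const uint64_t samples[] = { (1ULL << 44) - 4096, 1ULL << 44,
                                 (1ULL << 44) + (2ULL << 20) };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        struct sp_record a = {0}, b = {0};

        store_unchecked(&a, samples[i]);
        printf("gpa %#llx -> recovered %#llx, checked store: %s\n",
               (unsigned long long)samples[i],
               (unsigned long long)recovered_gpa(&a),
               store_checked(&b, samples[i]) ? "rejected" : "ok");
    }
    return 0;
}
```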