WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
To: xen-bugs@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-bugs] [Bug 730] New: Spurious page fault detection: exploitable machine crash from domU
From: bugzilla-daemon@xxxxxxxxxxxxxxxxxxx
Date: Tue, 08 Aug 2006 20:38:14 -0700
Delivery-date: Tue, 08 Aug 2006 20:38:51 -0700
Reply-to: bugs@xxxxxxxxxxxxxxxxxx
http://bugzilla.xensource.com/bugzilla/show_bug.cgi?id=730

           Summary: Spurious page fault detection: exploitable machine crash
                    from domU
           Product: Xen
           Version: 3.0.2
          Platform: x86
        OS/Version: All
            Status: NEW
          Severity: major
          Priority: P1
         Component: Hypervisor
        AssignedTo: xen-bugs@xxxxxxxxxxxxxxxxxxx
        ReportedBy: yourst@xxxxxxxxxx


The spurious page fault detection code in __spurious_page_fault() has a serious
logic bug that allows any domU to crash the machine. Here's the scenario:

- Guest sets its kernel sp to a non-writable page
- Guest triggers a page fault at some unrelated location
- In entry.S, the attempt to build the bounce frame at label FLT4 traps
- The page fault handler is called again and checks for a spurious fault
- Fault while building bounce frame is incorrectly detected as spurious, and no
action is taken
- Returns to create_bounce_frame, which faults in an infinite loop

There's a logic error in the four PTE flags checks:

   if ( !(l1e_get_flags(l1e) & required_flags) ||

should be:

   if ( ((l1e_get_flags(l1e) & required_flags) != required_flags) ||

in all four PT levels.

This problem has apparently been in both xen-unstable and 3.0.x for a while.

Patch follows:

diff -r ea04335d238b xen/arch/x86/traps.c
--- a/xen/arch/x86/traps.c      Thu Aug  3 18:45:14 2006
+++ b/xen/arch/x86/traps.c      Tue Aug  8 23:17:59 2006
@@ -780,7 +780,7 @@
     l4e = l4t[l4_table_offset(addr)];
     mfn = l4e_get_pfn(l4e);
     unmap_domain_page(l4t);
-    if ( !(l4e_get_flags(l4e) & required_flags) ||
+    if ( ((l4e_get_flags(l4e) & required_flags) != required_flags) ||
          (l4e_get_flags(l4e) & disallowed_flags) )
         return 0;
 #endif
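Review bot: the switch from `!(l4e_get_flags(l4e) & required_flags)` to `((l4e_get_flags(l4e) & required_flags) != required_flags)` is the right fix at this level, because the old form only rejected an entry when none of the required bits was set, so a present but read-only entry passed a PRESENT|RW requirement; the `disallowed_flags` test on the next line correctly keeps the plain `&` form, since any single disallowed bit should reject. The extra outer parentheses are redundant but harmless; a short comment above the check saying that all required bits must be present would make the asymmetry between the two lines obvious to the next reader.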
@@ -797,7 +797,7 @@
     if ( !(l3e_get_flags(l3e) & _PAGE_PRESENT) )
         return 0;
 #else
-    if ( !(l3e_get_flags(l3e) & required_flags) ||
+    if ( ((l3e_get_flags(l3e) & required_flags) != required_flags) ||
          (l3e_get_flags(l3e) & disallowed_flags) )
         return 0;
 #endif
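Review bot: this hunk only changes the branch after `#else`; the branch before it still tests the L3 entry with `!(l3e_get_flags(l3e) & _PAGE_PRESENT)`, which is correct for a single bit and needs no change, but a one-line comment explaining why that configuration validates only the present bit rather than the full required_flags/disallowed_flags pair would stop a later reader from "fixing" it to match the other levels.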
@@ -807,7 +807,7 @@
     l2e = l2t[l2_table_offset(addr)];
     mfn = l2e_get_pfn(l2e);
     unmap_domain_page(l2t);
-    if ( !(l2e_get_flags(l2e) & required_flags) ||
+    if ( ((l2e_get_flags(l2e) & required_flags) != required_flags) ||
          (l2e_get_flags(l2e) & disallowed_flags) )
         return 0;
     if ( l2e_get_flags(l2e) & _PAGE_PSE )
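Review bot: the corrected check sits before `if ( l2e_get_flags(l2e) & _PAGE_PSE )`, so a superpage L2 entry is now validated against the same required and disallowed flags as an ordinary one; since this is the level where the superpage path diverges, the report's scenario (kernel stack on a non-writable page) is worth re-running once with the stack backed by a superpage mapping to confirm both paths now reject the read-only case.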
@@ -820,7 +820,7 @@
     l1e = l1t[l1_table_offset(addr)];
     mfn = l1e_get_pfn(l1e);
     unmap_domain_page(l1t);
-    if ( !(l1e_get_flags(l1e) & required_flags) ||
+    if ( ((l1e_get_flags(l1e) & required_flags) != required_flags) ||
          (l1e_get_flags(l1e) & disallowed_flags) )
         return 0;
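Review bot: after this hunk the same three-line test appears at all four levels with only the accessor name changing, which is exactly how the original `!` form went unnoticed in four places; a small helper along the lines of `static inline int flags_ok(unsigned int f, unsigned int req, unsigned int dis) { return ((f & req) == req) && !(f & dis); }` called as `if ( !flags_ok(l1e_get_flags(l1e), required_flags, disallowed_flags) ) return 0;` would keep the levels from drifting apart again.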


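To make the logic error concrete, here is an added C model (not Xen's code; the four-entry walk path is a constructed stand-in for the real page-table walk, and deriving required_flags from the fault's error code is an assumption) that runs the reporter's scenario through both the original and the patched predicate:

```c
#include <stdbool.h>
#include <stdio.h>
#define _PAGE_PRESENT 0x001u   /* architectural x86 PTE bits */
#define _PAGE_RW      0x002u

/* Constructed stand-in for one walk path: flags of the L4, L3, L2 and L1 entries
 * mapping the faulting address. Not Xen's real walker. */
typedef struct { unsigned int flags[4]; } walk_t;
typedef bool (*entry_ok_fn)(unsigned int f, unsigned int req, unsigned int dis);

/* Original Xen 3.0.2 test: an entry passes if ANY required bit is set. */
static bool entry_ok_buggy(unsigned int f, unsigned int req, unsigned int dis)
{
    return !( !(f & req) || (f & dis) );
}

/* Test from the bug 730 patch: an entry passes only if ALL required bits are set. */
static bool entry_ok_fixed(unsigned int f, unsigned int req, unsigned int dis)
{
    return !( ((f & req) != req) || (f & dis) );
}

/* 1 = "spurious": every level looks valid for this access, so the handler takes
 * no action and returns; 0 = a real fault that must be handled. */
static int is_spurious(const walk_t *w, unsigned int req, unsigned int dis, entry_ok_fn ok)
{
    for (int lvl = 0; lvl < 4; lvl++)
        if (!ok(w->flags[lvl], req, dis))
            return 0;
    return 1;
}

/* Scenario from the report: the bounce frame is written to a guest kernel stack
 * whose L1 entry is present but read-only. A write needs PRESENT|RW (assumption:
 * Xen derives required_flags from the fault's error code). */
static int ro_stack_verdict(entry_ok_fn ok)
{
    walk_t w = { { _PAGE_PRESENT | _PAGE_RW,   /* L4..L2: writable, constructed */
                   _PAGE_PRESENT | _PAGE_RW,
                   _PAGE_PRESENT | _PAGE_RW,
                   _PAGE_PRESENT } };          /* L1: read-only stack page */
    return is_spurious(&w, _PAGE_PRESENT | _PAGE_RW, 0, ok);
}

int main(void)
{
    printf("buggy: spurious=%d (handler returns, FLT4 faults again: loop)\n", ro_stack_verdict(entry_ok_buggy));
    printf("fixed: spurious=%d (handled as a real fault)\n", ro_stack_verdict(entry_ok_fixed));
    return 0;
}
```

With the original predicate the read-only stack is reported as spurious, which is why the handler returns to the bounce-frame code and faults again indefinitely.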