From: Philipp Hahn <hahn@univention.de>
To: Tim Deegan <tim@xen.org>, Jan Beulich <jbeulich@suse.com>
Cc: Stefan Bader <stefan.bader@canonical.com>, Xen-devel@lists.xen.org
Subject: Re: Xen Security Advisory 173 (CVE-2016-3960) - x86 shadow pagetables: address width overflow
Date: Fri, 13 May 2016 12:55:56 +0200
Message-ID: <5735B2BC.3010706@univention.de>
In-Reply-To: <E1as9H5-0006bS-1g@xenbits.xenproject.org>

Hi,


On 18.04.2016 at 15:31, Xen.org security team wrote:
>             Xen Security Advisory CVE-2016-3960 / XSA-173
>                               version 3
> 
>              x86 shadow pagetables: address width overflow
...
> ISSUE DESCRIPTION
> =================
> In the x86 shadow pagetable code, the guest frame number of a
> superpage mapping is stored in a 32-bit field.  If a shadowed guest
> can cause a superpage mapping of a guest-physical address at or above
> 2^44 to be shadowed, the top bits of the address will be lost, causing
> an assertion failure or NULL dereference later on, in code that
> removes the shadow.
...
> VULNERABLE SYSTEMS
> ==================
> Xen versions from 3.4 onwards are affected.
> 
> Only x86 variants of Xen are susceptible.  ARM variants are not
> affected.
...
> RESOLUTION
> ==========
> Applying the appropriate attached patch resolves this issue.
...
> xsa173-4.3.patch       Xen 4.3.x

As Xen-4.2 and xen-4.1 are also vulnerable, I'm trying to backport this.
The 4.3 patch applies mostly, but compilation fails as x86-32-bit
support was dropped with Xen-4.3 and _PAGE_INVALID_BIT remains
undefined for x86-32:
> guest_walk.c: In function 'mandatory_flags':
> guest_walk.c:66:40: error: '_PAGE_INVALID_BIT' undeclared (first use in this function)
> guest_walk.c:66:40: note: each undeclared identifier is reported only once for each function it appears in
> guest_walk.c: In function 'guest_walk_tables_2_levels':
> guest_walk.c:146:30: error: '_PAGE_INVALID_BIT' undeclared (first use in this function)
> guest_walk.c: In function 'mandatory_flags':
> guest_walk.c:67:1: error: control reaches end of non-void function [-Werror=return-type]

It's only defined for x86-64:
> --- a/xen/include/asm-x86/x86_64/page.h
> +++ b/xen/include/asm-x86/x86_64/page.h
...
> +/*
> + * Bit 24 of a 24-bit flag mask!  This is not any bit of a real pte,
> + * and is only used for signalling in variables that contain flags.
> + */
> +#define _PAGE_INVALID_BIT (1U<<24)
> +
>  #endif /* __X86_64_PAGE_H__ */
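Review bot: the #define only lands in xen/include/asm-x86/x86_64/page.h, while its users mandatory_flags() and guest_walk_tables_2_levels() in guest_walk.c are built for every x86 width, so on a tree that still has x86-32 (the 4.2/4.1 backport) the build fails exactly as the errors above show; for the backport, put the #define in a header both page widths include, or add an identical definition on the x86-32 side. The comment "Bit 24 of a 24-bit flag mask!" also reads as a contradiction; "one bit above the 24-bit flag mask (bits 0..23)" says what is meant.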

I guess using bit 24 is okay for 32 bit, too.

Can someone confirm that please?

Philipp
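The overflow the advisory describes and the flag-bit question from the mail, as an added C example that is not from the advisory, the patch or Xen's tree: a superpage gfn is narrowed into a 32-bit field, a checked variant refuses it instead, and a small check confirms bit 24 clears both the architectural PTE flag bits and the 24-bit flag mask. PAGE_SHIFT, GPA_WIDTH_LIMIT, the struct and every function name are assumptions, and the bit check says nothing about Xen's own 32-bit flag handling, which is what the mail asks.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration, not Xen's code: the shadow code keeps the guest
 * frame number (gfn = gpa >> PAGE_SHIFT) of a superpage in a 32-bit field. */
#define PAGE_SHIFT        12
#define GPA_WIDTH_LIMIT   (1ULL << 44)  /* bound named in XSA-173 */
#define _PAGE_INVALID_BIT (1U << 24)    /* value from the quoted patch */

struct shadow_superpage { uint32_t gfn; };  /* fits gfn < 2^32, gpa < 2^44 */

/* The defect: narrow the gfn unchecked; bits 32 and up are silently lost. */
static uint32_t store_gfn_unchecked(uint64_t gpa)
{
    return (uint32_t)(gpa >> PAGE_SHIFT);
}

/* Does the 32-bit field still name the frame the gpa lies in? */
static bool gfn_round_trips(uint64_t gpa)
{
    struct shadow_superpage sp = { .gfn = store_gfn_unchecked(gpa) };
    return ((uint64_t)sp.gfn << PAGE_SHIFT) == (gpa & ~((1ULL << PAGE_SHIFT) - 1));
}

/* Hardened path: refuse to shadow a superpage whose gfn cannot fit, instead
 * of truncating and tripping the assertion/NULL dereference on removal. */
static bool store_gfn_checked(uint64_t gpa, struct shadow_superpage *sp)
{
    if (gpa >= GPA_WIDTH_LIMIT)
        return false;
    sp->gfn = (uint32_t)(gpa >> PAGE_SHIFT);
    return true;
}

/* Flag-only bit: outside real PTE flag bits 0..11 and above the 24-bit mask. */
static bool invalid_bit_is_flag_only(void)
{
    return (_PAGE_INVALID_BIT & 0xFFFU) == 0 &&
           (_PAGE_INVALID_BIT & ((1U << 24) - 1)) == 0;
}

int main(void)
{
    struct shadow_superpage sp;
    printf("below 2^44 round-trips: %d\n", gfn_round_trips(GPA_WIDTH_LIMIT - 4096));
    printf("at 2^44 round-trips: %d, checked store accepted: %d\n",
           gfn_round_trips(GPA_WIDTH_LIMIT), store_gfn_checked(GPA_WIDTH_LIMIT, &sp));
    return 0;
}
```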
