xen-devel.lists.xenproject.org archive mirror
From: Philipp Hahn <hahn@univention.de>
To: Tim Deegan <tim@xen.org>, Jan Beulich <jbeulich@suse.com>
Cc: Stefan Bader <stefan.bader@canonical.com>, Xen-devel@lists.xen.org
Subject: Re: Xen Security Advisory 173 (CVE-2016-3960) - x86 shadow pagetables: address width overflow
Date: Fri, 13 May 2016 12:55:56 +0200
Message-ID: <5735B2BC.3010706@univention.de>
In-Reply-To: <E1as9H5-0006bS-1g@xenbits.xenproject.org>

Hi,


On 18.04.2016 at 15:31, Xen.org security team wrote:
>             Xen Security Advisory CVE-2016-3960 / XSA-173
>                               version 3
> 
>              x86 shadow pagetables: address width overflow
...
> ISSUE DESCRIPTION
> =================
> In the x86 shadow pagetable code, the guest frame number of a
> superpage mapping is stored in a 32-bit field.  If a shadowed guest
> can cause a superpage mapping of a guest-physical address at or above
> 2^44 to be shadowed, the top bits of the address will be lost, causing
> an assertion failure or NULL dereference later on, in code that
> removes the shadow.
...
> VULNERABLE SYSTEMS
> ==================
> Xen versions from 3.4 onwards are affected.
> 
> Only x86 variants of Xen are susceptible.  ARM variants are not
> affected.
...
> RESOLUTION
> ==========
> Applying the appropriate attached patch resolves this issue.
...
> xsa173-4.3.patch       Xen 4.3.x

As Xen-4.2 and xen-4.1 are also vulnerable, I'm trying to backport this.
The 4.3 patch applies mostly, but compilation fails as x86-32-bit
support was dropped with Xen-4.3 and _PAGE_INVALID_BIT remains
undefined for x86-32:
> guest_walk.c: In function 'mandatory_flags':
> guest_walk.c:66:40: error: '_PAGE_INVALID_BIT' undeclared (first use in this function)
> guest_walk.c:66:40: note: each undeclared identifier is reported only once for each function it appears in
> guest_walk.c: In function 'guest_walk_tables_2_levels':
> guest_walk.c:146:30: error: '_PAGE_INVALID_BIT' undeclared (first use in this function)
> guest_walk.c: In function 'mandatory_flags':
> guest_walk.c:67:1: error: control reaches end of non-void function [-Werror=return-type]

It's only defined for x86-64:
> --- a/xen/include/asm-x86/x86_64/page.h
> +++ b/xen/include/asm-x86/x86_64/page.h
...
> +/*
> + * Bit 24 of a 24-bit flag mask!  This is not any bit of a real pte,
> + * and is only used for signalling in variables that contain flags.
> + */
> +#define _PAGE_INVALID_BIT (1U<<24)
> +
>  #endif /* __X86_64_PAGE_H__ */
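Review bot: the new `_PAGE_INVALID_BIT` define is placed in the x86_64-only header (`xen/include/asm-x86/x86_64/page.h`, just before `#endif /* __X86_64_PAGE_H__ */`), while its consumers in `guest_walk.c` (`mandatory_flags`, `guest_walk_tables_2_levels`) are compiled for both 32-bit and 64-bit hypervisors in the 4.1/4.2 trees, which is exactly what the `'_PAGE_INVALID_BIT' undeclared` errors above show. For a backport to those trees the define has to live in a header both variants include; the hunk's own comment says the value "is not any bit of a real pte, and is only used for signalling in variables that contain flags", so nothing about it is 64-bit specific, but the "24-bit flag mask" claim should be checked against the 32-bit tree's flag mask width before assuming bit 24 is free there too. It would also help to name that mask in the comment so a reader can verify bit 24 really lies outside it.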

I guess using bit 24 is okay for 32 bit, too.

Can someone confirm that please?

Philipp

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
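The advisory quoted above describes the defect in two sentences: the guest frame number of a shadowed superpage is kept in a 32-bit field, so any guest-physical address at or above 2^44 (a 32-bit gfn times 4K pages) has its top bits dropped, and the patch introduces a flag-word bit that is not a real PTE bit to signal an unrepresentable walk. The following C program is an added illustration of that arithmetic and of the sentinel-bit idea; it is not Xen code and not the XSA-173 patch. The structure and function names (`shadow_sp_vuln`, `walk_flags`, `fixed_shadow_superpage`), the 4K page shift, the 24-bit width of the "real" flag range and the sample PTE flag value 0x63 are all assumptions made for the model.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Illustrative model of the XSA-173 address-width overflow and of a
 * sentinel bit used to flag an over-wide mapping. None of this is Xen
 * code; all names below are invented for the example.
 */

#define PAGE_SHIFT 12   /* 4K pages: gfn = gpa >> 12 (assumed for the model) */

/* The low 24 bits of a flags word model real PTE flag bits; bit 24 lies
 * outside that range and so can never collide with a real flag. This is
 * the idea behind the advisory patch's _PAGE_INVALID_BIT (1U<<24). */
#define FLAGS_MASK        ((1U << 24) - 1)
#define PAGE_INVALID_BIT  (1U << 24)

/* Shadow bookkeeping as described in the advisory: gfn in a 32-bit field. */
struct shadow_sp_vuln  { uint32_t gfn; };
/* Shadow bookkeeping at full width, plus the flags computed by the walk. */
struct shadow_sp_fixed { uint64_t gfn; uint32_t flags; };

static inline uint64_t gpa_to_gfn(uint64_t gpa) { return gpa >> PAGE_SHIFT; }

/* True iff the gfn of this gpa fits in 32 bits, i.e. gpa < 2^44. */
bool gfn_fits_32(uint64_t gpa) { return (gpa_to_gfn(gpa) >> 32) == 0; }

/* Vulnerable path: the gfn is narrowed to 32 bits on store. Returns the
 * value later code would use when it tries to locate and remove the shadow;
 * for gpa == 2^44 this is 0, which is where the NULL dereference comes from. */
uint64_t vuln_recorded_gfn(uint64_t gpa)
{
    struct shadow_sp_vuln sp;
    sp.gfn = (uint32_t)gpa_to_gfn(gpa);   /* bits 32 and up of the gfn are lost */
    return sp.gfn;
}

/* Walk-time flag computation: real flags are confined to their 24 bits;
 * if the mapping's gfn cannot be represented, OR in the sentinel so the
 * caller treats the walk as invalid instead of shadowing it. */
uint32_t walk_flags(uint64_t gpa, uint32_t pte_flags)
{
    uint32_t flags = pte_flags & FLAGS_MASK;
    if (!gfn_fits_32(gpa))
        flags |= PAGE_INVALID_BIT;
    return flags;
}

bool walk_is_invalid(uint32_t flags) { return (flags & PAGE_INVALID_BIT) != 0; }

/* Fixed path: refuse to create a shadow when the walk carries the sentinel. */
bool fixed_shadow_superpage(uint64_t gpa, uint32_t pte_flags,
                            struct shadow_sp_fixed *out)
{
    uint32_t flags = walk_flags(gpa, pte_flags);
    if (walk_is_invalid(flags))
        return false;                 /* nothing recorded, nothing to corrupt later */
    out->gfn   = gpa_to_gfn(gpa);
    out->flags = flags;
    return true;
}

int main(void)
{
    /* Constructed probes around the 2^44 boundary; 0x63 is a sample flag value. */
    uint64_t probes[] = { 0x1000, (1ULL << 44) - 0x1000, 1ULL << 44,
                          (1ULL << 44) + (5ULL << PAGE_SHIFT) };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        uint64_t gpa = probes[i];
        struct shadow_sp_fixed sp;
        bool ok = fixed_shadow_superpage(gpa, 0x63, &sp);
        printf("gpa=%#18llx real gfn=%#12llx recorded(32-bit)=%#12llx %s\n",
               (unsigned long long)gpa, (unsigned long long)gpa_to_gfn(gpa),
               (unsigned long long)vuln_recorded_gfn(gpa),
               ok ? "shadowed" : "refused (PAGE_INVALID_BIT)");
    }
    return 0;
}
```

Running it prints one line per probe: the two addresses below 2^44 are shadowed with the gfn intact, 2^44 itself is recorded as gfn 0 by the vulnerable path and refused by the fixed one, and 2^44 + 5 pages is recorded as gfn 5. The point of masking real flags to 24 bits and then using bit 24 as the marker is that `walk_is_invalid()` can never be fooled by a genuine PTE flag.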


Thread overview: 3+ messages
2016-04-18 13:31 Xen Security Advisory 173 (CVE-2016-3960) - x86 shadow pagetables: address width overflow Xen.org security team
2016-05-13 10:55 ` Philipp Hahn [this message]
2016-05-13 11:28   ` Jan Beulich
