[Pkg-xen-devel] Bug#464969: Bug#464969: xen-hypervisor-3.2-1-i386: Linux mmap()/vmsplice() exploit causes memory map corruption in hypervisor regardless of domain privilege

William Pitcock nenolod at sacredspiral.co.uk
Sun Feb 10 12:56:59 UTC 2008


Hi,

On Sun, 2008-02-10 at 13:32 +0100, Bastian Blank wrote:
> You have to show evidence that the Hypervisor crashed if the exploit
> runs in a domU. dom0 is special and can always crash the hypervisor. A
> stacktrace is usable to do this.

I'm sorry but I cannot provide evidence because it would involve
crashing a production machine. Users of said machine are already annoyed
that it crashed the first time.

However, running the exploit does indeed cause the hypervisor to crash;
here's why:

The exploit works by altering the memory map (via vmsplice()) to get
access into kernel space. Since the memory map is altered in the domU,
it is no longer in sync with the global state. Each domU is aware of the
state of the other domUs in Xen (at least, this is what the
documentation tells me, and this would explain why you can't, for example,
mix non-PAE and PAE kernels on x86). If one domU gets out of sync, it
could cause state corruption in the hypervisor.

As a result, Xen should check for this state corruption by maintaining a
secondary copy of the memory map and ensuring that it has not been
altered. If it has been altered, it should _probably_ kill the VM which
did it.

William
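The check William proposes above (keep a secondary copy of a domain's memory map, compare it against the live map, and quarantine the domain on divergence) can be sketched as a small simulation. The following is an added illustration written for this thread, not Xen code and not something from William's mail: `MapEntry`, `ShadowMapMonitor`, `PROTECTED_PFNS` and all page numbers and frame numbers are constructed for the example. It shows the two halves of such a defence: an update path that validates changes before mirroring them into the shadow copy, and an audit that flags any live entry the shadow copy never saw.

```python
"""Shadow-copy integrity check for a guest memory map (constructed illustration)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed: machine frames that a guest must never map user-writable
# (in a real hypervisor these would be page-table and hypervisor frames).
PROTECTED_PFNS: Set[int] = {0x0F, 0x10, 0x11}


@dataclass(frozen=True)
class MapEntry:
    """One mapping: guest virtual page -> machine page frame, with access bits."""
    vaddr: int
    pfn: int
    writable: bool
    user: bool


Diff = Tuple[int, Optional[MapEntry], Optional[MapEntry]]  # (vaddr, shadow, live)


class ShadowMapMonitor:
    """Keeps a per-domain reference copy of the memory map and flags divergence."""

    def __init__(self) -> None:
        self._shadow: Dict[int, Dict[int, MapEntry]] = {}
        self._quarantined: Set[int] = set()

    def register(self, dom_id: int, entries: List[MapEntry]) -> None:
        """Snapshot the map at domain creation; this is the trusted reference."""
        self._shadow[dom_id] = {e.vaddr: e for e in entries}

    def validated_update(self, dom_id: int, entry: MapEntry) -> bool:
        """The only path a guest may use to change its map. A mapping that would
        give user mode write access to a protected frame is refused; anything
        else is mirrored into the shadow copy so a later audit accepts it."""
        if entry.user and entry.writable and entry.pfn in PROTECTED_PFNS:
            return False
        self._shadow[dom_id][entry.vaddr] = entry
        return True

    def audit(self, dom_id: int, live_entries: List[MapEntry]) -> List[Diff]:
        """Compare the live map with the shadow copy. Any entry that differs,
        appeared or vanished without passing validated_update() is reported,
        and the domain is marked for termination (William's 'kill the VM')."""
        shadow = self._shadow[dom_id]
        live = {e.vaddr: e for e in live_entries}
        diffs: List[Diff] = []
        for vaddr, live_entry in live.items():
            if shadow.get(vaddr) != live_entry:
                diffs.append((vaddr, shadow.get(vaddr), live_entry))
        for vaddr in shadow.keys() - live.keys():
            diffs.append((vaddr, shadow[vaddr], None))
        if diffs:
            self._quarantined.add(dom_id)
        return diffs

    def is_quarantined(self, dom_id: int) -> bool:
        return dom_id in self._quarantined


def demo() -> Tuple[int, bool]:
    """Constructed scenario: one legitimate remap, one refused request, then a
    live map containing a change that never went through validation."""
    monitor = ShadowMapMonitor()
    dom1 = [MapEntry(0x1000, 0x100, True, True), MapEntry(0x2000, 0x101, False, True)]
    monitor.register(1, dom1)
    # Legitimate change through the validated path: accepted and mirrored.
    if not monitor.validated_update(1, MapEntry(0x2000, 0x102, False, True)):
        raise RuntimeError("benign remap should be accepted")
    # Request for a user-writable mapping of a protected frame: refused.
    if monitor.validated_update(1, MapEntry(0x3000, 0x0F, True, True)):
        raise RuntimeError("protected frame must not become user-writable")
    # Live map as the audit later sees it: the refused mapping is present anyway,
    # i.e. it was installed behind the hypervisor's back (constructed input).
    live = [
        MapEntry(0x1000, 0x100, True, True),
        MapEntry(0x2000, 0x102, False, True),
        MapEntry(0x3000, 0x0F, True, True),
    ]
    diffs = monitor.audit(1, live)
    return len(diffs), monitor.is_quarantined(1)


if __name__ == "__main__":
    count, quarantined = demo()
    print(f"divergent entries: {count}, domain quarantined: {quarantined}")
```

The audit runs only at check time, so the design choice that matters is how often it runs (every hypercall that touches the map versus a periodic sweep) and what the hypervisor does with the result; the example simply records the domain as quarantined and returns the list of divergent entries for logging.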