[Pkg-xen-devel] Bug#464969: Bug#464969: xen-hypervisor-3.2-1-i386: Linux mmap()/vmsplice() exploit causes memory map corruption in hypervisor regardless of domain privilege
Bastian Blank
waldi at debian.org
Sun Feb 10 13:40:16 UTC 2008
On Sun, Feb 10, 2008 at 06:56:59AM -0600, William Pitcock wrote:
> I'm sorry but I cannot provide evidence because it would involve
> crashing a production machine. Users of said machine are already annoyed
> that it crashed the first time.
Okay. Where did you run the exploit the first time?
> The exploit works by altering the memory map (via vmsplice()) to get
> access into kernel space. Since the memory map is altered in the domU,
> it is no longer in sync with the global state. Each domU is aware of the
> state of the other domU's in Xen (at least, this is what the
> documentation tells me, and this would explain why you can't for example
> mix NON-PAE and PAE kernels on x86). If one domU gets out of sync, it
> could cause state corruption in the hypervisor.
No, this is not correct. The physical-to-machine translation is public
readable. This table is not writable by the domains. The exploit changes
only the Linux page table.
On a x86_64 machine, it just raises a GPF.
Bastian
--
Vulcans believe peace should not depend on force.
-- Amanda, "Journey to Babel", stardate 3842.3
More information about the Pkg-xen-devel
mailing list