[Pkg-xen-devel] Bug#464969: Bug#464969: xen-hypervisor-3.2-1-i386: Linux mmap()/vmsplice() exploit causes memory map corruption in hypervisor regardless of domain privilege

William Pitcock nenolod at sacredspiral.co.uk
Sun Feb 10 19:55:01 UTC 2008


Hi,

On Sun, 2008-02-10 at 14:40 +0100, Bastian Blank wrote:
> On Sun, Feb 10, 2008 at 06:56:59AM -0600, William Pitcock wrote:
> > I'm sorry but I cannot provide evidence because it would involve
> > crashing a production machine. Users of said machine are already annoyed
> > that it crashed the first time.
> 
> Okay. Where did you run the exploit the first time?

On one of my production servers to see if I was vulnerable. The
configuration of which is:

* 4 Intel Xeon Processors (old P4 kind)
* 4GB RAM
* 15 Xen domains

I hope that is a useful enough description.

> 
> > The exploit works by altering the memory map (via vmsplice()) to get
> > access into kernel space. Since the memory map is altered in the domU,
> > it is no longer in sync with the global state. Each domU is aware of the
> > state of the other domU's in Xen (at least, this is what the
> > documentation tells me, and this would explain why you can't for example
> > mix NON-PAE and PAE kernels on x86). If one domU gets out of sync, it
> > could cause state corruption in the hypervisor.
> 
> No, this is not correct. The physical-to-machine translation is public
> readable. This table is not writable by the domains. The exploit changes
> only the Linux page table.
> 
> On a x86_64 machine, it just raises a GPF.

Are you sure? Because I'm pretty sure the exploit caused Xen (or at
least the dom0) to crash even though it was run in a domU.

William