xen-kernel -- x86 shadow pagetables: address width overflow

2016-04-18T00:00:00
ID D51CED72-4212-11E6-942D-BC5FF45D0F28
Type freebsd
Reporter FreeBSD
Modified 2016-04-18T00:00:00

Description

The Xen Project reports:

In the x86 shadow pagetable code, the guest frame number of a superpage mapping is stored in a 32-bit field. If a shadowed guest can cause a superpage mapping of a guest-physical address at or above 2^44 to be shadowed, the top bits of the address will be lost, causing an assertion failure or NULL dereference later on, in code that removes the shadow. A HVM guest using shadow pagetables can cause the host to crash.

A PV guest using shadow pagetables (i.e. being migrated) with PV superpages enabled (which is not the default) can crash the host, or corrupt hypervisor memory, and so a privilege escalation cannot be ruled out.