Insufficient bounding of "REP MOVS" to MMIO emulated inside the hypervisor

2014-11-27T11:25:00
ID XSA-112
Type xen
Reporter Xen Project
Modified 2014-11-27T11:25:00

Description

ISSUE DESCRIPTION

Acceleration support for the "REP MOVS" instruction, when the first iteration accesses memory-mapped I/O (MMIO) emulated internally in the hypervisor, incorrectly assumes that the whole range accessed is handled by the same hypervisor sub-component.
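
The following is an added example, not Xen's code and not part of the advisory: a simplified C model of the bounding the title refers to, clamping a repeated access to the range that a single internal handler covers. The `mmio_region` struct and the `region_covers` and `bounded_reps` functions are hypothetical names, and the region address is a constructed sample.

```c
/* Simplified model of bounding a repeated MMIO access to one handler's range.
 * Illustrative only: names and layout are hypothetical, not Xen's code. */
#include <stdint.h>
#include <stdio.h>

struct mmio_region {          /* range claimed by one internal handler */
    uint64_t base;
    uint64_t size;
};

/* Is [addr, addr + len) wholly inside r?  Written to avoid overflow. */
static int region_covers(const struct mmio_region *r, uint64_t addr, uint64_t len)
{
    return len != 0 && addr >= r->base && len <= r->size &&
           addr - r->base <= r->size - len;
}

/*
 * Return how many of the requested `reps` iterations (each `bytes` wide,
 * starting at `addr`, descending if `df` is set) stay inside `r`.
 * 0 means even the first iteration is not this handler's to service.
 */
static uint64_t bounded_reps(const struct mmio_region *r, uint64_t addr,
                             unsigned int bytes, uint64_t reps, int df)
{
    uint64_t room;

    if (reps == 0 || !region_covers(r, addr, bytes))
        return 0;
    /* Iterations available between addr and the edge of the region. */
    if (df)
        room = (addr - r->base) / bytes + 1;
    else
        room = (r->size - (addr - r->base)) / bytes;
    return reps < room ? reps : room;
}

int main(void)
{
    /* Constructed sample: a 4 KiB emulated device page. */
    struct mmio_region dev = { 0xfee00000u, 0x1000 };

    /* 4-byte REP MOVS of 64 iterations starting 16 bytes before the end. */
    printf("serviced here: %llu of 64\n",
           (unsigned long long)bounded_reps(&dev, 0xfee00ff0u, 4, 64, 0));
    return 0;
}
```

In this model the caller services only the returned number of iterations through the handler and sends the remainder back through normal dispatch, instead of assuming the first iteration's handler owns the whole range.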

IMPACT

A buggy or malicious HVM guest can crash the host.

VULNERABLE SYSTEMS

Xen versions from at least 3.2.x onwards are vulnerable on x86 systems. Older versions have not been inspected. ARM systems are not vulnerable.