x86: broken check in memory_exchange() permits PV guest breakout

2017-04-04T12:00:00
ID XSA-212
Type xen
Reporter Xen Project
Modified 2017-04-04T12:37:00

Description

ISSUE DESCRIPTION

The XSA-29 fix introduced an insufficient check on XENMEM_exchange input, allowing the caller to drive hypervisor memory accesses outside of the guest-provided input/output arrays.

IMPACT

A malicious or buggy 64-bit PV guest may be able to access all of system memory, which allows privilege escalation, host crashes, and information leaks.

VULNERABLE SYSTEMS

All Xen versions are vulnerable. Only x86 systems are affected. ARM systems are not vulnerable. The vulnerability is only exposed to 64-bit PV guests. HVM guests and 32-bit PV guests can't exploit the vulnerability.