x86: PV privilege escalation via map_grant_ref

ID XSA-227
Type xen
Reporter Xen Project
Modified 2017-08-15T12:04:00



When mapping a grant reference, a guest must inform Xen of where it would like the grant mapped. For PV guests, this is done by nominating an existing linear address, or an L1 pagetable entry, to be altered. Neither of these PV paths check for alignment of the passed parameter. The linear address path suitably truncates the linear address when calculating the L1 entry to use, but the path which uses a directly nominated L1 entry performs no checks. This causes Xen to make an incorrectly-aligned update to a pagetable, which corrupts both the intended entry and the subsequent entry with values which are largely guest controlled. If the misaligned value crosses a page boundary, then an arbitrary other heap page is corrupted.


A PV guest can elevate its privilege to that of the host.


All versions of Xen are vulnerable. Only x86 systems are vulnerable. Any system running untrusted PV guests is vulnerable. The vulnerability is exposed to PV stub qemu serving as the device model for HVM guests. Our default assumption is that an HVM guest has compromised its PV stub qemu. By extension, it is likely that the vulnerability is exposed to HVM guests which are served by a PV stub qemu.