Xen Project XSA-85
Off-by-one error in FLASK_AVC_CACHESTAT hypercall

Published: Feb 06, 2014 - 12:00 p.m.
Source: Xen Project, xenbits.xen.org

EPSS: 0.0004 (Low), percentile 5.2%

ISSUE DESCRIPTION

The FLASK_AVC_CACHESTAT hypercall, which provides access to per-cpu statistics on the Flask security policy, incorrectly validates the CPU for which statistics are being requested.

IMPACT

An attacker can cause the hypervisor to read past the end of an array. This may result in either a host crash, leading to a denial of service, or access to a small and static region of hypervisor memory, leading to an information leak.

VULNERABLE SYSTEMS

Xen versions 4.2 and later are vulnerable to this issue when built with XSM/Flask support. XSM support is disabled by default and is enabled by building with XSM_ENABLE=y.
Only systems with the maximum supported number of physical CPUs are vulnerable. Systems with a greater number of physical CPUs will only bring up the maximum supported number, and are therefore also vulnerable.
By default the following maximums apply:
* x86_32: 128 (only until Xen 4.2.x)
* x86_64: 256
These defaults can be overridden at build time via max_phys_cpus=N.
The vulnerable hypercall is exposed to all domains.
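The following C program is an added illustration of the bug class the advisory describes, written for this page; it is not Xen's source and the names (avc_stats, nr_cpu_ids, NR_CPUS, the struct layout) and the exact comparison are assumptions. It models a per-CPU statistics array sized by the build-time maximum, a guest-supplied CPU index, and a bounds check that is one too permissive (`>` where `>=` is needed). It also shows why, as the advisory states, the extra accepted index only lands outside the array when the number of CPUs in use equals the build-time maximum.

```c
/* Added example modelling the XSA-85 off-by-one. Names, sizes and the
 * comparison are assumptions for illustration, not Xen's code. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NR_CPUS 4u   /* assumed build-time maximum (cf. max_phys_cpus=N) */

struct avc_cache_stats {   /* assumed layout of one per-CPU stats record */
    uint32_t lookups;
    uint32_t hits;
    uint32_t misses;
};

/* Per-CPU array sized by the build-time maximum. Index NR_CPUS is
 * whatever follows it in memory: the "small and static region" an
 * out-of-bounds read would expose. */
static struct avc_cache_stats avc_stats[NR_CPUS];

/* CPUs actually in use; capped at NR_CPUS when the host has more. */
static unsigned int nr_cpu_ids = NR_CPUS;

void set_nr_cpu_ids(unsigned int present_cpus)
{
    nr_cpu_ids = present_cpus > NR_CPUS ? NR_CPUS : present_cpus;
}

/* Vulnerable check: wrongly accepts cpu == nr_cpu_ids. */
int cachestat_check_vuln(unsigned int cpu)
{
    if (cpu > nr_cpu_ids)
        return -ENOENT;
    return 0;
}

/* Fixed check: valid indices are 0 .. nr_cpu_ids - 1. */
int cachestat_check_fixed(unsigned int cpu)
{
    if (cpu >= nr_cpu_ids)
        return -ENOENT;
    return 0;
}

/* Returns 1 if the one index the vulnerable check wrongly accepts lies
 * past the end of avc_stats. With fewer CPUs than NR_CPUS the extra slot
 * is still inside the array (just unused), so only hosts running the
 * maximum supported number of CPUs are actually exposed. */
int vuln_check_escapes_array(void)
{
    unsigned int cpu = nr_cpu_ids;   /* the boundary index */
    return cachestat_check_vuln(cpu) == 0 && cpu >= NR_CPUS;
}

/* Copy out one CPU's stats using the fixed check; never reads past the array. */
int cachestat_read_fixed(unsigned int cpu, struct avc_cache_stats *out)
{
    int rc = cachestat_check_fixed(cpu);
    if (rc)
        return rc;
    memcpy(out, &avc_stats[cpu], sizeof(*out));
    return 0;
}
```

The check to carry away: a count-based limit (`nr_cpu_ids`) must be compared with `>=`, and the array it guards must be sized by the same maximum the count is capped to, otherwise the boundary index is only safe by accident of configuration, which is exactly the situation the advisory's "only systems with the maximum supported number of physical CPUs" sentence describes.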