
List:       oss-security
Subject:    [oss-security] kernel: xen: CVE-2011-2901
From:       Petr Matousek <pmatouse () redhat ! com>
Date:       2011-08-30 15:59:18
Message-ID: 20110830155918.GH9091 () dhcp-25-225 ! brq ! redhat ! com

CVE-2011-2901 kernel: xen: off-by-one shift in x86_64 __addr_ok()

The x86_64 __addr_ok() macro intends to ensure that the checked address
is either in the positive half of the 48-bit virtual address space, or
above the Xen-reserved area. However, the current shift count is
off-by-one, allowing full access to the "negative half" too, via
certain hypercalls which ignore virtual-address bits [63:48]. 

As a result, a malicious guest administrator on a vulnerable system is
able to crash the host.

Upstream status: 
This issue only affects very old hypervisors, Xen 3.3 and earlier.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=728042

Thanks,
-- 
Petr Matousek / Red Hat Security Response Team
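
Added example, not part of the original message and not Xen's source code: a minimal C model of the range check described above, with the off-by-one shift count beside the corrected one. The reserved-area bounds, function names and sample addresses are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed layout (not quoted from the advisory): 48-bit virtual addresses,
 * reserved area at the bottom of the negative half. */
#define VA_BITS        48
#define RESERVED_START 0xFFFF800000000000ULL /* assumed */
#define RESERVED_END   0xFFFF880000000000ULL /* assumed */
#define VA_MASK        ((1ULL << VA_BITS) - 1)

/* Shift count one too large: accepts every address below 2^48. */
static int addr_ok_off_by_one(uint64_t a)
{
    return a < (1ULL << VA_BITS) || a >= RESERVED_END;
}

/* The positive half is 2^47 bytes, so the bound is 1 << (VA_BITS - 1). */
static int addr_ok_fixed(uint64_t a)
{
    return a < (1ULL << (VA_BITS - 1)) || a >= RESERVED_END;
}

/* Address seen by a consumer that ignores bits [63:48]: low 48 bits, sign-extended. */
static uint64_t canonicalize(uint64_t a)
{
    uint64_t low = a & VA_MASK;
    return (low & (1ULL << (VA_BITS - 1))) ? (low | ~VA_MASK) : low;
}

static int in_reserved(uint64_t a)
{
    return a >= RESERVED_START && a < RESERVED_END;
}

int main(void)
{
    /* Constructed sample addresses. */
    const uint64_t samples[] = {
        0x00007FFFFFFFF000ULL, /* top of the positive half */
        0x0000800000001000ULL, /* non-canonical, bit 47 set */
        0xFFFF800000001000ULL, /* inside the assumed reserved area */
        0xFFFF880000001000ULL, /* above the assumed reserved area */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint64_t eff = canonicalize(samples[i]);
        printf("%016llx buggy=%d fixed=%d effective=%016llx reserved=%d\n",
               (unsigned long long)samples[i], addr_ok_off_by_one(samples[i]),
               addr_ok_fixed(samples[i]), (unsigned long long)eff, in_reserved(eff));
    }
    return 0;
}
```

The second sample is the interesting row: it passes the off-by-one check, yet its effective address once bits [63:48] are ignored lies inside the reserved range, and the corrected bound rejects it.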