FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

xen-kernel -- x86 shadow pagetables: address width overflow

Affected packages
3.4 <= xen-kernel < 4.7.0

Details

VuXML ID d51ced72-4212-11e6-942d-bc5ff45d0f28
Discovery 2016-04-18
Entry 2016-07-04

The Xen Project reports:

In the x86 shadow pagetable code, the guest frame number of a superpage mapping is stored in a 32-bit field. If a shadowed guest can cause a superpage mapping of a guest-physical address at or above 2^44 to be shadowed, the top bits of the address will be lost, causing an assertion failure or NULL dereference later on, in code that removes the shadow.

A HVM guest using shadow pagetables can cause the host to crash.

A PV guest using shadow pagetables (i.e. being migrated) with PV superpages enabled (which is not the default) can crash the host, or corrupt hypervisor memory, and so a privilege escalation cannot be ruled out.
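The 2^44 threshold in the report follows from 4 KiB x86 pages: a frame number is the address shifted right by 12 bits, so 2^44 is the first address whose frame number (2^32) no longer fits a 32-bit field. The following C sketch is an added illustration, not Xen's code or its fix; it shows the narrowing store beside a checked store that rejects out-of-range frames. The struct and function names are hypothetical and the sample addresses are constructed.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define PAGE_SHIFT 12   /* x86 4 KiB pages: frame number = address >> 12 */

/* Hypothetical record with a 32-bit frame-number field (not Xen's struct). */
struct shadow_rec {
    uint32_t gfn32;
};

/* Weak form: silently narrows the 64-bit frame number to 32 bits. */
static void store_gfn_truncating(struct shadow_rec *r, uint64_t gpa)
{
    r->gfn32 = (uint32_t)(gpa >> PAGE_SHIFT);
}

/* Checked form: refuses any frame number that does not fit the field. */
static bool store_gfn_checked(struct shadow_rec *r, uint64_t gpa)
{
    uint64_t gfn = gpa >> PAGE_SHIFT;
    if (gfn > UINT32_MAX)
        return false;
    r->gfn32 = (uint32_t)gfn;
    return true;
}

/* True when the stored field still identifies the page frame of gpa. */
static bool round_trips(const struct shadow_rec *r, uint64_t gpa)
{
    uint64_t frame_base = gpa & ~((1ULL << PAGE_SHIFT) - 1);
    return ((uint64_t)r->gfn32 << PAGE_SHIFT) == frame_base;
}

int main(void)
{
    /* Constructed guest-physical addresses around the 2^44 boundary. */
    const uint64_t samples[] = { (1ULL << 44) - 4096, 1ULL << 44,
                                 (1ULL << 44) + (1ULL << 21) };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct shadow_rec r = { 0 };
        store_gfn_truncating(&r, samples[i]);
        printf("gpa=0x%llx stored=0x%08x intact=%d checked_ok=%d\n",
               (unsigned long long)samples[i], (unsigned)r.gfn32,
               round_trips(&r, samples[i]), store_gfn_checked(&r, samples[i]));
    }
    return 0;
}
```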

References

CVE Name CVE-2016-3960
URL http://xenbits.xen.org/xsa/advisory-173.html