Xen Test Framework
XSA-182

Advisory: XSA-182

There is a trick with pagetables, known as recursive pagetables (also linear or twisted pagetables), where a top-level pagetable refers back to itself. This creates an area of virtual address space which accesses the currently-active pagetables rather than the RAM mapped by them. Certain kernels use this method as part of their memory management subsystems.

Xen has code to cope with x86 PV guests creating such pagetables, albeit with the usual safety proviso that a PV guest must never be able to write to its own pagetables.

While the logic to create recursive pagetables does check and reject writeable mappings, some of the fastpath logic permitted changing the writeable bit in isolation, allowing a guest to obtain writeable access to its own pagetables.
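To make the failure mode concrete, here is an added example that models the class of bug described above. It is constructed for this page and is not XTF's test code nor Xen's pagetable-update code: the entry layout, the `top_level_mfn` constant, the two whitelist macros and the helper names are all assumptions. The "buggy" variant lets the fastpath flip the RW bit of an already-present entry without re-validation, so a read-only linear mapping can be promoted to writeable; the "fixed" variant keeps RW out of the fastpath whitelist, which forces the change through full validation, where a writeable mapping of the top-level pagetable is rejected.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed x86-style PTE flag bits (bit positions match the real layout). */
#define PAGE_PRESENT  (1u << 0)
#define PAGE_RW       (1u << 1)
#define PAGE_USER     (1u << 2)
#define PAGE_ACCESSED (1u << 5)
#define PAGE_DIRTY    (1u << 6)
#define MFN(e)        ((e) >> 12)

/* Assumed frame number of the guest's top-level pagetable. */
static const uint64_t top_level_mfn = 0x1234;

/* Flag bits the fastpath may change without full re-validation.
 * The buggy set includes RW; the fixed set does not. */
#define FASTPATH_BUGGY (PAGE_ACCESSED | PAGE_DIRTY | PAGE_USER | PAGE_RW)
#define FASTPATH_FIXED (PAGE_ACCESSED | PAGE_DIRTY | PAGE_USER)

/* Full validation of a new entry: a recursive (linear) mapping of the
 * top-level pagetable is only ever allowed read-only. */
static bool full_validate(uint64_t new_e)
{
    if (!(new_e & PAGE_PRESENT))
        return true;                      /* not-present entries are harmless */
    if (MFN(new_e) == top_level_mfn && (new_e & PAGE_RW))
        return false;                     /* writeable linear mapping: reject */
    return true;
}

/* Model of a pagetable-entry update. If both old and new entries are present
 * and differ only in whitelisted flag bits, the fastpath skips validation. */
static bool update_entry(uint64_t *slot, uint64_t new_e, uint32_t whitelist)
{
    uint64_t old_e = *slot;

    if ((old_e & PAGE_PRESENT) && (new_e & PAGE_PRESENT) &&
        ((old_e ^ new_e) & ~(uint64_t)whitelist) == 0) {
        *slot = new_e;                    /* fastpath: no re-validation */
        return true;
    }
    if (!full_validate(new_e))
        return false;
    *slot = new_e;
    return true;
}

/* Scenario: install a legitimate read-only linear entry, then attempt to set
 * only the RW bit on it. Returns true if the second update was accepted,
 * i.e. if the guest ended up with a writeable mapping of its pagetable. */
static bool writeable_linear_mapping_obtained(uint32_t whitelist)
{
    uint64_t slot = 0;
    uint64_t ro_linear = (top_level_mfn << 12) | PAGE_PRESENT | PAGE_USER;

    if (!update_entry(&slot, ro_linear, whitelist))
        return false;                     /* read-only linear entry is allowed */
    return update_entry(&slot, ro_linear | PAGE_RW, whitelist);
}

int main(void)
{
    printf("buggy fastpath: writeable linear mapping obtained = %d\n",
           writeable_linear_mapping_obtained(FASTPATH_BUGGY));
    printf("fixed fastpath: writeable linear mapping obtained = %d\n",
           writeable_linear_mapping_obtained(FASTPATH_FIXED));
    return 0;
}
```

The point of the model is that a per-bit whitelist is only safe if every bit in it is security-irrelevant for every entry type; once a bit such as RW can change the privilege of an existing mapping, it must take the slow path through full validation.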

See also
tests/xsa-182/main.c