Xen Test Framework
XSA-185

Advisory: XSA-185

This vulnerability is along the same lines as XSA-182, and was uncovered once XSA-182 had been fixed. Please refer to XSA-182 for the discussion of recursive pagetables.

For real 32bit PAE mode, %cr3 points at a 32byte block of memory containing 4 entries which look a little like regular pagetable entries. When a reload of %cr3 occurs, they are loaded into 4 internal processor registers. In this regard, they behave like 4 independent %cr3 pointers; there aren't actually 3 levels of pagetable being walked by the processor.

In these 4 entries, all control bits other than Present and the two cacheability bits are strictly reserved, and must be zero. User and RW are implied by the actual pagewalk starting at the appropriate L2 table, and not at the block that %cr3 is actually pointing at.

When running a 32bit PV guest on a 64bit Xen, this architectural behaviour needs to be maintained while the guest is actually running on plain 4-level pagetables. As such, the guest will not set User/RW, and Xen must set them unconditionally on all L3 updates to maintain architectural behaviour.

Because of the construction of 32bit PAE paging on real hardware, there is no way to construct an L3 recursive mapping (to create an equivalent effect, 4 adjacent L2 entries need pointing at the 4 in-use L2 entries), so the security fix is to specifically exclude that option.
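The three rules above (reserved bits must be zero, User/RW are supplied unconditionally by Xen, and an L3 entry may never point back at the L3 itself) can be written down as a single validation step. The following is an added example and is not Xen's or XTF's own code; the function and macro names, and the assumed 52-bit physical address width, are ours.

```c
#include <stdint.h>

/* Bit layout of a 32bit PAE L3 entry, following the architectural format
 * described above: only Present and the two cacheability bits (PWT, PCD)
 * are control bits, everything else below the address field is reserved.
 * Bits 9-11 are ignored by hardware, so a guest may freely use them. */
#define PAE_L3E_PRESENT   (1ULL << 0)
#define PAE_L3E_PWT       (1ULL << 3)
#define PAE_L3E_PCD       (1ULL << 4)
#define PAE_L3E_AVAIL     (7ULL << 9)
#define PAE_L3E_ADDR_MASK 0x000ffffffffff000ULL  /* assumes 52-bit paddr */

#define PAE_L3E_ALLOWED (PAE_L3E_PRESENT | PAE_L3E_PWT | PAE_L3E_PCD | \
                         PAE_L3E_AVAIL | PAE_L3E_ADDR_MASK)

/* Control bits a real 4-level L3 entry carries but a PAE guest never sets. */
#define L3E_RW   (1ULL << 1)
#define L3E_USER (1ULL << 2)

enum l3e_verdict { L3E_OK, L3E_RESERVED_BITS, L3E_RECURSIVE };

/*
 * Validate a guest-supplied PAE L3 entry and, when it is acceptable, compute
 * the entry to write into the real 4-level L3 slot (hypothetical helper):
 *  - reserved control bits set        -> rejected
 *  - entry pointing at the L3 itself  -> rejected (the XSA-185 fix)
 *  - otherwise User/RW are set unconditionally, as PAE semantics require
 * l3_table_paddr is the physical address of the L3 page being updated.
 */
enum l3e_verdict translate_pae_l3e(uint64_t guest_l3e, uint64_t l3_table_paddr,
                                   uint64_t *host_l3e)
{
    if ( !(guest_l3e & PAE_L3E_PRESENT) )
    {
        *host_l3e = guest_l3e;  /* not-present entries are ignored by hw */
        return L3E_OK;
    }

    if ( guest_l3e & ~PAE_L3E_ALLOWED )
        return L3E_RESERVED_BITS;

    if ( (guest_l3e & PAE_L3E_ADDR_MASK) ==
         (l3_table_paddr & PAE_L3E_ADDR_MASK) )
        return L3E_RECURSIVE;

    *host_l3e = guest_l3e | L3E_RW | L3E_USER;
    return L3E_OK;
}
```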

See also
tests/xsa-185/main.c