Advisory: XSA-167

The MMUEXT subops MARK_SUPER and UNMARK_SUPER do not perform a range check on the mfn parameter before indexing the superframe array. They do however perform an 2MB alignment check.

This PoC attempts to mark the largest possible 2MB aligned mfn, 0xffffffffffe00000, as a superpage. On a sample Xen, the index into the superframe array causes an attempted deference of the pointer 0x03ffffffffff8000, suffering a #GP fault because of being non-canonical.

PV superpages are disabled by default, and must be enabled by booting Xen with the "allowsuperpage" command line option.

If Xen is vulnerable to XSA-167, the expected outcome of this test is a host crash. If Xen is not vulnerable, the hypercall should fail with -EINVAL.

See also: tests/xsa-167/main.c