Xen Test Framework

Advisory: XSA-183

This vulnerability only affects hardware supporting SMAP (Intel Broadwell/AMD Zen or later) on Xen 4.5 or later (due to the addition of software support to enable and use SMAP).

Supervisor Mode Access Prevention is a hardware feature whereby an Operating System can opt-in to more strict pagetable requirements, designed to make it more robust, by raising a pagefault rather than accidentally following a pointer into userspace. However, legitimate accesses into userspace require whitelisting.

In Xen, compat_create_bounce_frame() is the function with the purpose of creating an exception/interrupt frame on a guest stack (matching what hardware would normally do).

32bit PV guest kernels, running in ring1, normally run on supervisor mappings. However, the guest kernel is in control of its own stack pointer, so nothing stops the kernel putting %esp over a user mapping.

Under those circumstances if compat_create_bounce_frame() is invoked, it will (legitimately) try to create an exception frame on the kernel stack. If SMAP is enabled and the accesses are not whitelisted, Xen takes a fatal pagefault and crashes.

If vulnerable, Xen will crash citing a fatal SMAP fault in compat_create_bounce_frame(). If not vulnerable, the test will exit cleanly.

See also