Xen Test Framework

Advisory: XSA-212

The XENMEM_exchange hypercall previously had incomplete checks on the safety of the parameters passed. XENMEM_exchange takes an input and output array of gfns, along with a count of how many requests have been completed thus far (in the case that continuation needs to occur).

Xen only checked the base of the array, not the current access in the array, for safety. This would have been safe had Xen worked all the way from 0, because hitting the non-canonical region would have aborted the hypercall midway through. However, nothing stops a crafty guest from faking up a single-entry exchange which appears to be a very long way into a large array.

Construct such an exchange, with the output array set up to clobber the first 8 bytes of the IDT. If vulnerable, Xen will write junk over its #DE handler; an exception which is trivial to trigger. As #DE is a contributory exception, it will escalate to #DF and cause Xen to crash.

See also