Xen Test Framework
XSA-227

Advisory: XSA-227

For x86 PV guests, the GNTTABOP_map_grant_ref hypercall allows mapping by nominated linear address, or by nominating a specific L1e. However, there are no alignment checks when nominating a specific L1e, and Xen would write the PTE at the guest's chosen alignment, corrupting the L1 pagetable.

In this test, a frame is grant mapped in a way which tries to splice across the L1e mapping the linear addresses at 4K and 8K. If vulnerable, the lower flags of the grant PTE end up overwriting the high user-defined bits of the L1e mapping 4K, with User/Writeable/Present causing reserved bits to be set.
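The following C is an added illustration of the defect class, not code from XTF or from Xen. It models two things: the alignment check that the PTE-nominating form of the hypercall needs (the function name and the boolean return are assumptions; the GNTMAP_contains_pte flag is the real grant-table interface flag that selects that form), and a byte-level simulation of what an unaligned 8-byte PTE store does to the two neighbouring L1 entries, so the "splice" the test description talks about can be seen on constructed values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <inttypes.h>

/* Real Xen grant-table flag: host_addr names a PTE rather than a linear address. */
#define GNTMAP_contains_pte (1u << 4)

/* x86-64 L1 pagetable entries are 8 bytes; a 4K L1 table holds 512 of them. */
#define L1E_SIZE   8u
#define L1_BYTES   4096u

/* Hypothetical check (assumed name, not Xen's): a nominated L1e must be
 * entry-aligned, otherwise the store straddles two slots. The linear-address
 * form is left unconstrained here, as it resolves to an L1e by lookup. */
static bool map_grant_ref_host_addr_ok(uint64_t host_addr, uint32_t flags)
{
    if (!(flags & GNTMAP_contains_pte))
        return true;
    return (host_addr % L1E_SIZE) == 0;
}

/* Which L1 slots an 8-byte store at this in-page offset would touch.
 * Returns the slot count (1 when aligned, 2 when misaligned). */
static unsigned int l1e_slots_touched(uint64_t host_addr,
                                      unsigned int *first, unsigned int *last)
{
    uint64_t off = host_addr & (L1_BYTES - 1);
    *first = (unsigned int)(off / L1E_SIZE);
    *last  = (unsigned int)((off + L1E_SIZE - 1) / L1E_SIZE);
    return *last - *first + 1;
}

/* Simulate the vulnerable store on a constructed L1 table (little-endian, as
 * on x86). Slot 1 maps linear 4K and holds e1_before; slot 2 maps 8K and starts
 * empty. The grant PTE is written at byte offset 'off', exactly as a missing
 * alignment check would allow. The resulting slot 1 and slot 2 values are
 * returned through the out-parameters. */
static void simulate_misaligned_pte_write(unsigned int off, uint64_t grant_pte,
                                          uint64_t e1_before,
                                          uint64_t *e1_after, uint64_t *e2_after)
{
    uint8_t l1[L1_BYTES];
    memset(l1, 0, sizeof l1);
    memcpy(l1 + 1 * L1E_SIZE, &e1_before, L1E_SIZE);
    memcpy(l1 + off, &grant_pte, L1E_SIZE);       /* the unaligned write */
    memcpy(e1_after, l1 + 1 * L1E_SIZE, L1E_SIZE);
    memcpy(e2_after, l1 + 2 * L1E_SIZE, L1E_SIZE);
}

int main(void)
{
    /* Constructed values: a grant PTE for frame 0x12345 with User/Writeable/
     * Present (0x7), nominated at byte offset 12 of the L1 table, i.e. half-way
     * into slot 1 (offset 8..15). */
    uint64_t grant_pte = 0x12345007ull;
    uint64_t e1 = 0xff067ull, e1_after, e2_after;
    unsigned int first, last;

    printf("host_addr offset 12 accepted: %s\n",
           map_grant_ref_host_addr_ok(0x1000 + 12, GNTMAP_contains_pte) ? "yes" : "no");
    printf("slots touched: %u (slot %u..%u)\n",
           l1e_slots_touched(0x1000 + 12, &first, &last), first, last);

    simulate_misaligned_pte_write(12, grant_pte, e1, &e1_after, &e2_after);
    /* The low 32 bits of the grant PTE (address bits and U/W/P flags) now sit
     * in bits 32..63 of the L1e mapping 4K, well above any frame number the
     * entry legitimately held. */
    printf("slot1 before %#" PRIx64 " after %#" PRIx64 "\n", e1, e1_after);
    printf("slot2 after  %#" PRIx64 "\n", e2_after);
    return 0;
}
```

The simulation only moves bytes; it does not model what the CPU does with the resulting entry. The point it makes is that once the low 32 bits of the grant PTE land in the upper half of a neighbouring L1e, the corrupted entry no longer describes the frame it used to, and whether the hardware then treats the stray high bits as reserved or as an unintended mapping depends on the platform, which is why an alignment check on the nominated address is the right place to stop it.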

See also
tests/xsa-227/main.c