An issue was discovered in Xen through 4.12.x allowing ARM guest OS users
to cause a denial of service via a XENMEM_add_to_physmap hypercall.
p2m->max_mapped_gfn is used by the functions
p2m_resolve_translation_fault() and p2m_get_entry() to sanity check a guest
physical frame. The rest of the code in the two functions will assume that
there is a valid root table and check that with BUG_ON(). The function
p2m_get_root_pointer() will ignore the unused top bits of a guest physical
frame. This means that the function p2m_set_entry() will alias the frame.
However, p2m->max_mapped_gfn will be updated using the original frame. It
would be possible to set p2m->max_mapped_gfn high enough to cover a frame
that would lead p2m_get_root_pointer() to return NULL in p2m_get_entry()
and p2m_resolve_translation_fault(). Additionally, the sanity check on
p2m->max_mapped_gfn is off-by-one allowing "highest mapped + 1" to be
considered valid. However, p2m_get_root_pointer() will return NULL. The
problem could be triggered with a specially crafted hypercall
XENMEM_add_to_physmap{, _batch} followed by an access to an address (via
hypercall or direct access) that passes the sanity check but causes
p2m_get_root_pointer() to return NULL. A malicious guest administrator may
cause a hypervisor crash, resulting in a Denial of Service (DoS). Xen
versions 4.8 and newer are vulnerable. Only Arm systems are vulnerable. x86
systems are not affected.
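A simplified model of the two defects the description above names (aliasing through ignored top bits, and the off-by-one on p2m->max_mapped_gfn) beside a hardened variant. This is an added illustration, not Xen's code: the table geometry (ROOT_SHIFT, ROOT_IDX_BITS, NR_ROOT), the function names, and modelling the off-by-one as recording sgfn + nr instead of the last mapped frame are assumptions of the model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Simplified model of the Arm p2m logic the advisory describes, not Xen's
 * code. Assumed geometry: a root table covers 1 << ROOT_SHIFT frames, only
 * NR_ROOT tables exist, ROOT_IDX_BITS gfn bits select one, and bits above
 * those are ignored by the root lookup (which is what causes aliasing). */
#define ROOT_SHIFT     10
#define ROOT_IDX_BITS  2
#define NR_ROOT        2
#define MAX_VALID_GFN  (((uint64_t)NR_ROOT << ROOT_SHIFT) - 1)

struct p2m { uint64_t max_mapped_gfn; int root[NR_ROOT]; };

/* Models p2m_get_root_pointer(): top bits dropped, missing table -> NULL. */
static int *get_root_pointer(struct p2m *p2m, uint64_t gfn)
{
    uint64_t idx = (gfn >> ROOT_SHIFT) & ((1u << ROOT_IDX_BITS) - 1);
    return idx < NR_ROOT ? &p2m->root[idx] : NULL;
}

/* Models p2m_set_entry() mapping nr frames at sgfn. Vulnerable: any sgfn
 * whose masked lookup hits a real table is accepted and max_mapped_gfn is
 * raised to the unmasked sgfn + nr (one past the last frame). Hardened:
 * frames beyond MAX_VALID_GFN are refused and the last frame is recorded. */
static bool set_entry(struct p2m *p2m, uint64_t sgfn, uint64_t nr, bool hardened)
{
    if (nr == 0 || !get_root_pointer(p2m, sgfn))
        return false;
    if (hardened && (sgfn + nr - 1 < sgfn || sgfn + nr - 1 > MAX_VALID_GFN))
        return false;
    uint64_t top = hardened ? sgfn + nr - 1 : sgfn + nr;
    if (top > p2m->max_mapped_gfn)
        p2m->max_mapped_gfn = top;
    return true;
}

/* Models the p2m_get_entry() sanity check: 0 = rejected, 1 = root table
 * found, -1 = check passed but root is NULL, where Xen would BUG_ON(). */
static int get_entry(struct p2m *p2m, uint64_t gfn)
{
    if (gfn > p2m->max_mapped_gfn)
        return 0;
    return get_root_pointer(p2m, gfn) ? 1 : -1;
}

/* Map one frame at map_gfn on a fresh p2m, then look up probe_gfn; returns
 * get_entry()'s result, or -2 if the mapping itself was refused. */
int probe_after_map(uint64_t map_gfn, uint64_t probe_gfn, bool hardened)
{
    struct p2m p2m = { 0, { 0 } };
    if (!set_entry(&p2m, map_gfn, 1, hardened))
        return -2;
    return get_entry(&p2m, probe_gfn);
}
```

In the model, gfn 0x5000 aliases root index 0 but raises max_mapped_gfn to 0x5001, so a later lookup of 0x800 (root index 2, no table) passes the check and reaches the NULL root; mapping 0x7ff alone already lets 0x800 through because of the off-by-one.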
mdeslaur> hypervisor packages are in universe. For issues in the hypervisor, add appropriate tags to each section, ex:
Tags_xen: universe-binary
Source: xen (LP Ubuntu Debian)
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): needs-triage
Ubuntu 18.04 LTS (Bionic Beaver): needs-triage
Ubuntu 20.04 LTS (Focal Fossa): not-affected (4.11.3+24-g14b62ab3e5-1ubuntu1)
Ubuntu 20.10 (Groovy Gorilla): not-affected (4.11.3+24-g14b62ab3e5-1ubuntu1)
Binaries built from this source package are in universe and so are supported by the community. For more details see More Information.

Updated: 2020-10-24 06:57:33 UTC (commit 69e225d81a6ee3e2e014950178db797c5d4e5009)