Vigil@nce - Xen: unreachable memory reading via iret
June 2015 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker who controls the guest kernel can use a "return from
interrupt handler" under Xen, in order to trigger a denial of
service.
Impacted products: XenServer, Debian, Fedora, openSUSE, SUSE Linux
Enterprise Desktop, SLES, Xen
Severity: 1/4
Creation date: 12/06/2015
DESCRIPTION OF THE VULNERABILITY
The machine instruction IRET is privileged, so any attempt by the guest
to use it is translated into a call to the Xen hypervisor.
However, compat_iret(), the function that emulates this instruction,
iterates through a loop in the wrong direction. This leads to about
2^33 page faults, and processing them makes the host server hang.
An attacker who controls the guest kernel can therefore use a
"return from interrupt handler" under Xen, in order to trigger a
denial of service.
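Constructed illustration of the failure mode, added here and not Xen's compat_iret() code: a model frame copy whose counter steps away from its bound only stops when the counter type wraps, and every access outside the mapped window counts as a page fault the hypervisor must service. The stack arrays, window size and accessor names are assumptions of the model; the second function shows the bounded form a reviewer would expect.

```c
/* Model of an emulated IRET frame copy (constructed, not Xen's code). */
#include <stdint.h>
#include <stddef.h>

#define FRAME_WORDS   9    /* words the emulation intends to copy */
#define MAPPED_WORDS  16   /* mapped guest-memory window in the model */

static uint32_t guest_stack[MAPPED_WORDS];   /* source frame */
static uint32_t kernel_stack[MAPPED_WORDS];  /* destination frame */
static unsigned long faults;                 /* page faults the host had to handle */

/* Models a __get_user/__put_user style accessor: an index outside the
 * mapped window is an unmapped guest page, so the access faults. */
static int model_get(long idx, uint32_t *x)
{
    if (idx < 0 || idx >= MAPPED_WORDS) { faults++; return -1; }
    *x = guest_stack[idx];
    return 0;
}
static int model_put(long idx, uint32_t x)
{
    if (idx < 0 || idx >= MAPPED_WORDS) { faults++; return -1; }
    kernel_stack[idx] = x;
    return 0;
}

/* Wrong direction: i moves away from its bound, so the loop ends only when
 * the counter wraps. int8_t keeps this runnable (gcc/clang wrap modulo 2^8);
 * a 32-bit counter of the same shape needs about 2^31 iterations, each
 * issuing two faulting accesses. Errors are OR-ed together and never stop it. */
static unsigned long copy_frame_wrong_way(void)
{
    int rc = 0;
    uint32_t x = 0;
    faults = 0;
    for (int8_t i = 1; i < 10; --i) {
        rc |= model_get(i, &x);
        rc |= model_put(i, x);
    }
    (void)rc;
    return faults;   /* 256 in this model */
}

/* Bounded form: explicit count checked against the frame size, counter moves
 * toward the bound, first fault aborts. Returns words copied, -1 on error. */
static long copy_frame_checked(size_t nwords)
{
    uint32_t x;
    faults = 0;
    if (nwords > FRAME_WORDS) return -1;
    for (size_t i = 1; i <= nwords; ++i)
        if (model_get((long)i, &x) || model_put((long)i, x)) return -1;
    return (long)nwords;
}
```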
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Xen-unreachable-memory-reading-via-iret-17119