
Vigil@nce - Xen: denial of service via non canonical instruction pointer

March 2016 by Vigil@nce

This bulletin was written by Vigil@nce : https://vigilance.fr/offer

SYNTHESIS OF THE VULNERABILITY

An attacker in a guest system can map code at non canonical
virtual addresses, in order to trigger a fatal exception in Xen
and then a denial of service against the guest.

Impacted products: Fedora, Xen.

Severity: 1/4.

Creation date: 17/02/2016.

DESCRIPTION OF THE VULNERABILITY

Xen is a hypervisor that mainly targets x86 architectures. It can
use the virtualization-specific instruction set on 64-bit hosts.

In the case of a 64-bit guest system with hardware-assisted
virtualization, the VMENTRY instruction used to restart a virtual
machine requires the instruction pointer to be canonical, i.e.
the most significant bits which are not related to bits in
physical addresses (the length of which is lower than 64 bits) are
either all 0 or all 1. Otherwise, the processor triggers an
exception, and Xen's handling of it terminates the guest system.
Instruction pointers are controlled by user processes if the guest
system allows user processes to choose which virtual addresses
they use, as with the mmap POSIX call.

An attacker in a guest system can therefore map code at non
canonical virtual addresses, in order to trigger a fatal exception
in Xen and then a denial of service against the guest.
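
The canonical-address rule described above, written out as a check (an added example, not code from Vigil@nce or from Xen). It assumes 48 implemented address bits, or 57 with 5-level paging; the function name and the sample addresses are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Implemented address widths (assumptions for this example):
 * 48 bits with 4-level paging, 57 bits with 5-level paging. */
enum { VA_BITS_4LEVEL = 48, VA_BITS_5LEVEL = 57 };

/* Canonical: bits 63 down to (va_bits - 1) are all 0 or all 1.
 * va_bits must be in the range 2..64. */
static bool is_canonical(uint64_t addr, unsigned va_bits)
{
    uint64_t top = addr >> (va_bits - 1);          /* the bits that must agree */
    uint64_t all_ones = (UINT64_C(1) << (65 - va_bits)) - 1;
    return top == 0 || top == all_ones;
}

int main(void)
{
    /* Constructed sample values around the canonical boundaries. */
    const uint64_t samples[] = {
        UINT64_C(0x0000000000401000),  /* ordinary low address */
        UINT64_C(0x00007fffffffffff),  /* last canonical low address (48-bit) */
        UINT64_C(0x0000800000000000),  /* first address in the 48-bit hole */
        UINT64_C(0xffff7fffffffffff),  /* last address in the 48-bit hole */
        UINT64_C(0xffff800000000000),  /* first canonical high address (48-bit) */
    };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%#018llx  48-bit: %-13s  57-bit: %s\n",
               (unsigned long long)samples[i],
               is_canonical(samples[i], VA_BITS_4LEVEL) ? "canonical" : "non-canonical",
               is_canonical(samples[i], VA_BITS_5LEVEL) ? "canonical" : "non-canonical");
    return 0;
}
```

The same value can be canonical at one address width and not at the other, so the check has to use the width that applies to the guest being resumed.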

ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN

https://vigilance.fr/vulnerability/Xen-denial-of-service-via-non-canonical-instruction-pointer-18967

