ISSUE DESCRIPTION
=================
The function `alloc_heap_pages` allows callers to specify the first
NUMA node that should be used for allocations through the `memflags`
parameter; the node is extracted using the `MEMF_get_node` macro.
While the function checks to see if the special constant
`NUMA_NO_NODE` is specified, it otherwise does not handle the case
where `node >= MAX_NUMNODES`. This allows an out-of-bounds access
to an internal array.
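
The missing check described above, shown as a simplified C model next to a bounded version. This is an added example, not Xen's code or the advisory's patch; every `MODEL_*` name, the flag layout, the array size of 64 and all function names are assumptions made for illustration.

```c
/* Simplified model of the missing bounds check; NOT Xen source code.
 * Every name and constant here is an assumption made for this example. */
#include <errno.h>
#include <stdio.h>

#define MODEL_MAX_NUMNODES 64u   /* assumed size of the per-node array */
#define MODEL_NO_NODE      0xffu /* assumed "no preference" sentinel */
#define MODEL_GET_NODE(f)  (((f) >> 8) & 0xffu) /* assumed 8-bit node field */

static unsigned long model_avail[MODEL_MAX_NUMNODES]; /* indexed by node */

/* Pattern the advisory describes: only the sentinel is handled, so any
 * value in [MODEL_MAX_NUMNODES, MODEL_NO_NODE) is accepted as an index. */
static int sentinel_only_check(unsigned int memflags, unsigned int *node)
{
    unsigned int n = MODEL_GET_NODE(memflags);
    *node = (n == MODEL_NO_NODE) ? 0 : n;
    return 0;
}

/* Hardened form: reject every value that cannot index the array. */
static int bounded_check(unsigned int memflags, unsigned int *node)
{
    unsigned int n = MODEL_GET_NODE(memflags);
    if (n != MODEL_NO_NODE && n >= MODEL_MAX_NUMNODES)
        return -EINVAL;          /* refuse before any array access */
    *node = (n == MODEL_NO_NODE) ? 0 : n;
    return 0;
}

/* Caller that touches the array only after validation has succeeded. */
static int model_alloc(unsigned int memflags)
{
    unsigned int node;
    int rc = bounded_check(memflags, &node);
    if (rc)
        return rc;
    model_avail[node]++;
    return (int)node;
}

int main(void)
{
    unsigned int n = 0;
    int weak = sentinel_only_check(0x4500u, &n); /* constructed input: node 69 */
    printf("sentinel-only check: rc=%d node=%u\n", weak, n);
    printf("bounded check:       rc=%d\n", model_alloc(0x4500u));
    return 0;
}
```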

IMPACT
======
An attacker using crafted hypercalls can execute arbitrary code within
Xen.

VULNERABLE SYSTEMS
==================
All versions of Xen are affected.
Both ARM and x86 are affected.
Both systems running HVM guests and systems running PV guests are
affected.

MITIGATION
==========
No known mitigation.

External References:
http://xenbits.xen.org/xsa/advisory-231.html