When mapping a grant reference, a guest must inform Xen of where it
would like the grant mapped. For PV guests, this is done by nominating
an existing linear address, or an L1 pagetable entry, to be altered.
Neither of these PV paths check for alignment of the passed parameter.
The linear address path suitably truncates the linear address when
calculating the L1 entry to use, but the path which uses a directly
nominated L1 entry performs no checks.
This causes Xen to make an incorrectly-aligned update to a pagetable,
which corrupts both the intended entry and the subsequent entry with
values which are largely guest controlled. If the misaligned value
crosses a page boundary, then an arbitrary other heap page is
A PV guest can elevate its privilege to that of the host.
All versions of Xen are vulnerable.
Only x86 systems are vulnerable.
Any system running untrusted PV guests is vulnerable.
The vulnerability is exposed to PV stub qemu serving as the device model
for HVM guests. Our default assumption is that an HVM guest has
compromised its PV stub qemu. By extension, it is likely that the
vulnerability is exposed to HVM guests which are served by a PV stub
Running only HVM guests, served by a dom0-based qemu, will avoid this
Name: the Xen project
Upstream: Andrew Cooper (Citrix)
Created xen tracking bugs for this issue:
Affects: fedora-all [bug 1481765]