Red Hat Bugzilla – Bug 658155
CVE-2010-4255 xen: 64-bit PV xen guest can crash host by accessing hypervisor per-domain memory area
Last modified: 2015-08-19 05:00:14 EDT
The bug description and patch in upstream xen-devel mailing list: http://lists.xensource.com/archives/html/xen-devel/2010-11/msg01650.html
handle_gdt_ldt_mapping_fault() is intended to deal with indirect accesses (i.e. those caused by descriptor loads) to the GDT/LDT mapping area only. While for 32-bit segment limits indeed prevent the function being entered for direct accesses (i.e. a #GP fault will be raised even before the address translation gets done, on 64-bit even user mode accesses would lead to control reaching the BUG_ON() at the beginning of that function.
Fortunately the fix is simple: Since the guest kernel runs in ring 3, any guest direct access will have the "user mode" bit set, whereas descriptor loads always do the translations to access the actual descriptors as kernel mode ones.
This issue has been addressed in following products:
Red Hat Enterprise Linux 5
Via RHSA-2011:0017 https://rhn.redhat.com/errata/RHSA-2011-0017.html