The x86_64 __addr_ok() macro intends to ensure that the checked address is either in the positive half of the 48-bit virtual address space, or above the Xen-reserved area. However, the current shift count is off-by-one, allowing full access to the "negative half" too, via certain hypercalls which ignore virtual-address bits [63:48]. As a result, a malicious guest administrator on a vulnerable system is able to crash the host. There are no known further exploits but these have not been ruled out.
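The off-by-one described above, modelled as an added example (not Xen's source and not part of the original report). The reserved-area bounds and all function names are assumptions made for illustration; `effective_addr` models a consumer that ignores bits [63:48].

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed bounds for this model (not taken from the report): the reserved
 * area starts at the bottom of the negative half and ends at RESERVED_END. */
#define RESERVED_START 0xffff800000000000ULL
#define RESERVED_END   0xffff880000000000ULL

/* Range check with the shift count one too large, as the report describes. */
static int addr_ok_buggy(uint64_t a)
{
    return a < (1ULL << 48) || a >= RESERVED_END;
}

/* Intended check: the positive half of a 48-bit space is [0, 2^47). */
static int addr_ok_fixed(uint64_t a)
{
    return a < (1ULL << 47) || a >= RESERVED_END;
}

/* Address seen by a consumer that ignores bits [63:48]:
 * the low 48 bits, sign-extended from bit 47. */
static uint64_t effective_addr(uint64_t a)
{
    uint64_t low = a & ((1ULL << 48) - 1);
    return (low & (1ULL << 47)) ? (low | 0xffff000000000000ULL) : low;
}

static int in_reserved(uint64_t a)
{
    return a >= RESERVED_START && a < RESERVED_END;
}

/* 1 if the check accepts an address whose effective form is reserved. */
static int leaks_reserved(int (*check)(uint64_t), uint64_t a)
{
    return check(a) && in_reserved(effective_addr(a));
}

int main(void)
{
    /* Constructed boundary values around 2^47 and the reserved area. */
    const uint64_t s[] = { 0x00007fffffffffffULL, 0x0000800000000000ULL,
                           0x0000880000000000ULL, 0xffff880000000000ULL };
    for (size_t i = 0; i < sizeof s / sizeof *s; i++)
        printf("%#018llx buggy=%d fixed=%d\n", (unsigned long long)s[i],
               leaks_reserved(addr_ok_buggy, s[i]),
               leaks_reserved(addr_ok_fixed, s[i]));
    return 0;
}
```

The boundary values at 2^47 - 1 and 2^47 are the ones a regression test for the corrected check should cover.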
Statement: The versions of the Linux kernel as shipped with Red Hat Enterprise Linux 4, 6, and Red Hat Enterprise MRG are not affected. This has been addressed in Red Hat Enterprise Linux 5 via https://rhn.redhat.com/errata/RHSA-2011-1212.html.
Created attachment 521288: upstream patch. From the upstream advisory: http://www.openwall.com/lists/oss-security/2011/09/02/2
This issue has been addressed in the following products: Red Hat Enterprise Linux 5, via RHSA-2011:1212 https://rhn.redhat.com/errata/RHSA-2011-1212.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 5.6.Z - Server Only, via RHSA-2011:1813 https://rhn.redhat.com/errata/RHSA-2011-1813.html
Created xen tracking bugs for this issue. Affects: fedora-all [bug 798934]