Re: [Xen-devel] Xen Security Advisory 7 (CVE-2012-0217) - PV privilege escalation
On Tue, 2012-06-12 at 13:15 +0100, Andy Smith wrote:
> A quick question with regard to XSA-7:
> On Tue, Jun 12, 2012 at 01:02:32PM +0100, Xen.org security team wrote:
> > MITIGATION
> > ==========
> > This issue can be mitigated by running HVM (fully-virtualised)
> > or 32 bit PV guests only.
> Assuming 64-bit hypervisor and dom0, with PV guests booted using
> pygrub, is there any way to restrict guests to 32-bit only?
Nothing which has been implemented but a couple of ideas which spring to
my mind, in no particular order:
  * A wrapper around pygrub to vet the kernel which it has
    extracted. I think this is a case of checking the machine type
    specified in the kernel's ELF header (and that it really is ELF
  * Patch tools/libxc/xc_dom_x86.c to remove the
    xc_dom_register_arch_hooks call for xc_dom_64.
  * Use XSM to deny XEN_DOMCTL_set_address_size (I'm not sure how
    this stuff works).
Realistically the only robust way (i.e. the one which you could be most
sure of doing its job properly with the least possibility of a sneakily
constructed kernel getting around the validation routines etc.) would be
to do it in the hypervisor, at which point you might as well just apply
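
The header check from the first idea above, as an added example that is not part of the original message or of the Xen tools. The function names and the sample headers are constructed for illustration, and the check assumes the extracted kernel is a plain ELF file, so it fails closed on anything else (compressed or bzImage kernels included).

```python
import struct

ELF_MAGIC = b"\x7fELF"
ELFCLASS32, ELFCLASS64 = 1, 2   # e_ident[EI_CLASS]
ELFDATA2LSB = 1                 # e_ident[EI_DATA], little-endian
EM_386, EM_X86_64 = 3, 62       # e_machine values


def vet_kernel_header(blob):
    """Return (allowed, reason) for the first bytes of an extracted kernel.

    Fails closed: only a little-endian ELF32 image with e_machine == EM_386
    is allowed. ELF64, non-ELF and truncated input are all refused.
    """
    if len(blob) < 20:
        return False, "too short for an ELF header"
    if blob[:4] != ELF_MAGIC:
        return False, "not ELF (compressed or bzImage kernels are refused)"
    ei_class, ei_data = blob[4], blob[5]
    if ei_data != ELFDATA2LSB:
        return False, "not little-endian"
    # e_type and e_machine (2 bytes each) follow the 16-byte e_ident,
    # at the same offset in ELF32 and ELF64.
    _e_type, e_machine = struct.unpack_from("<HH", blob, 16)
    if ei_class != ELFCLASS32:
        return False, "EI_CLASS is not ELFCLASS32"
    if e_machine != EM_386:
        return False, "e_machine is not EM_386"
    return True, "ELF32 / EM_386"


def vet_kernel_file(path):
    """Hypothetical wrapper entry point: vet the file pygrub extracted."""
    with open(path, "rb") as f:
        return vet_kernel_header(f.read(20))


def make_header(ei_class, e_machine):
    """Build a constructed 20-byte ELF header prefix for the demo."""
    ident = ELF_MAGIC + bytes([ei_class, ELFDATA2LSB, 1]) + b"\x00" * 9
    return ident + struct.pack("<HH", 2, e_machine)


if __name__ == "__main__":
    samples = {
        "32-bit": make_header(ELFCLASS32, EM_386),
        "64-bit": make_header(ELFCLASS64, EM_X86_64),
        "class/machine mismatch": make_header(ELFCLASS32, EM_X86_64),
        "gzip (constructed)": b"\x1f\x8b\x08" + b"\x00" * 32,
    }
    for name, blob in samples.items():
        print(name, vet_kernel_header(blob))
```

This only checks what the header claims about the image, which is why the message treats a userspace check as less robust than enforcing the restriction in the hypervisor.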