
Re: [Xen-devel] Xen Security Advisory 7 (CVE-2012-0217) - PV privilege escalation



On Tue, 2012-06-12 at 13:15 +0100, Andy Smith wrote:
> Hello,
> 
> A quick question with regard to XSA-7:
> 
> On Tue, Jun 12, 2012 at 01:02:32PM +0100, Xen.org security team wrote:
> > MITIGATION
> > ==========
> > 
> > This issue can be mitigated by running HVM (fully-virtualised)
> > or 32 bit PV guests only.
> 
> Assuming 64-bit hypervisor and dom0, with PV guests booted using
> pygrub, is there any way to restrict guests to 32-bit only?

Nothing which has been implemented but a couple of ideas which spring to
my mind, in no particular order:

      * A wrapper around pygrub to vet the kernel which it has
        extracted. I think this is a case of checking the machine type
        specified in the kernel's ELF header (and that it really is ELF
        etc etc).
      * Patch tools/libxc/xc_dom_x86.c to remove the
        xc_dom_register_arch_hooks call for xc_dom_64.
      * Use XSM to deny XEN_DOMCTL_set_address_size (I'm not sure how
        this stuff works).

Realistically the only robust way (i.e. the one which you could be most
sure of doing its job properly with the least possibility of a sneakily
constructed kernel getting around the validation routines etc.) would be
to do it in the hypervisor, at which point you might as well just apply
the fix.

Ian.



_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
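
The first idea in the message above (vetting the ELF header of the kernel pygrub has extracted) could look like the following. This is an added example, not part of the original message or of Xen's tools; the function names are hypothetical, and it assumes the extracted kernel is an uncompressed ELF image, so anything else (bzImage, gzip) is rejected rather than unpacked.

```python
import struct
import sys

ELF_MAGIC = b"\x7fELF"
ELFCLASS32 = 1      # e_ident[EI_CLASS] value for 32-bit objects
ELFDATA2LSB = 1     # e_ident[EI_DATA] value for little-endian
EM_386 = 3          # e_machine for i386 (x86-64 is 62)


class KernelRejected(Exception):
    """Raised when the image is not provably a 32-bit x86 ELF."""


def vet_kernel_header(data):
    """Fail closed: accept only a 32-bit little-endian i386 ELF header."""
    if len(data) < 20:
        raise KernelRejected("too short to hold an ELF header")
    if data[:4] != ELF_MAGIC:
        raise KernelRejected("not an ELF image")
    if data[4] != ELFCLASS32:
        raise KernelRejected("EI_CLASS is not ELFCLASS32")
    if data[5] != ELFDATA2LSB:
        raise KernelRejected("EI_DATA is not little-endian")
    # e_type and e_machine follow the 16-byte e_ident array.
    _e_type, e_machine = struct.unpack_from("<HH", data, 16)
    if e_machine != EM_386:
        raise KernelRejected("e_machine is %d, expected EM_386" % e_machine)
    return True


def vet_kernel_file(path):
    with open(path, "rb") as f:
        return vet_kernel_header(f.read(64))


def constructed_header(ei_class, e_machine):
    """Build a constructed (synthetic) ELF header prefix for testing."""
    ident = ELF_MAGIC + bytes([ei_class, ELFDATA2LSB, 1]) + b"\x00" * 9
    return ident + struct.pack("<HH", 2, e_machine) + b"\x00" * 32


if __name__ == "__main__":
    # Usage: vet_kernel.py /path/to/extracted-kernel
    try:
        vet_kernel_file(sys.argv[1])
    except (KernelRejected, OSError, IndexError) as exc:
        sys.exit("refusing to boot guest kernel: %s" % exc)
```

The check reads only the ELF header, so it carries the limitation the message describes: it is a tools-level filter, not a substitute for the hypervisor fix.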


 

