On Sun, Feb 10, 2008 at 06:56:59AM -0600, William Pitcock wrote:
> I'm sorry but I cannot provide evidence because it would involve
> crashing a production machine. Users of said machine are already annoyed
> that it crashed the first time.

Okay. Where did you run the exploit the first time?

> The exploit works by altering the memory map (via vmsplice()) to get
> access into kernel space. Since the memory map is altered in the domU,
> it is no longer in sync with the global state. Each domU is aware of the
> state of the other domUs in Xen (at least, this is what the
> documentation tells me, and this would explain why you can't, for example,
> mix NON-PAE and PAE kernels on x86). If one domU gets out of sync, it
> could cause state corruption in the hypervisor.

No, this is not correct. The physical-to-machine translation is publicly
readable. This table is not writable by the domains. The exploit changes
only the Linux page table. On an x86_64 machine, it just raises a GPF.

Bastian

-- 
Vulcans believe peace should not depend on force.
		-- Amanda, "Journey to Babel", stardate 3842.3