Hi,

On Sun, 2008-02-10 at 14:40 +0100, Bastian Blank wrote:
> On Sun, Feb 10, 2008 at 06:56:59AM -0600, William Pitcock wrote:
> > I'm sorry but I cannot provide evidence because it would involve
> > crashing a production machine. Users of said machine are already annoyed
> > that it crashed the first time.
>
> Okay. Where did you run the exploit the first time?
On one of my production servers, to see if I was vulnerable. The configuration of which is:

* 4 Intel Xeon processors (old P4 kind)
* 4GB RAM
* 15 Xen domains

I hope that is a useful enough description.

> > > The exploit works by altering the memory map (via vmsplice()) to get
> > > access into kernel space. Since the memory map is altered in the domU,
> > > it is no longer in sync with the global state. Each domU is aware of the
> > > state of the other domUs in Xen (at least, this is what the
> > > documentation tells me, and this would explain why you can't, for example,
> > > mix NON-PAE and PAE kernels on x86). If one domU gets out of sync, it
> > > could cause state corruption in the hypervisor.
>
> No, this is not correct. The physical-to-machine translation is publicly
> readable. This table is not writable by the domains. The exploit changes
> only the Linux page table.
>
> On an x86_64 machine, it just raises a GPF.

Are you sure? Because I'm pretty sure the exploit caused Xen (or at least the dom0) to crash even though it was run in a domU.

William