Xen Test Framework
|
Advisory: XSA-298
The pv32 ABI allows the use of call gates, because in the days of 32bit CPUs with 4 full rings of protection, they really did work. When 64bit CPUs came along, the use of call gates was restricted to only targeting 64bit code segments. Therefore, a 64bit Xen running a 32bit PV guest has to emulate call gates to maintain the pv32 ABI.
The emulation bug is that the LDT limit, as set by the kernel, isn't respected.
Crafty userspace can therefore use two properties of Xen:
1) LDT frames undergo type promotion on first use, rather than up-front at context switch time. 2) The way a guest kernel indicates "no LDT" to Xen is to set its linear address to 0.
and the common behaviour that no-one uses LDTs these days to escalate its privileges into the guest kernel.
It does so by writing a suitable looking gate somewhere in the range 0 to 64k, remapping the gate as read-only (so it will successfully type promote), then attempting to use the gate via the LDT.
Xen's emulation skips the LDT limit check (which should be 0, and disallow the LDT reference), finds a read-only frame which successfully promotes to being a seg-desc frame, then proceeds to emulate the call itself.