CVSS2 score: 4.7 Medium
Attack Vector: LOCAL
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: COMPLETE
CVSS2 vector: AV:L/AC:M/Au:N/C:N/I:N/A:C
EPSS: 0.001 Low
EPSS Percentile: 28.1%
guest_physmap_mark_populate_on_demand(), before carrying out its actual operation, checks that the subject GFNs are not in use. If that check fails, the code prints a message and returns without the gfn_unlock() matching the gfn_lock() taken before entering the loop, so the lock is left held.
Further, the function is exposed to guests acting on their own behalf. While we believe that this does not cause any further issues, we have not conducted a thorough enough review to be sure. Rather, it should be exposed only to privileged domains.
A malicious guest administrator can cause Xen to hang.
All Xen versions from 3.4 on are vulnerable.
The vulnerability is only exposed by HVM guests.
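A constructed C model of the lock-imbalance pattern described above, added here as an illustration and not Xen's own code: gfn_lock()/gfn_unlock() are assumed counting stubs, p2m_in_use is a constructed stand-in for the p2m, and mark_pod_buggy()/mark_pod_fixed() are hypothetical names. The buggy form returns from the in-use check with the lock still held (the condition that leaves the hypervisor hung on the next acquire); the fixed form routes every exit through the unlock, which is the check a reviewer wants on any lock-then-loop function.

```c
#include <stdio.h>
/* Constructed stand-ins, not Xen's real code: a counting lock and a tiny
 * "p2m" array where nonzero means the GFN is already in use. */
static int lock_depth;              /* >0: the hypothetical p2m lock is held */
static void gfn_lock(void)   { lock_depth++; }
static void gfn_unlock(void) { lock_depth--; }
static int p2m_in_use[8] = {0, 0, 1, 0, 0, 0, 0, 0};

/* Buggy pattern: the early return on an in-use GFN skips gfn_unlock(). */
int mark_pod_buggy(int gfn, int count)
{
    int i;
    gfn_lock();
    for (i = 0; i < count; i++) {
        if (p2m_in_use[gfn + i]) {
            printf("gfn %d already in use\n", gfn + i);
            return -1;              /* lock still held on this path */
        }
    }
    for (i = 0; i < count; i++)
        p2m_in_use[gfn + i] = 2;    /* mark as populate-on-demand */
    gfn_unlock();
    return 0;
}

/* Fixed pattern: every exit path runs through the matching unlock. */
int mark_pod_fixed(int gfn, int count)
{
    int i, rc = 0;
    gfn_lock();
    for (i = 0; i < count; i++) {
        if (p2m_in_use[gfn + i]) {
            printf("gfn %d already in use\n", gfn + i);
            rc = -1;
            goto out;
        }
    }
    for (i = 0; i < count; i++)
        p2m_in_use[gfn + i] = 2;
out:
    gfn_unlock();
    return rc;
}

/* Lock depth left behind by one call: 0 is balanced, 1 is the leaked lock. */
int lock_depth_after(int (*fn)(int, int), int gfn, int count)
{
    lock_depth = 0;
    fn(gfn, count);
    return lock_depth;
}
```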