Xen VM Escape

[Alan Hikerell <hikerell () gmail com>]

Xen XSA-148(http://xenbits.xen.org/xsa/advisory-148.html) is the real VM
Escape Vulnerability

XSA-148 is public just now and it's a memory management logic vulnerability
obviously.
The bulletin means that a micious PV DomU could enable PS/RW flag of its
PDE to read/write the 2M page.
So, if a attacker prepare a page table at the 2M page, he could use the
vulnerability to modify the PT.
Finally, this vulnerability changes to a arbitrary machine memory
read/write vulnerability.

-- 
hikerell

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/