oss-sec mailing list archives

kernel: xen: CVE-2011-2901


From: Petr Matousek <pmatouse () redhat com>
Date: Tue, 30 Aug 2011 17:59:18 +0200

CVE-2011-2901 kernel: xen: off-by-one shift in x86_64 __addr_ok()

The x86_64 __addr_ok() macro intends to ensure that the checked address
is either in the positive half of the 48-bit virtual address space, or
above the Xen-reserved area. However, the current shift count is
off-by-one, allowing full access to the "negative half" too, via
certain hypercalls which ignore virtual-address bits [63:48]. 

As a result, a malicious guest administrator on a vulnerable system is
able to crash the host.

Upstream status: 
This issue only affects very old hypervisors, Xen 3.3 and earlier.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=728042

Thanks,
-- 
Petr Matousek / Red Hat Security Response Team
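The shift-count defect described in the advisory, as an added C example (not Xen's own code): the off-by-one check beside its corrected form, plus a model of a hypercall that ignores bits [63:48]. The HYPERVISOR_VIRT_START/END values and all function names are assumptions made for this example.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed x86_64 Xen layout for this example (real values are in the
 * hypervisor's headers): the reserved area starts at the bottom of the
 * "negative half", i.e. bit 47 set and bits [63:48] all ones. */
#define HYPERVISOR_VIRT_START UINT64_C(0xffff800000000000)
#define HYPERVISOR_VIRT_END   UINT64_C(0xffff880000000000)

/* The check as the advisory describes it: accept the positive half of the
 * 48-bit space, or anything above the Xen-reserved area. The positive half
 * is [0, 2^47), so the shift must be 47; the vulnerable form shifted by 48. */
static bool addr_ok_vulnerable(uint64_t addr)
{
    return addr < (UINT64_C(1) << 48) || addr >= HYPERVISOR_VIRT_END;
}
static bool addr_ok_fixed(uint64_t addr)
{
    return addr < (UINT64_C(1) << 47) || addr >= HYPERVISOR_VIRT_END;
}

/* Model a hypercall that ignores bits [63:48]: only the low 48 bits are
 * used, and a canonical address sign-extends bit 47 into bits [63:48]. */
static uint64_t effective_addr(uint64_t addr)
{
    uint64_t low48 = addr & UINT64_C(0xffffffffffff);
    return (low48 >> 47) ? (low48 | UINT64_C(0xffff000000000000)) : low48;
}

/* True if a guest-supplied address would resolve inside the Xen-reserved
 * area once the hypercall has discarded bits [63:48]. */
static bool resolves_into_xen_area(uint64_t addr)
{
    uint64_t eff = effective_addr(addr);
    return eff >= HYPERVISOR_VIRT_START && eff < HYPERVISOR_VIRT_END;
}

int main(void)
{
    /* Constructed samples: positive half; bit 47 set with [63:48] clear
     * (numerically below 2^48, so the off-by-one accepts it); guest kernel. */
    uint64_t samples[] = { UINT64_C(0x00007ffffffff000),
                           UINT64_C(0x0000800000001000),
                           UINT64_C(0xffff880000001000) };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%016" PRIx64 " vulnerable=%d fixed=%d hits_xen=%d\n", samples[i],
               addr_ok_vulnerable(samples[i]), addr_ok_fixed(samples[i]),
               resolves_into_xen_area(samples[i]));
    return 0;
}
```

The middle sample passes the vulnerable check only because the comparison is done on the full 64-bit value, while the hypercall then acts on the sign-extended 48-bit address inside the reserved area.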

