Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Lack of .bss Clearing in Linux Kernel - 921

sick.codes, posted 3 years ago
  • Virtualization, especially with hypervisors in place, needs to ensure that no assets leak from one virtual machine to another or from the hypervisor to a virtual machine. Failure to do so may result in VM escapes or cross-box contamination.
  • In the mainline Linux kernel from 5.18-rc1 to 5.19-rc6, statically allocated .bss (block starting symbol) sections were not being cleared upon moving between Xen PV guests and hosts. Because of this, a virtual machine guest connecting to the Xen IOMMU could access restricted memory. This can be done by calling kexec() from the guest.
  • This appears to be a regression introduced while attempting to add support for the hypervisor. The proof of concept shows a simple NULL pointer dereference, but the impact could be much worse.
  • Overall, an interesting and impactful bug. But, I wish the explanation in the article was easier to understand. The proof of concept is just a crash log and doesn't say how this was triggered.