[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-devel] Xen Security Advisory 106 - Missing privilege level checks in x86 emulation of software interrupts
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory XSA-106 version 2 Missing privilege level checks in x86 emulation of software interrupts UPDATES IN VERSION 2 ==================== Public Release. ISSUE DESCRIPTION ================= The emulation of instructions which generate software interrupts fails to perform supervisor mode permission checks. However these instructions are not usually handled by the emulator. Exceptions to this are - - when a memory operand (implicit for the affected instructions) lives in (emulated or passed through) memory mapped IO space, - - in the case of guests running in 32-bit PAE mode, when such an instruction is (in execution flow) within four instructions of one doing a page table update, - - when an Invalid Opcode exception gets raised by a guest instruction, and the guest then (likely maliciously) alters the instruction to become one of the affected ones, - - when the guest is in real mode (in which case there are no privilege checks anyway). IMPACT ====== Malicious HVM guest user mode code may be able to crash the guest. VULNERABLE SYSTEMS ================== Xen versions from 3.3 onwards are vulnerable. Only user processes in HVM guests can take advantage of this vulnerability. MITIGATION ========== Running only PV guests will avoid this issue. There is no mitigation available for HVM guests. CREDITS ======= This issue was discovered Andrei Lutas at BitDefender and analyzed by Andrew Cooper at Citrix. RESOLUTION ========== Applying the attached patch resolves this issue. xsa106.patch xen-unstable, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x $ sha256sum xsa106*.patch 301060f801ab39c15ac773e1bcc250f0e6bf30d748007a96173459b83afc9270 xsa106.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJUIWPoAAoJEIP+FMlX6CvZeUAIAIV9TvZK3c6ffMYcWOaeRa+s bSZiFhIzMumnxpJTgCBjqOsQHT5bw1CTf3iW49SBsHly5X/oWJg0ys+shWjBXKl0 SwAkJcywOG3c2ZdxyCJdSM2eQbOhDgympqde7GTTkG29uoqAyAa0kDXn9lBllJPY H7ZIB7K+EA77yxgADH/YO4ZGFWelnUaOb+3qorw3GtdWAVHhhXr4Gnq98vOFnRlU 7JI71KH647gjiBQgdy6Wmkn7q7xsLfpYkxs9YronwyjxxHnEOO3Gx3zkEHHIaio/ YzqQPh96d1FZaO5La8ddhlBDyulDDMVKwLg82rtICD8kWwTtqZHuSFHbTmvC+qs= =rTiy -----END PGP SIGNATURE----- Attachment:
xsa106.patch _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |