[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-users] PV privilege escalation - advisory



On Thu, 2012-06-14 at 23:40 +0100, Florian Heigl wrote:
> I'd also love to know if this instruction is available if VT is disabled.

The sysret instruction is nothing to do with HVM/VT etc (and predates
it) and cannot (AFAIK) be disabled and certainly not by turning off VT.

However the hypervisor won't use the sysret instruction to return to the
guest so there is no way for an HVM guest to exploit this particular
issue.

> Basically, I run ~25 PV Linux domUs none of which has an old kernel and 1 HVM.
> (A FreeBSD box, with a user that I do not have to worry about)
> 
> A malicious user could probably remove the bugfix from his linux
> kernel version and have a happy ride again, so this, well, sucks.
> 
> Flipping something in BIOS would make me a lot happier.
> 
> 
> 2012/6/14 Jonathan Tripathy <jonnyt@xxxxxxxxxxx>:
> 
> 
> >>>  From a brief look this vulnerability does not impact the hypervisor..
> >>> right ?
> >>
> >> The bug is on the hypervisor as well:
> >> https://bugzilla.redhat.com/show_bug.cgi?id=813428
> >>
> >>
> > My understanding is that this is *only* a hypervisor issue, *not* a kernel
> > issue. The only reason why an updated RHEL kernel-xen package fixes this, is
> > because the kernel-xen package includes the Xen hypervisor. I've always
> > thought the RHEL package name "kernel-xen" was misleading. They should have
> > called it something like "xen-server" or something.
> >
> > Please someone correct me if I'm wrong
> 
> Don't know :>

The RH kernel-xen package contains both the kernel and the hypervisor in
a single package (presumably in some way matched for supportability
purposes).

This issue is only a hypervisor issue, fixing the hypervisor means you
don't need to worry/care about guest kernels etc.

There is some confusion around this because the same issue also effects
some baremetal operating systems. Baremetal Linux was fixed in 2005,
which helps add a (small) hurdle to guest users exploiting the issue.
You need to trust your guest kernels because a malicious guest admin
could unpatch their kernel in order to exploit this on a system running
a vulnerable hypevisor.

I hope that's made things clearer rather than more confusing...

Ian.


_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxx
http://lists.xen.org/xen-users


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.