-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Xen Security Advisory XSA-106
version 2
Missing privilege level checks in x86 emulation of software interrupts
UPDATES IN VERSION 2
====================
Public Release.
ISSUE DESCRIPTION
=================
The emulation of instructions which generate software interrupts fails
to perform supervisor mode permission checks.
However these instructions are not usually handled by the emulator.
Exceptions to this are
- - when a memory operand (implicit for the affected instructions) lives
in (emulated or passed through) memory mapped IO space,
- - in the case of guests running in 32-bit PAE mode, when such an
instruction is (in execution flow) within four instructions of one
doing a page table update,
- - when an Invalid Opcode exception gets raised by a guest instruction,
and the guest then (likely maliciously) alters the instruction to
become one of the affected ones,
- - when the guest is in real mode (in which case there are no privilege
checks anyway).
IMPACT
======
Malicious HVM guest user mode code may be able to crash the guest.
VULNERABLE SYSTEMS
==================
Xen versions from 3.3 onwards are vulnerable.
Only user processes in HVM guests can take advantage of this
vulnerability.
MITIGATION
==========
Running only PV guests will avoid this issue.
There is no mitigation available for HVM guests.
CREDITS
=======
This issue was discovered Andrei Lutas at BitDefender and analyzed by
Andrew Cooper at Citrix.
RESOLUTION
==========
Applying the attached patch resolves this issue.
xsa106.patch xen-unstable, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x
$ sha256sum xsa106*.patch
301060f801ab39c15ac773e1bcc250f0e6bf30d748007a96173459b83afc9270 xsa106.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQEcBAEBAgAGBQJUIWPoAAoJEIP+FMlX6CvZeUAIAIV9TvZK3c6ffMYcWOaeRa+s
bSZiFhIzMumnxpJTgCBjqOsQHT5bw1CTf3iW49SBsHly5X/oWJg0ys+shWjBXKl0
SwAkJcywOG3c2ZdxyCJdSM2eQbOhDgympqde7GTTkG29uoqAyAa0kDXn9lBllJPY
H7ZIB7K+EA77yxgADH/YO4ZGFWelnUaOb+3qorw3GtdWAVHhhXr4Gnq98vOFnRlU
7JI71KH647gjiBQgdy6Wmkn7q7xsLfpYkxs9YronwyjxxHnEOO3Gx3zkEHHIaio/
YzqQPh96d1FZaO5La8ddhlBDyulDDMVKwLg82rtICD8kWwTtqZHuSFHbTmvC+qs=
=rTiy
-----END PGP SIGNATURE-----
Hash: SHA1
Xen Security Advisory XSA-106
version 2
Missing privilege level checks in x86 emulation of software interrupts
UPDATES IN VERSION 2
====================
Public Release.
ISSUE DESCRIPTION
=================
The emulation of instructions which generate software interrupts fails
to perform supervisor mode permission checks.
However these instructions are not usually handled by the emulator.
Exceptions to this are
- - when a memory operand (implicit for the affected instructions) lives
in (emulated or passed through) memory mapped IO space,
- - in the case of guests running in 32-bit PAE mode, when such an
instruction is (in execution flow) within four instructions of one
doing a page table update,
- - when an Invalid Opcode exception gets raised by a guest instruction,
and the guest then (likely maliciously) alters the instruction to
become one of the affected ones,
- - when the guest is in real mode (in which case there are no privilege
checks anyway).
IMPACT
======
Malicious HVM guest user mode code may be able to crash the guest.
VULNERABLE SYSTEMS
==================
Xen versions from 3.3 onwards are vulnerable.
Only user processes in HVM guests can take advantage of this
vulnerability.
MITIGATION
==========
Running only PV guests will avoid this issue.
There is no mitigation available for HVM guests.
CREDITS
=======
This issue was discovered Andrei Lutas at BitDefender and analyzed by
Andrew Cooper at Citrix.
RESOLUTION
==========
Applying the attached patch resolves this issue.
xsa106.patch xen-unstable, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x
$ sha256sum xsa106*.patch
301060f801ab39c15ac773e1bcc250f0e6bf30d748007a96173459b83afc9270 xsa106.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQEcBAEBAgAGBQJUIWPoAAoJEIP+FMlX6CvZeUAIAIV9TvZK3c6ffMYcWOaeRa+s
bSZiFhIzMumnxpJTgCBjqOsQHT5bw1CTf3iW49SBsHly5X/oWJg0ys+shWjBXKl0
SwAkJcywOG3c2ZdxyCJdSM2eQbOhDgympqde7GTTkG29uoqAyAa0kDXn9lBllJPY
H7ZIB7K+EA77yxgADH/YO4ZGFWelnUaOb+3qorw3GtdWAVHhhXr4Gnq98vOFnRlU
7JI71KH647gjiBQgdy6Wmkn7q7xsLfpYkxs9YronwyjxxHnEOO3Gx3zkEHHIaio/
YzqQPh96d1FZaO5La8ddhlBDyulDDMVKwLg82rtICD8kWwTtqZHuSFHbTmvC+qs=
=rTiy
-----END PGP SIGNATURE-----
Attached Files:
-
xsa106.patch (0.90 KB)