Mailing List Archive

Xen Security Advisory 260 (CVE-2018-8897) - x86: mishandling of debug exceptions
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Xen Security Advisory CVE-2018-8897 / XSA-260
version 2

x86: mishandling of debug exceptions

UPDATES IN VERSION 2
====================

Public release.

Updated .meta file

ISSUE DESCRIPTION
=================

When switching stacks, it is critical to have a matching stack segment
and stack pointer. To allow an atomic update from what would otherwise
be two adjacent instructions, an update which changes the stack segment
(either a mov or pop instruction with %ss encoded as the destination
register) sets the movss shadow for one instruction.

The exact behaviour of the movss shadow is poorly understood.

In practice, a movss shadow delays some debug exceptions (e.g. from a
hardware breakpoint) until the subsequent instruction has completed. If
the subsequent instruction normally transitions to supervisor mode
(e.g. a system call), then the debug exception will be taken after the
transition to ring0 is completed.

For most transitions to supervisor mode, this only confuses Xen into
printing a lot of debugging information. For the syscall instruction
however, the exception gets taken before the syscall handler can move
off the guest stack.

IMPACT
======

A malicious PV guest can escalate their privilege to that of the
hypervisor.

VULNERABLE SYSTEMS
==================

All versions of Xen are vulnerable.

Only x86 systems are vulnerable. ARM systems are not vulnerable.

Only x86 PV guests can exploit the vulnerability. x86 HVM and PVH
guests cannot exploit the vulnerability.

An attacker needs to be able to control hardware debugging facilities to
exploit the vulnerability, but such permissions are typically available
to unprivileged users.

MITIGATION
==========

Running only HVM or PVH guests avoids the vulnerability.

Note however that a compromised device model (running in dom0 or a
stub domain) can carry out this attack, so users with HVM domains are
also advised to patch their systems.

CREDITS
=======

This issue was discovered by Andy Lutomirski, and Nick Peterson of Everdox
Tech LLC.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa260-unstable/*.patch xen-unstable
xsa260-4.10/*.patch Xen 4.10.x
xsa260-4.9/*.patch Xen 4.9.x
xsa260-4.8/*.patch Xen 4.8.x
xsa260-4.7/*.patch Xen 4.7.x
xsa260-4.6/*.patch Xen 4.6.x

$ sha256sum xsa260* xsa260*/*
f436009ea6d6a30cf9c316e909dcd260c223264884d2e4fc5b74bdaf2e515815 xsa260.meta
0f7e3cfecc59986fc950694bba7bb31ee9680b2390920335d6853fdf83ded9ef xsa260-unstable/xsa260-1.patch
4df5b9d05a8f02754b1e819b8cad35b3da9ba7fcdaee0fc762d572481ef69f93 xsa260-unstable/xsa260-2.patch
5c3f9cbc777ed7a93a97a4665e0188e1b1a05dd057da830203e018c73e9e5ce7 xsa260-unstable/xsa260-3.patch
4b280ec02418f30f0576e84f23ae565acee4fcc2d398b3828c1e12d9346583af xsa260-unstable/xsa260-4.patch
2c5ce2851351a40df9ed17fae3c6f7505dcda60209945321b545b6b6e4f065cb xsa260-4.6/xsa260-1.patch
bfa2eb161f570b0295464ef41fc5add52e10853a1ec81de107f1a9deb945982f xsa260-4.6/xsa260-2.patch
2f30c4fbebeb77da50caff62a0f28d3afe8993bee19233543170f1955cebdcbc xsa260-4.6/xsa260-3.patch
363af89377d5819ad1450c8806824707d3e15700c179129aed62128e62ab1a0e xsa260-4.6/xsa260-4.patch
0c2552a36737975f4f46d7054b49fd018b68c302cef3b39b27c2f17cc60eb531 xsa260-4.7/xsa260-1.patch
a92ef233a83923d6a18d51528ff28630ae3f1134ee76f2347397e22da9c84c24 xsa260-4.7/xsa260-2.patch
8469af8ba5b6722738b27c328eccc1d341af49c2e2bb23fe7b327a3349267b0e xsa260-4.7/xsa260-3.patch
0327c2ef7984a4aa000849c68a01181fdb01962637e78629c6fb34bb95414a74 xsa260-4.7/xsa260-4.patch
a9be346f111bca3faf98045c089638ba960f291eb9ace03e8922d7b4f8a9b37e xsa260-4.8/xsa260-1.patch
740c0ee49936430fdf66ae8b75f9f51fe728c71a7c7a56667f845aea7669d344 xsa260-4.8/xsa260-2.patch
94dbb7ad7d409f9170950162904247c7cf0e360cec2a0a1f1a6653ce9ca43283 xsa260-4.8/xsa260-3.patch
db440d76685cf1e8c332aea2aa13e6be43b1b7f68d9225dfe99bb2ee12e18b9e xsa260-4.8/xsa260-4.patch
11b55f664a4043ed3a79d3e1a07877c68c8c19df6112feffdac1e55547f0002e xsa260-4.9/xsa260-1.patch
38a762f8cf8db763d70f1ef35a4c2cac23282b694527a97b2eaf100a14f767eb xsa260-4.9/xsa260-2.patch
18d9ffd273bdbd070e1b613e7f18ed21cdb874dba5f7964e14bb4a3dbc8844ec xsa260-4.9/xsa260-3.patch
c3d689d581c2ce6beaaa9d955f159a3b5da8007a24a08969b0953e89491f15a5 xsa260-4.9/xsa260-4.patch
ffac7ab75bf65f8286b37d21cb4a4401d898670a4e52af88d8202ce4fe66edef xsa260-4.10/xsa260-1.patch
fe85832a9b5b1076b3a9bdbd28a2f3be57cd019d66a725ce64698b1bd74145a8 xsa260-4.10/xsa260-2.patch
1955aed73828e23da871ef10e5ec49670ce59bdd06af2772e978f8e817e0319f xsa260-4.10/xsa260-3.patch
8f504f8fcf100f8a00bece9c4df8b8933dceeaf29b50492317f9cbf74aaf4aa4 xsa260-4.10/xsa260-4.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJa8dQdAAoJEIP+FMlX6CvZwp4H/AxlMq1xyIAiDNGEESGlJpQh
Y0dD9I1dLraUr2tTpaDZM4qUjV2cQ5MRaFeiAxDVCNraNPTLeC5TRStkIMHWc3jK
C8/XzRq0lDdebQA04Usj7648HbtAoxkAV1SOOxsqPSBRHb1jPpa2/jvuA3BzCl+o
gZo0urWinKlIJ032KWOd/9j96M0YgqqdJ+h2bfSg5uBSdXcQ6at5nYc1T4s3fi2R
AQvs8aQ/yylKVsCit+AypcyOMRELNA2jHWEelZ7L18zMGHwTa9qt1NZAL+VM2pMW
SKNphOdrCJxVZdGMJlc6ujzxUBgUC7qdfsqprBrKi/4eT+K5I9CvfV21er+7+BA=
=0+sm
-----END PGP SIGNATURE-----