From: Xen.org security team
Subject: Xen Security Advisory 105 - Missing privilege level checks in x86 HLT, LGDT, LIDT, and LMSW emulation
Date: Tue, 23 Sep 2014 12:14:28 +0000
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com
Cc: "Xen.org security team"

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory XSA-105
                        version 2

Missing privilege level checks in x86 HLT, LGDT, LIDT, and LMSW emulation

UPDATES IN VERSION 2
====================

Public Release.

Convert patch line endings from DOS to Unix style.

ISSUE DESCRIPTION
=================

The emulation of the instructions HLT, LGDT, LIDT, and LMSW fails to
perform supervisor mode permission checks. However, these instructions
are not usually handled by the emulator. Exceptions to this are

 - when the instruction's memory operand (if any) lives in (emulated or
   passed through) memory mapped IO space,

 - in the case of guests running in 32-bit PAE mode, when such an
   instruction is (in execution flow) within four instructions of one
   doing a page table update,

 - when an Invalid Opcode exception gets raised by a guest instruction,
   and the guest then (likely maliciously) alters the instruction to
   become one of the affected ones.

Malicious guest user mode code may be able to leverage this to install
e.g. its own Interrupt Descriptor Table (IDT).
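The defect class above (a privileged instruction emulated without first checking the guest's current privilege level) and the shape of the fix can be modelled without the real emulator. The following C program is an added example, not Xen code and not the advisory's patch: it builds a toy emulator dispatch in two forms, one that applies the four instructions at any CPL and one that raises #GP(0) unless CPL == 0, and checks that a user-mode LIDT leaves the guest IDTR untouched under the fixed form. The names emu_ctx, emulate_unchecked, emulate_checked, run_at_cpl and user_lidt_is_rejected are constructed for this illustration; mode_ring0() mirrors the predicate the real patch uses, and the exception numbers are the x86 vector numbers.

```c
/* Added example, not Xen code: a toy model of an instruction emulator's
 * dispatch that reproduces the XSA-105 defect class and the shape of the
 * fix. emu_ctx, emulate_unchecked, emulate_checked, run_at_cpl and
 * user_lidt_is_rejected are constructed names; mode_ring0() mirrors the
 * predicate the real patch uses; EXC_UD/EXC_GP are the x86 vector numbers. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

enum exc { EXC_NONE = -1, EXC_UD = 6, EXC_GP = 13 };

/* The four instructions the advisory names, plus one unprivileged filler. */
enum insn { INSN_HLT, INSN_LGDT, INSN_LIDT, INSN_LMSW, INSN_NOP };

typedef struct {
    uint8_t  cpl;        /* current privilege level: 0 = kernel, 3 = user */
    uint64_t gdtr_base;  /* guest GDTR/IDTR base as the emulator would write them back */
    uint64_t idtr_base;
    uint32_t cr0;
    bool     halted;
} emu_ctx;

static bool mode_ring0(const emu_ctx *c) { return c->cpl == 0; }

/* Vulnerable form: the privileged operations take effect at any CPL. */
static int emulate_unchecked(emu_ctx *c, enum insn op, uint64_t operand)
{
    switch (op) {
    case INSN_HLT:  c->halted = true;       return EXC_NONE;
    case INSN_LGDT: c->gdtr_base = operand; return EXC_NONE;
    case INSN_LIDT: c->idtr_base = operand; return EXC_NONE;
    case INSN_LMSW:
        /* LMSW writes CR0 bits 0-3; PE (bit 0) can be set but never cleared. */
        c->cr0 = (c->cr0 & ~0xeu) | (operand & 0xfu);
        return EXC_NONE;
    default:        return EXC_NONE;
    }
}

/* Fixed form: every privileged instruction raises #GP(0) unless CPL == 0,
 * before any architectural state is touched. This is the role of the
 * generate_exception_if(!mode_ring0(), EXC_GP, 0) line the patch adds. */
static int emulate_checked(emu_ctx *c, enum insn op, uint64_t operand)
{
    switch (op) {
    case INSN_HLT: case INSN_LGDT: case INSN_LIDT: case INSN_LMSW:
        if (!mode_ring0(c))
            return EXC_GP;
        break;
    default:
        break;
    }
    return emulate_unchecked(c, op, operand);
}

typedef int (*emulator_fn)(emu_ctx *, enum insn, uint64_t);

/* Runs one instruction on a fresh context at the given CPL and returns
 * the exception vector raised (EXC_NONE if the instruction completed). */
static int run_at_cpl(emulator_fn emu, uint8_t cpl, enum insn op, uint64_t operand)
{
    emu_ctx c = { .cpl = cpl };
    return emu(&c, op, operand);
}

/* Regression check for the advisory's headline case: a CPL-3 LIDT must
 * raise #GP(0) and leave the guest's IDTR exactly as it was. */
static bool user_lidt_is_rejected(emulator_fn emu)
{
    emu_ctx c = { .cpl = 3, .idtr_base = 0xfffff000u };  /* constructed state */
    int exc = emu(&c, INSN_LIDT, 0x1000);
    return exc == EXC_GP && c.idtr_base == 0xfffff000u;
}

int main(void)
{
    printf("unchecked emulator rejects user LIDT: %s\n",
           user_lidt_is_rejected(emulate_unchecked) ? "yes" : "no");
    printf("checked emulator rejects user LIDT:   %s\n",
           user_lidt_is_rejected(emulate_checked) ? "yes" : "no");
    return 0;
}
```

The point of the two-form layout is the ordering: the CPL test must run before any write to GDTR, IDTR, CR0 or the halt state, so that a rejected instruction leaves no side effect behind. A per-instruction regression test like user_lidt_is_rejected is the cheapest way to make sure a future refactor of the dispatch does not reintroduce the gap.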
IMPACT
======

Malicious HVM guest user mode code may be able to crash the guest or
escalate its own privilege to guest kernel mode.

VULNERABLE SYSTEMS
==================

Xen versions from at least 3.2.x onwards are vulnerable. Older versions
have not been inspected.

Only user processes in HVM guests can take advantage of this
vulnerability.

MITIGATION
==========

Running only PV guests will avoid this issue.

There is no mitigation available for HVM guests.

CREDITS
=======

This issue was discovered by Andrei Lutas at BitDefender and analyzed by
Andrew Cooper at Citrix.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa105.patch        xen-unstable, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x

$ sha256sum xsa105*.patch
dfb5ede7cc5609a812a7b1239479cefd387f9f9c8c25e11e64199bc592ad7e39  xsa105.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJUIWPjAAoJEIP+FMlX6CvZu8UIAIQ9G7ms9bLRy75r3tYBTaW4
/Gwc3jYWy5rBsDF8gwtbMfVCVFqLXJbzb3RzTuQqCI/3D3F5s1VgMEm9rrG6DK+R
e+czy4ceT1jTbWvSO1xGOY/eRHCY88PQ0BAQqBCMjurLXc25oUFiP0WogOX5Kwpu
1ASU6nQjZYjHruohHzgY0L6GJL27Ik1/4jNG/Min52dMxzp92Kn9rRtYR2kjwNin
20mftHsuzD3YpNIoAdcgBLx8A611ISkvia2uFXZyJEDLsDVqhdNUSGH3Qo0d1ISO
eFVL3X6WDYPZuJhNPbPfT93GeMI73b+ryFovYggPEZ/to9D0hrf4KaQmnbbqch8=
=OoOJ
-----END PGP SIGNATURE-----

Attachment xsa105.patch (decoded from the base64 MIME part of the mail):

x86/emulate: check cpl for all privileged instructions

Without this, it is possible for userspace to load its own IDT or GDT.

This is XSA-105.

Reported-by: Andrei LUTAS <vlutas@bitdefender.com>
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Tested-by: Andrei LUTAS <vlutas@bitdefender.com>

--- a/xen/arch/x86/x86_emulate/x86_emulate.c
+++ b/xen/arch/x86/x86_emulate/x86_emulate.c
@@ -3314,6 +3314,7 @@ x86_emulate(
         goto swint;
 
     case 0xf4: /* hlt */
+        generate_exception_if(!mode_ring0(), EXC_GP, 0);
         ctxt->retire.flags.hlt = 1;
         break;
 
@@ -3710,6 +3711,7 @@ x86_emulate(
             break;
         case 2: /* lgdt */
         case 3: /* lidt */
+            generate_exception_if(!mode_ring0(), EXC_GP, 0);
             generate_exception_if(ea.type != OP_MEM, EXC_UD, -1);
             fail_if(ops->write_segment == NULL);
             memset(&reg, 0, sizeof(reg));
@@ -3738,6 +3740,7 @@ x86_emulate(
         case 6: /* lmsw */
             fail_if(ops->read_cr == NULL);
             fail_if(ops->write_cr == NULL);
+            generate_exception_if(!mode_ring0(), EXC_GP, 0);
             if ( (rc = ops->read_cr(0, &cr0, ctxt)) )
                 goto done;
             if ( ea.type == OP_REG )

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
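Review bot: in the hlt hunk (@@ -3314) the new `generate_exception_if(!mode_ring0(), EXC_GP, 0);` sits before `ctxt->retire.flags.hlt = 1;`, so a CPL-3 HLT faults without the retire flag ever being set, which is the right order; but nothing around the `case 0xf4: /* hlt */` label says why #GP(0) is the fault raised, so a one-line comment beside the check (or a pointer to the architectural CPL > 0 rule for HLT) would help the next reader who meets three identical lines spread across x86_emulate().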
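Review bot: in the lgdt/lidt hunk (@@ -3710) the CPL check lands ahead of the existing `generate_exception_if(ea.type != OP_MEM, EXC_UD, -1);`, so a register-form LGDT/LIDT from CPL 3 now reports #GP(0) where it previously reported #UD; if the intended precedence is #UD first, swap the two lines, and either way a short comment stating which exception wins for the register form would keep the question from coming up again.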
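Review bot: the ordering in the lmsw hunk (@@ -3738) differs from the lgdt/lidt hunk: there the CPL check precedes `fail_if(ops->write_segment == NULL);`, here it follows `fail_if(ops->read_cr == NULL);` and `fail_if(ops->write_cr == NULL);`. Both placements reject a CPL-3 caller before `ops->read_cr(0, &cr0, ctxt)` reads or writes any state, so the fix is sound, but putting the privilege check first in all three cases (before the hook-availability checks) keeps one uniform rule, privilege first and then capability, that is easier to audit.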