From: Xen.org security team
Subject: Xen Security Advisory 106 - Missing privilege level checks in x86 emulation of software interrupts
Date: Tue, 23 Sep 2014 12:14:32 +0000
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com
Cc: "Xen.org security team"

            Xen Security Advisory XSA-106
                              version 2

  Missing privilege level checks in x86 emulation of software interrupts

UPDATES IN VERSION 2
====================

Public Release.

ISSUE DESCRIPTION
=================

The emulation of instructions which generate software interrupts fails
to perform supervisor mode permission checks. However these instructions
are not usually handled by the emulator. Exceptions to this are
- when a memory operand (implicit for the affected instructions) lives
  in (emulated or passed through) memory mapped IO space,
- in the case of guests running in 32-bit PAE mode, when such an
  instruction is (in execution flow) within four instructions of one
  doing a page table update,
- when an Invalid Opcode exception gets raised by a guest instruction,
  and the guest then (likely maliciously) alters the instruction to
  become one of the affected ones,
- when the guest is in real mode (in which case there are no privilege
  checks anyway).

IMPACT
======

Malicious HVM guest user mode code may be able to crash the guest.

VULNERABLE SYSTEMS
==================

Xen versions from 3.3 onwards are vulnerable.
Only user processes in HVM guests can take advantage of this
vulnerability.

MITIGATION
==========

Running only PV guests will avoid this issue.

There is no mitigation available for HVM guests.

CREDITS
=======

This issue was discovered by Andrei Lutas at BitDefender and analyzed
by Andrew Cooper at Citrix.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa106.patch         xen-unstable, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x

$ sha256sum xsa106*.patch
301060f801ab39c15ac773e1bcc250f0e6bf30d748007a96173459b83afc9270  xsa106.patch
$

ATTACHMENT: xsa106.patch
========================

x86emul: only emulate software interrupt injection for real mode

Protected mode emulation currently lacks proper privilege checking of
the referenced IDT entry, and there's currently no legitimate way for
any of the respective instructions to reach the emulator when the guest
is in protected mode.

This is XSA-106.

Reported-by: Andrei LUTAS <vlutas@bitdefender.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

--- a/xen/arch/x86/x86_emulate/x86_emulate.c
+++ b/xen/arch/x86/x86_emulate/x86_emulate.c
@@ -2634,6 +2634,7 @@ x86_emulate(
     case 0xcd: /* int imm8 */
         src.val = insn_fetch_type(uint8_t);
     swint:
+        fail_if(!in_realmode(ctxt, ops)); /* XSA-106 */
         fail_if(ops->inject_sw_interrupt == NULL);
         rc = ops->inject_sw_interrupt(src.val, _regs.eip - ctxt->regs->eip,
                                       ctxt) ? : X86EMUL_EXCEPTION;
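Review bot: the new `fail_if(!in_realmode(ctxt, ops))` sits at the `swint:` label, so it governs every opcode that jumps to that label and not only the `case 0xcd` visible in the context; the commit message should say so, and the `/* XSA-106 */` comment would serve a later reader better if it also recorded why protected-mode injection is refused wholesale (the IDT privilege check the commit message says is missing), so that whoever eventually implements that check knows this line is the stopgap to replace.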
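The issue description above turns on a check the emulator did not make: in protected mode the CPU compares the current privilege level against the DPL of the IDT gate before delivering INT n, INT3 or INTO, and the attached patch sidesteps the problem by refusing to emulate software interrupts outside real mode at all. The following C model is an added illustration, not Xen code; every struct and function name in it is hypothetical and the sample IDT is constructed. It shows both behaviours side by side: the architectural gate checks in the order the SDM applies them, and the real-mode-only policy the patch adopts.

```c
/* Added illustration of the XSA-106 privilege check; not Xen code.
 * Models (a) the architectural checks for INT n / INT3 / INTO in
 * protected mode and (b) the patch's policy of emulating software
 * interrupts only in real mode. All names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum cpu_mode { MODE_REAL, MODE_PROTECTED };

/* The fields of a protected-mode IDT gate descriptor that the delivery
 * checks look at (a real descriptor is 8 bytes; this is a model). */
struct idt_gate {
    bool present;   /* P bit */
    unsigned dpl;   /* descriptor privilege level, 0..3 */
    unsigned type;  /* 0x5 task gate, 0x6/0x7 16-bit gates, 0xE/0xF 32-bit gates */
};

enum swint_result {
    SWINT_DELIVER,       /* vector may be delivered through the gate */
    SWINT_GP,            /* #GP(vector*8+2): beyond IDT limit, bad gate type, or CPL > DPL */
    SWINT_NP,            /* #NP(vector*8+2): gate not present */
    SWINT_UNHANDLEABLE,  /* emulator declines the instruction (the XSA-106 stopgap) */
};

/* Error code for an IDT-related fault: vector << 3 with the IDT bit (bit 1)
 * set; the EXT bit (bit 0) stays clear because the source is software. */
static uint32_t idt_error_code(unsigned vector)
{
    return (vector << 3) | 2u;
}

static bool is_gate_type(unsigned type)
{
    return type == 0x5 || type == 0x6 || type == 0x7 || type == 0xE || type == 0xF;
}

/* Architectural checks for a software interrupt in protected mode, in the
 * order the SDM pseudocode applies them. The CPL > DPL comparison is the
 * supervisor-mode permission check the advisory says the emulator lacked. */
static enum swint_result check_swint_gate(const struct idt_gate *idt, size_t entries,
                                          unsigned vector, unsigned cpl, uint32_t *ec)
{
    enum swint_result r = SWINT_DELIVER;
    const struct idt_gate *g = vector < entries ? &idt[vector] : NULL;

    if (g == NULL)
        r = SWINT_GP;                 /* vector beyond the IDT limit */
    else if (!is_gate_type(g->type))
        r = SWINT_GP;                 /* not an interrupt, trap or task gate */
    else if (cpl > g->dpl)
        r = SWINT_GP;                 /* user code naming a kernel-only gate */
    else if (!g->present)
        r = SWINT_NP;

    if (ec)
        *ec = r == SWINT_DELIVER ? 0 : idt_error_code(vector);
    return r;
}

/* What the XSA-106 patch does instead of implementing the checks above:
 * inject only while the guest is in real mode, where the IDT holds plain
 * far pointers and no privilege check exists. */
static enum swint_result emulate_swint(enum cpu_mode mode)
{
    return mode == MODE_REAL ? SWINT_DELIVER : SWINT_UNHANDLEABLE;
}

/* Constructed sample IDT: every vector is a kernel-only interrupt gate
 * except 0x80 (user-callable trap gate), 0x21 (not present) and 0x22
 * (a non-gate descriptor type). */
#define SAMPLE_IDT_ENTRIES 0x81
static struct idt_gate sample_idt[SAMPLE_IDT_ENTRIES];

static void build_sample_idt(void)
{
    for (size_t i = 0; i < SAMPLE_IDT_ENTRIES; i++)
        sample_idt[i] = (struct idt_gate){ .present = true, .dpl = 0, .type = 0xE };
    sample_idt[0x80] = (struct idt_gate){ .present = true, .dpl = 3, .type = 0xF };
    sample_idt[0x21] = (struct idt_gate){ .present = false, .dpl = 3, .type = 0xE };
    sample_idt[0x22] = (struct idt_gate){ .present = true, .dpl = 3, .type = 0x2 };
}

static enum swint_result check_sample(unsigned vector, unsigned cpl, uint32_t *ec)
{
    build_sample_idt();
    return check_swint_gate(sample_idt, SAMPLE_IDT_ENTRIES, vector, cpl, ec);
}

int main(void)
{
    static const char *const names[] = { "deliver", "#GP", "#NP", "unhandleable" };
    uint32_t ec;
    enum swint_result r;

    r = check_sample(0x80, 3, &ec); printf("int 0x80 at CPL3: %s (ec=0x%x)\n", names[r], ec);
    r = check_sample(0x20, 3, &ec); printf("int 0x20 at CPL3: %s (ec=0x%x)\n", names[r], ec);
    r = check_sample(0x20, 0, &ec); printf("int 0x20 at CPL0: %s (ec=0x%x)\n", names[r], ec);
    r = check_sample(0x21, 3, &ec); printf("int 0x21 at CPL3: %s (ec=0x%x)\n", names[r], ec);
    r = emulate_swint(MODE_PROTECTED); printf("emulator, protected mode: %s\n", names[r]);
    r = emulate_swint(MODE_REAL);      printf("emulator, real mode: %s\n", names[r]);
    return 0;
}
```

Run as is, it prints one line per case. The `check_sample(0x20, 3, ...)` case is the situation the advisory describes, user-mode guest code naming a kernel-only vector, which a correct emulator must turn into #GP(0x102) rather than deliver; the patch avoids having to get that right by declining the instruction whenever the guest is outside real mode.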