From: Xen.org security team
Subject: Xen Security Advisory 108 (CVE-2014-7188) - Improper MSR range used for x2APIC emulation
Date: Wed, 01 Oct 2014 12:02:57 +0000
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com
Cc: "Xen.org security team"

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2014-7188 / XSA-108
                              version 4

          Improper MSR range used for x2APIC emulation

UPDATES IN VERSION 4
====================

Public release.

ISSUE DESCRIPTION
=================

The MSR range specified for APIC use in the x2APIC access model spans
256 MSRs.  Hypervisor code emulating read and write accesses to these
MSRs erroneously covered 1024 MSRs.  While the write emulation path is
written such that accesses to the extra MSRs would not have any bad
effect (they end up being no-ops), the read path would (attempt to)
access memory beyond the single page set up for APIC emulation.

IMPACT
======

A buggy or malicious HVM guest can crash the host or read data
relating to other guests or the hypervisor itself.

VULNERABLE SYSTEMS
==================

Xen 4.1 and onward are vulnerable.

Only x86 systems are vulnerable.  ARM systems are not vulnerable.

MITIGATION
==========

Running only PV guests will avoid this vulnerability.

CREDITS
=======

This issue was discovered by Jan Beulich at SUSE.

RESOLUTION
==========

Applying the attached patch resolves this issue.
xsa108.patch        xen-unstable, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x

$ sha256sum xsa108*.patch
cf7ecf4b4680c09e8b1f03980d8350a0e1e7eb03060031788f972e0d4d47203e  xsa108.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJUK+1fAAoJEIP+FMlX6CvZ6cwH+wdcnTCTdyAMc8bmQv+IxrMN
ue5rBYdX0b7CnnC2uCrwPssygna2cxTcVhJsU0eZk5OVrIU5rQ3PKtmFtxMwa3WS
my/vtyftTmoxAzftUKgpDFeicmZXlot3aowfRIiIc+GFZ59zAjDL2yQ0xMR1mJio
7SXl+dkcUPj5nXaeK1gFozJ8XNF+wArNQUPv0xUBIg4NSjQyqa7CMCZ5Q3IuJ53S
hKY37/MSoOViDORDPkeVr3BoSb7atYZSPwibqEUjeL5f+eXyVkbD0MkLQgu1ERtZ
p+dc+DTaRYm77LrDM+npZ+j1uSoVqdVzXtNYe6GZmbNRVXjbhJ+gJyJBcpy/a5Q=
=m0tK
-----END PGP SIGNATURE-----

Attachment xsa108.patch (base64-decoded):

x86/HVM: properly bound x2APIC MSR range

While the write path change appears to be purely cosmetic (but still
gets done here for consistency), the read side mistake permitted
accesses beyond the virtual APIC page.

Note that while this isn't fully in line with the specification
(digesting MSRs 0x800-0xBFF for the x2APIC), this is the minimal
possible fix addressing the security issue and getting x2APIC related
code into a consistent shape (elsewhere a 256 rather than 1024 wide
window is being used too). This will be dealt with subsequently.

This is XSA-108.

Signed-off-by: Jan Beulich <jbeulich@suse.com>

--- a/xen/arch/x86/hvm/hvm.c
+++ b/xen/arch/x86/hvm/hvm.c
@@ -4380,7 +4380,7 @@ int hvm_msr_read_intercept(unsigned int 
         *msr_content = vcpu_vlapic(v)->hw.apic_base_msr;
         break;
 
-    case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0x3ff:
+    case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0xff:
         if ( hvm_x2apic_msr_read(v, msr, msr_content) )
             goto gp_fault;
         break;
@@ -4506,7 +4506,7 @@ int hvm_msr_write_intercept(unsigned int
         vlapic_tdt_msr_set(vcpu_vlapic(v), msr_content);
         break;
 
-    case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0x3ff:
+    case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0xff:
         if ( hvm_x2apic_msr_write(v, msr, msr_content) )
             goto gp_fault;
         break;
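Review bot: in the hvm_msr_read_intercept hunk the new upper bound is the bare literal `MSR_IA32_APICBASE_MSR + 0xff`, the same literal the write-path hunk repeats, and nothing in the hunk shows hvm_x2apic_msr_read() checking the index it derives from `msr` against the size of the virtual APIC page. Since this is the path that actually overran the page, consider expressing the 256-register window as one named constant shared by both intercepts, and adding a bounds check inside hvm_x2apic_msr_read() itself so the page size is enforced where the memory access happens rather than only in the caller's case range. It is also worth stating in the commit message what MSRs base+0x100 through base+0x3ff now hit after falling out of this case, since the hunk does not show the subsequent handling and the commit message itself notes the specification reserves 0x800-0xBFF.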
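Review bot: in the hvm_msr_write_intercept hunk the commit message calls this change cosmetic because hvm_x2apic_msr_write() already treated the extra MSRs as no-ops, yet the change still hard-codes `+ 0xff` a second time. If the read and write ranges are meant to stay in lock-step, a shared constant or a small is-x2apic-MSR predicate used by both intercepts would prevent the two from drifting apart again and would keep this path consistent with the 256-wide window the commit message says is already used elsewhere. The commit message also defers the spec-conformance question (0x800-0xBFF) to a follow-up; a reference to that follow-up belongs here so reviewers can track it.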
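A small model of the bound the advisory's ISSUE DESCRIPTION talks about and the patch installs, written as an added example: this is constructed code, not Xen's hvm.c, and none of its names come from the Xen tree. It assumes the x2APIC MSR-to-register mapping from the Intel SDM (MSR 0x800 + n selects the APIC register at byte offset n * 16), which the advisory does not spell out; under that mapping 256 MSRs span exactly one 4 KiB page, so a 1024-MSR window reaches three pages beyond it. The page contents are constructed, and the "buggy" and "fixed" predicates mirror the `+ 0x3ff` and `+ 0xff` case ranges in the patch.

```c
/*
 * Added example, not Xen code: a model of the XSA-108 bounds problem.
 *
 * Assumption (Intel SDM, not stated in the advisory): in the x2APIC access
 * model MSR 0x800 + n maps to the APIC register at MMIO offset n * 16.
 * 256 MSRs x 16 bytes = 4096 bytes = one page, so a 1024-MSR window can
 * index up to three pages past the single virtual APIC page.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define X2APIC_MSR_BASE  0x800u   /* MSR_IA32_APICBASE_MSR in the patch   */
#define X2APIC_MSR_COUNT 0x100u   /* 256 MSRs: the window after the fix    */
#define BUGGY_MSR_COUNT  0x400u   /* 1024 MSRs: the window before the fix  */
#define APIC_PAGE_SIZE   4096u
#define APIC_REG_STRIDE  16u

/* Constructed stand-in for the single page backing the virtual APIC. */
struct vapic_page {
    uint8_t bytes[APIC_PAGE_SIZE];
};

/* Byte offset into the APIC page that an x2APIC MSR selects. */
static size_t x2apic_msr_to_offset(uint32_t msr)
{
    return (size_t)(msr - X2APIC_MSR_BASE) * APIC_REG_STRIDE;
}

/* Dispatch predicate equivalent to the pre-fix "... + 0x3ff" case range. */
static bool x2apic_msr_in_range_buggy(uint32_t msr)
{
    return msr >= X2APIC_MSR_BASE && msr < X2APIC_MSR_BASE + BUGGY_MSR_COUNT;
}

/* Dispatch predicate equivalent to the fixed "... + 0xff" case range. */
static bool x2apic_msr_in_range_fixed(uint32_t msr)
{
    return msr >= X2APIC_MSR_BASE && msr < X2APIC_MSR_BASE + X2APIC_MSR_COUNT;
}

/* True when a 32-bit register read at this MSR's offset stays in the page. */
static bool offset_within_apic_page(uint32_t msr)
{
    return x2apic_msr_to_offset(msr) + sizeof(uint32_t) <= APIC_PAGE_SIZE;
}

/*
 * Emulated MSR read.  Returns 0 on success, -1 when the dispatch predicate
 * rejects the MSR (the hypervisor would inject #GP), and -2 when the
 * predicate accepted an MSR whose offset lies outside the page.  The -2
 * check is the second line of defence the pre-fix code lacked: with the
 * buggy predicate this is where the out-of-page access gets caught.
 */
static int emulate_x2apic_read(const struct vapic_page *p, uint32_t msr,
                               bool (*in_range)(uint32_t), uint64_t *out)
{
    if (!in_range(msr))
        return -1;
    size_t off = x2apic_msr_to_offset(msr);
    if (off + sizeof(uint32_t) > sizeof(p->bytes))
        return -2;
    uint32_t v;
    memcpy(&v, p->bytes + off, sizeof v);
    *out = v;
    return 0;
}

/* MSRs in the 1024-wide window a predicate accepts although their offset
 * lies outside the page.  Zero means the predicate is sound. */
static unsigned count_out_of_page_accepts(bool (*in_range)(uint32_t))
{
    unsigned n = 0;
    for (uint32_t msr = X2APIC_MSR_BASE; msr < X2APIC_MSR_BASE + BUGGY_MSR_COUNT; msr++)
        if (in_range(msr) && !offset_within_apic_page(msr))
            n++;
    return n;
}

/* Constructed page contents: only the APIC ID register (offset 0x20) is set. */
static void init_sample_page(struct vapic_page *p)
{
    uint32_t apic_id = 0x0000000Du;
    memset(p, 0, sizeof *p);
    memcpy(p->bytes + 0x20, &apic_id, sizeof apic_id);
}

int main(void)
{
    struct vapic_page page;
    uint64_t v = 0;
    init_sample_page(&page);
    printf("MSR 0x802 (APIC ID): rc=%d value=0x%llx\n",
           emulate_x2apic_read(&page, 0x802, x2apic_msr_in_range_fixed, &v),
           (unsigned long long)v);
    printf("MSR 0x900, fixed range: rc=%d\n",
           emulate_x2apic_read(&page, 0x900, x2apic_msr_in_range_fixed, &v));
    printf("MSR 0x900, buggy range: rc=%d\n",
           emulate_x2apic_read(&page, 0x900, x2apic_msr_in_range_buggy, &v));
    printf("out-of-page MSRs accepted: buggy=%u fixed=%u\n",
           count_out_of_page_accepts(x2apic_msr_in_range_buggy),
           count_out_of_page_accepts(x2apic_msr_in_range_fixed));
    return 0;
}
```

The point of `count_out_of_page_accepts` is the check a reviewer would want for either case range: with the 1024-wide predicate it reports 768 MSRs (0x900 through 0xBFF) whose offsets land past the page, with the 256-wide predicate it reports none. Keeping the size check inside the access routine as well as in the dispatch means a future change to the case range cannot silently reintroduce the overread.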