[kernel-xen] Xen Security Advisory 112 (CVE-2014-8867) - Insufficient bounding of "REP MOVS" to MMIO emulated inside the hypervisor

Steven Haigh netwiz at crc.id.au
Fri Nov 28 16:05:44 AEDT 2014


            Xen Security Advisory CVE-2014-8867 / XSA-112
                              version 5

  Insufficient bounding of "REP MOVS" to MMIO emulated inside the hypervisor

UPDATES IN VERSION 5
====================

Public release.

ISSUE DESCRIPTION
=================

Acceleration support for the "REP MOVS" instruction, when the first
iteration accesses memory mapped I/O emulated internally in the
hypervisor, incorrectly assumes that the whole range accessed is
handled by the same hypervisor sub-component.

IMPACT
======

A buggy or malicious HVM guest can crash the host.

VULNERABLE SYSTEMS
==================

Xen versions from at least 3.2.x onwards are vulnerable on x86 systems.
Older versions have not been inspected.  ARM systems are not vulnerable.

MITIGATION
==========

Running only PV guests will avoid this issue.

There is no mitigation available for HVM guests.

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

  xen-4.2: Thu Nov 27 2014 Steven Haigh <netwiz at crc.id.au> - 4.2.5-7
- XSA-111 (CVE-2014-8866) Excessive checking in compatibility mode
hypercall argument translation
- XSA-112 (CVE-2014-8867) Insufficient bounding of "REP MOVS" to MMIO
emulated inside the hypervisor


  xen44-4.4: Thu Nov 27 2014 Steven Haigh <netwiz at crc.id.au> - 4.4.1-7
- XSA-111 (CVE-2014-8866) Excessive checking in compatibility mode
hypercall argument translation
- XSA-112 (CVE-2014-8867) Insufficient bounding of "REP MOVS" to MMIO
emulated inside the hypervisor
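
Added example, not part of the advisory or of Xen's source: a simplified C model of the bounding problem described under ISSUE DESCRIPTION, with the flawed dispatch beside a bounded one. The region table, addresses and function names are hypothetical, and the operand size is assumed to be non-zero.

```c
#include <stdint.h>
#include <stddef.h>

/* Hypothetical model, not Xen code: one range per emulating sub-component. */
struct region { uint64_t base, len; };
static const struct region regions[] = {   /* constructed sample layout */
    { 0xFEE00000u, 0x1000 },
    { 0xFEE01000u, 0x1000 },               /* adjacent, different handler */
};

/* Index of the region containing addr, or -1 if no handler claims it. */
static int find_region(uint64_t addr)
{
    for (size_t i = 0; i < sizeof(regions) / sizeof(regions[0]); i++)
        if (addr >= regions[i].base && addr - regions[i].base < regions[i].len)
            return (int)i;
    return -1;
}

/* Flawed pattern: the first iteration's address alone picks the handler,
 * which is then given every iteration. Returns iterations handed over. */
static uint64_t reps_unbounded(uint64_t addr, uint64_t count)
{
    return find_region(addr) < 0 ? 0 : count;
}

/* Bounded pattern: also look up the last iteration's address; if another
 * region (or none) owns it, handle one iteration and re-dispatch the rest.
 * size = operand size in bytes (assumed non-zero), df = direction flag. */
static uint64_t reps_bounded(uint64_t addr, uint32_t size, uint64_t count, int df)
{
    int first = find_region(addr);
    if (first < 0 || count == 0)
        return 0;
    if (count > 1) {
        if (count - 1 > regions[first].len / size)
            return 1;                      /* cannot fit; also avoids overflow */
        uint64_t span = (count - 1) * size;
        uint64_t last = df ? addr - span : addr + span;
        if (find_region(last) != first)
            return 1;
    }
    return count;
}

int main(void)
{
    /* 4 dword iterations starting 8 bytes before the region boundary */
    return (reps_unbounded(0xFEE00FF8u, 4) == 4 &&
            reps_bounded(0xFEE00FF8u, 4, 4, 0) == 1) ? 0 : 1;
}
```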
