[kernel-xen] Xen Security Advisory 66 (CVE-2013-4361) - Information leak through fbld instruction emulation

Steven Haigh netwiz at crc.id.au
Mon Sep 30 22:13:10 EST 2013


              Xen Security Advisory CVE-2013-4361 / XSA-66
                              version 3

           Information leak through fbld instruction emulation

UPDATES IN VERSION 3
====================

Public Release.

ISSUE DESCRIPTION
=================

The emulation of the fbld instruction (which is used during I/O
emulation) uses the wrong variable for the source effective address.
As a result, the actual address used is an uninitialised bit pattern
from the stack.

A malicious guest might be able to find out information about the
contents of the hypervisor stack, by observing which values are
actually being used by fbld and inferring what the address must have
been.  Depending on the actual values on the stack this attack might
be very difficult to carry out.
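To make the bug class concrete, the following is an added example written for this page, not Xen's code and not the XSA-66 patch. It is a constructed, deliberately defensive emulation of the x87 fbld instruction (load an 80-bit packed BCD operand into ST(0)). The names (`guest_mem`, `operand`, `emulate_fbld`) and the flat toy guest address space are assumptions. The point it illustrates is the one the description above turns on: the source effective address must come only from the decoded operand, and every address must be bounds-checked before the emulator reads through it, so that a garbage or unset address fails closed instead of reading hypervisor-side memory.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Constructed example (not Xen's code): a defensive FBLD emulator. */

#define FBLD_OPERAND_LEN 10   /* 18 BCD digits in 9 bytes + 1 sign byte */

/* Toy guest address space: a flat byte array of known length (assumption). */
struct guest_mem {
    const uint8_t *base;
    size_t len;
};

/* Decoded memory operand. The ea_valid flag makes "the decoder filled
 * this in" explicit instead of relying on whatever is on the stack. */
struct operand {
    uint64_t ea;        /* source effective address from the decoder */
    bool     ea_valid;
};

enum fbld_status { FBLD_OK = 0, FBLD_BAD_EA, FBLD_BAD_BCD, FBLD_UNINIT };

/* Bounded read from guest memory. Rejects any range that is not wholly
 * inside the mapped region, including 64-bit wrap-around of ea + n. */
static bool guest_read(const struct guest_mem *gm, uint64_t ea,
                       void *dst, size_t n)
{
    if (ea > gm->len || n > gm->len - ea)
        return false;
    memcpy(dst, gm->base + ea, n);
    return true;
}

/* Decode the 10-byte packed BCD operand. Byte 0 holds the two least
 * significant digits (low nibble = units), byte 9 bit 7 is the sign.
 * Real hardware leaves non-BCD nibbles undefined; an emulator should
 * reject them rather than compute something unpredictable. */
static enum fbld_status decode_packed_bcd(const uint8_t buf[FBLD_OPERAND_LEN],
                                          int64_t *out)
{
    int64_t mag = 0;   /* 18 decimal digits always fit in int64_t */
    for (int i = 8; i >= 0; i--) {
        unsigned hi = buf[i] >> 4, lo = buf[i] & 0x0f;
        if (hi > 9 || lo > 9)
            return FBLD_BAD_BCD;
        mag = mag * 100 + (int64_t)hi * 10 + lo;
    }
    *out = (buf[9] & 0x80) ? -mag : mag;
    return FBLD_OK;
}

/* Emulate FBLD: the only address ever dereferenced is src->ea, and only
 * after it has been marked valid by the decoder and bounds-checked. */
enum fbld_status emulate_fbld(const struct guest_mem *gm,
                              const struct operand *src, int64_t *st0)
{
    uint8_t buf[FBLD_OPERAND_LEN];

    if (!src->ea_valid)
        return FBLD_UNINIT;                 /* decoder never set an ea */
    if (!guest_read(gm, src->ea, buf, sizeof buf))
        return FBLD_BAD_EA;                 /* outside guest memory */
    return decode_packed_bcd(buf, st0);
}

int main(void)
{
    /* Constructed guest memory: packed BCD 12345 at offset 16. */
    uint8_t mem[32] = {0};
    mem[16] = 0x45; mem[17] = 0x23; mem[18] = 0x01;
    struct guest_mem gm = { mem, sizeof mem };
    struct operand op = { 16, true };
    int64_t st0 = 0;

    enum fbld_status rc = emulate_fbld(&gm, &op, &st0);
    printf("status=%d st0=%lld\n", (int)rc, (long long)st0);
    return rc == FBLD_OK ? 0 : 1;
}
```

The contrast with the advisory is the `ea_valid` check and the bounded `guest_read`: with those two in place, an address that the decoder never wrote cannot be used, and an address that happens to point outside the guest's memory returns an error rather than a value the guest could observe.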

IMPACT
======

A malicious guest might conceivably gain access to sensitive data
relating to other guests.

VULNERABLE SYSTEMS
==================

Xen 3.3.x and later are vulnerable.

Only HVM guests can take advantage of this vulnerability.

MITIGATION
==========

Running only PV guests will avoid this issue.

There is no mitigation available for HVM guests.  We believe this
vulnerability would require significant research to exploit.

CREDITS
=======

Jan Beulich discovered this issue.

RESOLUTION
==========

Fixed in xen-4.2.3-2.el6
