[kernel-xen] Xen Security Advisory 110 (CVE-2014-8595) - Missing privilege level checks in x86 emulation of far branches
Steven Haigh
netwiz at crc.id.au
Wed Nov 19 07:38:03 AEDT 2014
Xen Security Advisory CVE-2014-8595 / XSA-110
version 3
Missing privilege level checks in x86 emulation of far branches
UPDATES IN VERSION 3
====================
Public release.
ISSUE DESCRIPTION
=================
The emulation of far branch instructions (CALL, JMP, and RETF in Intel
assembly syntax, LCALL, LJMP, and LRET in AT&T assembly syntax)
incompletely performs privilege checks.
However, these instructions are not usually handled by the emulator.
Exceptions to this are
- when a memory operand lives in (emulated or passed through) memory mapped IO space,
- in the case of guests running in 32-bit PAE mode, when such an instruction is (in execution flow) within four instructions of one doing a page table update,
- when an Invalid Opcode exception gets raised by a guest instruction, and the guest then (likely maliciously) alters the instruction to become one of the affected ones,
- when the guest is in real mode (in which case there are no privilege checks anyway).
IMPACT
======
Malicious HVM guest user mode code may be able to elevate its
privileges to guest supervisor mode, or to crash the guest.
VULNERABLE SYSTEMS
==================
Xen 3.2.1 and onward are vulnerable on x86 systems.
ARM systems are not vulnerable.
Only user processes in x86 HVM guests can take advantage of this
vulnerability.
MITIGATION
==========
Running only PV guests will avoid this issue.
There is no mitigation available for HVM guests.
CREDITS
=======
This issue was discovered by Jan Beulich of SUSE.
RESOLUTION
==========
xen-4.2: Tue Nov 18 2014 Steven Haigh <netwiz at crc.id.au> - 4.2.5-5
- XSA-109 (CVE-2014-8594) Insufficient restrictions on certain MMU update hypercalls
- XSA-110 (CVE-2014-8595) Missing privilege level checks in x86 emulation of far branches
xen44-4.4: Tue Nov 18 2014 Steven Haigh <netwiz at crc.id.au> - 4.4.1-5
- XSA-109 (CVE-2014-8594) Insufficient restrictions on certain MMU update hypercalls
- XSA-110 (CVE-2014-8595) Missing privilege level checks in x86 emulation of far branches
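As an added illustration of the checks the ISSUE DESCRIPTION refers to (example code written for this page, not Xen's emulator code): the architectural privilege rules a far JMP/CALL or far RET that targets a code segment must satisfy, modelled on a constructed descriptor struct, with call gates and task switches assumed out of scope.

```c
#include <stdbool.h>
#include <stdint.h>

/* Simplified protected-mode code segment descriptor (constructed model,
 * not Xen's struct): only the fields the privilege checks consult. */
struct code_seg {
    bool present;     /* P bit */
    bool is_code;     /* S=1 and type bit 3 set (code, not data/system) */
    bool conforming;  /* type bit 2 (C) */
    unsigned dpl;     /* descriptor privilege level, 0..3 */
};

static unsigned selector_rpl(uint16_t sel) { return sel & 3u; }

/* Far JMP / far CALL whose target selector names a code segment directly
 * (call gates and task switches are out of scope). Returns true if the
 * branch may proceed; false means the CPU would raise #GP/#NP. */
bool far_branch_allowed(unsigned cpl, uint16_t sel,
                        const struct code_seg *d, bool real_mode)
{
    if (real_mode)
        return true;                       /* real mode: no privilege checks */
    if ((sel & ~3u) == 0)
        return false;                      /* null selector -> #GP(0) */
    if (!d->present || !d->is_code)
        return false;                      /* #NP / #GP(selector) */
    if (d->conforming)
        return d->dpl <= cpl;              /* conforming: DPL <= CPL, RPL ignored */
    /* Nonconforming: RPL <= CPL and DPL == CPL. This is the check that
     * keeps ring-3 code from landing in a ring-0 segment. */
    return selector_rpl(sel) <= cpl && d->dpl == cpl;
}

/* Far RET: CS is reloaded from the stack and may only lead to the same
 * or a less privileged level (RPL >= CPL). */
bool far_return_allowed(unsigned cpl, uint16_t sel,
                        const struct code_seg *d, bool real_mode)
{
    if (real_mode)
        return true;
    if ((sel & ~3u) == 0)
        return false;                      /* null selector -> #GP(0) */
    unsigned rpl = selector_rpl(sel);
    if (rpl < cpl)
        return false;                      /* return to more privileged: #GP */
    if (!d->present || !d->is_code)
        return false;
    return d->conforming ? d->dpl <= rpl : d->dpl == rpl;
}
```

An emulator that skips these checks lets a guest at CPL 3 execute a far branch into a DPL 0 code segment, which is the guest-kernel privilege escalation the IMPACT section describes.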