[kernel-xen] Xen Security Advisory 111 (CVE-2014-8866) - Excessive checking in compatibility mode hypercall argument translation

Steven Haigh netwiz at crc.id.au
Fri Nov 28 16:04:50 AEDT 2014


            Xen Security Advisory CVE-2014-8866 / XSA-111
                              version 3

   Excessive checking in compatibility mode hypercall argument translation

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

The hypercall argument translation needed for 32-bit guests running on
64-bit hypervisors performs checks on the final register state.  These
checks cover all registers potentially holding hypercall arguments,
not just the ones actually doing so for the hypercall being processed,
since the code was originally intended for use only by PV guests.

While this is not a problem for PV guests (as they can't enter 64-bit
mode and hence can't alter the high halves of any of the registers),
the subsequent reuse of the same functionality for HVM guests exposed
those checks to values (specifically, unexpected values for the high
halves of registers not holding hypercall arguments) controlled by
guest software.
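
The distinction the description draws (checking every register that could carry an argument versus only the ones this hypercall uses) is easy to see in a small model. The following C program is an added illustration written for this page; it is not Xen's code, and every name in it (`guest_regs`, `nr_args_of`, `xlat_check_all_registers`, `xlat_check_used_registers`, `xlat_outcome`, the hypercall numbers and argument counts) is a constructed assumption. The pre-fix variant checks all six potential argument registers and treats any stale high half as a fatal consistency failure; the post-fix variant consults the hypercall's argument count first. How a stale high half in a register that *is* used should be handled is simplified here to an error returned to the guest.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Toy model (not Xen code) of the compat-mode hypercall argument
 * translation check described in XSA-111.  A 32-bit guest's hypercall
 * arguments arrive in 64-bit registers, and the translation layer
 * verifies that the high 32 bits of each argument register are zero.
 */

#define MAX_HYPERCALL_ARGS 6

/* Registers that may carry hypercall arguments (model, not real names). */
struct guest_regs {
    uint64_t arg[MAX_HYPERCALL_ARGS];
};

/* Constructed table: argument count per hypercall number (hypothetical
 * numbering, not Xen's). */
static const unsigned char nr_args_of[] = {
    [0] = 1,
    [1] = 3,
    [2] = 6,
};
#define NR_MODEL_HYPERCALLS (sizeof(nr_args_of) / sizeof(nr_args_of[0]))

enum xlat_result {
    XLAT_OK,       /* state accepted, hypercall proceeds            */
    XLAT_REJECT,   /* error returned to the guest, host unaffected  */
    XLAT_FATAL,    /* models the hypervisor's fatal check: host down */
};

static bool high_half_clear(uint64_t v)
{
    return (v >> 32) == 0;
}

/* Pre-fix behaviour: every potential argument register is checked, and a
 * stale high half anywhere trips the fatal check. */
enum xlat_result xlat_check_all_registers(const struct guest_regs *regs, unsigned hc)
{
    (void)hc; /* the argument count is never consulted: that is the bug */
    for (size_t i = 0; i < MAX_HYPERCALL_ARGS; i++)
        if (!high_half_clear(regs->arg[i]))
            return XLAT_FATAL;
    return XLAT_OK;
}

/* Post-fix behaviour: only the registers that hold arguments of hypercall
 * hc are examined; the rest are don't-care for this call. */
enum xlat_result xlat_check_used_registers(const struct guest_regs *regs, unsigned hc)
{
    if (hc >= NR_MODEL_HYPERCALLS)
        return XLAT_REJECT;            /* unknown hypercall: error to guest */
    unsigned n = nr_args_of[hc];
    for (unsigned i = 0; i < n; i++)
        if (!high_half_clear(regs->arg[i]))
            return XLAT_REJECT;        /* simplified: report, do not crash */
    return XLAT_OK;
}

/*
 * Why PV guests were safe but HVM guests are not: a PV compat guest never
 * runs in 64-bit mode, so it cannot write a register's high half at all.
 * An HVM guest can set a 64-bit value in long mode and then drop to compat
 * mode, leaving that high half intact in a register this hypercall does
 * not even use.  This builds such a register state (constructed data);
 * stale_reg >= MAX_HYPERCALL_ARGS yields a fully clean state.
 */
struct guest_regs model_regs_with_stale_high_half(unsigned stale_reg)
{
    struct guest_regs r = {0};
    for (size_t i = 0; i < MAX_HYPERCALL_ARGS; i++)
        r.arg[i] = 0x1000 + i;                         /* clean 32-bit values */
    if (stale_reg < MAX_HYPERCALL_ARGS)
        r.arg[stale_reg] |= 0xdeadbeef00000000ull;     /* stale high half */
    return r;
}

/* Run one scenario through the chosen variant. */
enum xlat_result xlat_outcome(unsigned stale_reg, unsigned hc, bool fixed)
{
    struct guest_regs r = model_regs_with_stale_high_half(stale_reg);
    return fixed ? xlat_check_used_registers(&r, hc)
                 : xlat_check_all_registers(&r, hc);
}

int main(void)
{
    /* One-argument hypercall, stale bits only in the unused sixth register. */
    printf("pre-fix: %d (2 = host crash), post-fix: %d (0 = ok)\n",
           xlat_outcome(5, 0, false), xlat_outcome(5, 0, true));
    return 0;
}
```

The pair of results for the one-argument call is the whole advisory in miniature: identical guest state, a host crash before the fix and an accepted hypercall after it.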

IMPACT
======

A buggy or malicious HVM guest can crash the host.

VULNERABLE SYSTEMS
==================

Xen 3.3 and onward are vulnerable.

Only x86 systems are vulnerable.  ARM systems are not vulnerable.

MITIGATION
==========

Running only PV guests will avoid this issue.

There is no mitigation available for HVM guests on any version of Xen
so far released by xenproject.org.

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

  xen-4.2: Thu Nov 27 2014 Steven Haigh <netwiz at crc.id.au> - 4.2.5-7
- XSA-111 (CVE-2014-8866) Excessive checking in compatibility mode
hypercall argument translation
- XSA-112 (CVE-2014-8867) Insufficient bounding of "REP MOVS" to MMIO
emulated inside the hypervisor


  xen44-4.4: Thu Nov 27 2014 Steven Haigh <netwiz at crc.id.au> - 4.4.1-7
- XSA-111 (CVE-2014-8866) Excessive checking in compatibility mode
hypercall argument translation
- XSA-112 (CVE-2014-8867) Insufficient bounding of "REP MOVS" to MMIO
emulated inside the hypervisor
