[kernel-xen] Xen Security Advisory 106 - Missing privilege level checks in x86 emulation of software interrupts

Steven Haigh netwiz at crc.id.au
Wed Sep 24 05:10:12 EST 2014


                    Xen Security Advisory XSA-106
                              version 2

    Missing privilege level checks in x86 emulation of software interrupts

UPDATES IN VERSION 2
====================

Public Release.

ISSUE DESCRIPTION
=================

The emulation of instructions which generate software interrupts fails
to perform supervisor mode permission checks.

However, these instructions are not usually handled by the emulator.
Exceptions to this are:
- when a memory operand (implicit for the affected instructions) lives
  in (emulated or passed through) memory mapped IO space,
- in the case of guests running in 32-bit PAE mode, when such an
  instruction is (in execution flow) within four instructions of one
  doing a page table update,
- when an Invalid Opcode exception gets raised by a guest instruction,
  and the guest then (likely maliciously) alters the instruction to
  become one of the affected ones,
- when the guest is in real mode (in which case there are no privilege
  checks anyway).

IMPACT
======

Malicious HVM guest user mode code may be able to crash the guest.

VULNERABLE SYSTEMS
==================

Xen versions from 3.3 onwards are vulnerable.

Only user processes in HVM guests can take advantage of this
vulnerability.

MITIGATION
==========

Running only PV guests will avoid this issue.

There is no mitigation available for HVM guests.

CREDITS
=======

This issue was discovered by Andrei Lutas at BitDefender and analyzed by
Andrew Cooper at Citrix.

RESOLUTION
==========

Fixed in xen-4.2.5-2
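
The following is an added example, not part of the advisory and not Xen code. The advisory does not spell out the missing check; the sketch assumes the x86 architectural rule that a software interrupt (INT n, INT3, INTO) raises #GP when the IDT gate's DPL is lower than the caller's CPL, and is narrowed to the limit, DPL and present checks on 8-byte legacy gates. The names check_swint and build_sample_idt and the IDT contents are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum swint_result { SWINT_DELIVER, SWINT_GP, SWINT_NP };
struct swint_outcome { enum swint_result result; uint16_t error_code; };

/* Hypothetical helper (not a Xen function): outcome of emulating INT n, INT3
 * or INTO against a guest IDT made of 8-byte legacy protected-mode gates.
 * idt_limit is IDTR.limit, the offset of the last valid byte. */
struct swint_outcome check_swint(const uint8_t *idt, uint16_t idt_limit,
                                 uint8_t vector, unsigned cpl, int real_mode)
{
    struct swint_outcome out = { SWINT_DELIVER, 0 };
    uint32_t off = vector * 8u;
    /* Error code: vector index in bits 15:3, IDT bit (bit 1) set, EXT clear. */
    uint16_t ec = (uint16_t)(off | 2u);

    if (real_mode)
        return out;                      /* real mode has no privilege checks */
    if (off + 7 > idt_limit) {           /* gate lies outside the IDT */
        out.result = SWINT_GP; out.error_code = ec; return out;
    }
    uint8_t access = idt[off + 5];       /* P | DPL(2) | S | type(4) */
    if (((access >> 5) & 3u) < cpl) {    /* gate DPL below caller's CPL */
        out.result = SWINT_GP; out.error_code = ec; return out;
    }
    if (!(access & 0x80)) {              /* gate not present */
        out.result = SWINT_NP; out.error_code = ec;
    }
    return out;
}

/* Constructed sample IDT: 0x80 is a DPL 3 trap gate, 0x0d a DPL 0 interrupt
 * gate, 0x20 a DPL 3 gate marked not present. */
void build_sample_idt(uint8_t idt[256 * 8])
{
    memset(idt, 0, 256 * 8);
    idt[0x80 * 8 + 5] = 0xEF;
    idt[0x0d * 8 + 5] = 0x8E;
    idt[0x20 * 8 + 5] = 0x6E;
}

int main(void)
{
    uint8_t idt[256 * 8];
    build_sample_idt(idt);
    struct swint_outcome o = check_swint(idt, sizeof(idt) - 1, 0x0d, 3, 0);
    printf("int $0x0d at CPL 3: result=%d error_code=0x%x\n", o.result, o.error_code);
    return 0;
}
```

An emulator that delivers the vector without the DPL comparison lets guest user mode enter a handler the guest kernel reserved for hardware exceptions or ring 0 callers.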
