Xen.org security team
2014-Sep-24 10:30 UTC
Xen Security Advisory 106 (CVE-2014-7156) - Missing privilege level checks in x86 emulation of software interrupts
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2014-7156 / XSA-106 version 3 Missing privilege level checks in x86 emulation of software interrupts UPDATES IN VERSION 3 =================== This issue has been assigned CVE-2014-7156. ISSUE DESCRIPTION ================ The emulation of instructions which generate software interrupts fails to perform supervisor mode permission checks. However these instructions are not usually handled by the emulator. Exceptions to this are - - when a memory operand (implicit for the affected instructions) lives in (emulated or passed through) memory mapped IO space, - - in the case of guests running in 32-bit PAE mode, when such an instruction is (in execution flow) within four instructions of one doing a page table update, - - when an Invalid Opcode exception gets raised by a guest instruction, and the guest then (likely maliciously) alters the instruction to become one of the affected ones, - - when the guest is in real mode (in which case there are no privilege checks anyway). IMPACT ===== Malicious HVM guest user mode code may be able to crash the guest. VULNERABLE SYSTEMS ================= Xen versions from 3.3 onwards are vulnerable. Only user processes in HVM guests can take advantage of this vulnerability. MITIGATION ========= Running only PV guests will avoid this issue. There is no mitigation available for HVM guests. CREDITS ====== This issue was discovered Andrei Lutas at BitDefender and analyzed by Andrew Cooper at Citrix. RESOLUTION ========= Applying the attached patch resolves this issue. xsa106.patch xen-unstable, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x $ sha256sum xsa106*.patch 301060f801ab39c15ac773e1bcc250f0e6bf30d748007a96173459b83afc9270 xsa106.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJUIpznAAoJEIP+FMlX6CvZNzsH/2EiupxpKxmHXoWxZAqlDz5E +cdmv5axHGO74bU8xGe/WFcfOCjx8LaPifWd/g6AMlSa7BHe1i1sPmOifr6jhRlz xfJonBcXl6/Z7LpfaYdu2M+6mDXoO2Ov5yKEYDNPyzwfmRH+bLBBGrGTzJvyaEj2 PS2JgtIzIVRFHdmYh7zJeS9isKt9+/lKplAIluKUUUhnX1pMUaTV9Ax67MUs7BdJ SHh37YoMIZAxAkRl80nT7gBdohLUmQJZm3CVFFjk71hSFlvdRJNZuVJnxMyXXBA3 awQlxUAhUQmP8ls1JTK0EMVe9EAPvyqgPlk/2Ch8UBtpg0MeGzBs9UJwjYeP47Y=c9bK -----END PGP SIGNATURE----- _______________________________________________ Xen-users mailing list Xen-users@lists.xen.org http://lists.xen.org/xen-users