Xen.org security team
2013-Feb-13 16:50 UTC
Xen Security Advisory 42 (CVE-2013-0228) - Linux kernel hits general protection if %ds is corrupt for 32-bit PVOPS.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Xen Security Advisory CVE-2013-0228 / XSA-42
version 2
Linux kernel hits general protection if %ds is corrupt for 32-bit PVOPS.
UPDATES IN VERSION 2
===================
Public release.
ISSUE DESCRIPTION
================
Linux kernel when returning from an iret assumes that %ds segment is safe
and uses it to reference various per-cpu related fields. Unfortunately
the user can modify the LDT and provide a NULL one. Whenever an iret is called
we end up in xen_iret and try to use the %ds segment and cause an
general protection fault.
IMPACT
=====
Malicious or buggy unprivileged user space can cause the guest kernel to
crash, or permit a privilege escalation within the guest, or operate
erroneously.
VULNERABLE SYSTEMS
=================
All 32bit PVOPS versions of Linux are affected, since the introduction
of Xen PVOPS support in 2.6.23. Classic-Xen kernels are not vulnerable.
MITIGATION
=========
This can be mitigated by not running 32bit PVOPS Linux guests.
32bit classic-Xen guests, all 64bit PV guests and all HVM guests are
unaffected.
RESOLUTION
=========
Applying the appropriate attached patch resolves this issue.
$ sha256sum xsa42*.patch
a931fdc161653fb1a3a6d8c1cf6d2c9954c5aec134b610be6e9699552a659eb8
xsa42-pvops-0001-x86-xen-don-t-assume-ds-is-usable-in-xen_iret-for-32.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iQEcBAEBAgAGBQJRG8PxAAoJEIP+FMlX6CvZC3gH/0v/9nr3jXbsMHZlkBRtCx9n
np1ed8btQGpmmk/WqbyLj/KcTNlXLIa1zwhTSPUgXlVIoDPuzstfGXm96gBNfYhS
hl56QYTruhHPAvvrAwE8SNIlMUH+n7Wq1BThkXFU1yBnjXxzTi4SdmUwy4gAA/SE
Xp35RAcIV6IwLRMMY12aat7XKnVx4S5n+gCC5eu0WZ+n73Ecrlqmsq+2X2ZHo3wP
nu9UN+PChmBJHfcA8OhelY/X4X4DV1HNPuFkj9ypyPrvXIrl6M0D5TfGoyRNXMHq
izAn51ro8gTGND6xY+s3auelquKiJkyl/5AXnfd0y9bSewGJS6oxoRzFdctJqxM=mgHb
-----END PGP SIGNATURE-----
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel