Xen.org security team
2014-Oct-01 12:02 UTC
Xen Security Advisory 108 (CVE-2014-7188) - Improper MSR range used for x2APIC emulation
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Xen Security Advisory CVE-2014-7188 / XSA-108
version 4
Improper MSR range used for x2APIC emulation
UPDATES IN VERSION 4
===================
Public release.
ISSUE DESCRIPTION
================
The MSR range specified for APIC use in the x2APIC access model spans
256 MSRs. Hypervisor code emulating read and write accesses to these
MSRs erroneously covered 1024 MSRs. While the write emulation path is
written such that accesses to the extra MSRs would not have any bad
effect (they end up being no-ops), the read path would (attempt to)
access memory beyond the single page set up for APIC emulation.
IMPACT
=====
A buggy or malicious HVM guest can crash the host or read data
relating to other guests or the hypervisor itself.
VULNERABLE SYSTEMS
=================
Xen 4.1 and onward are vulnerable.
Only x86 systems are vulnerable. ARM systems are not vulnerable.
MITIGATION
=========
Running only PV guests will avoid this vulnerability.
CREDITS
======
This issue was discovered Jan Beulich at SUSE.
RESOLUTION
=========
Applying the attached patch resolves this issue.
xsa108.patch xen-unstable, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x
$ sha256sum xsa108*.patch
cf7ecf4b4680c09e8b1f03980d8350a0e1e7eb03060031788f972e0d4d47203e xsa108.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQEcBAEBAgAGBQJUK+1fAAoJEIP+FMlX6CvZ6cwH+wdcnTCTdyAMc8bmQv+IxrMN
ue5rBYdX0b7CnnC2uCrwPssygna2cxTcVhJsU0eZk5OVrIU5rQ3PKtmFtxMwa3WS
my/vtyftTmoxAzftUKgpDFeicmZXlot3aowfRIiIc+GFZ59zAjDL2yQ0xMR1mJio
7SXl+dkcUPj5nXaeK1gFozJ8XNF+wArNQUPv0xUBIg4NSjQyqa7CMCZ5Q3IuJ53S
hKY37/MSoOViDORDPkeVr3BoSb7atYZSPwibqEUjeL5f+eXyVkbD0MkLQgu1ERtZ
p+dc+DTaRYm77LrDM+npZ+j1uSoVqdVzXtNYe6GZmbNRVXjbhJ+gJyJBcpy/a5Q=m0tK
-----END PGP SIGNATURE-----
_______________________________________________
Xen-users mailing list
Xen-users@lists.xen.org
http://lists.xen.org/xen-users