
[Xen-devel] Xen Security Advisory 105 - Missing privilege level checks in x86 HLT, LGDT, LIDT, and LMSW emulation




                    Xen Security Advisory XSA-105
                              version 2

    Missing privilege level checks in x86 HLT, LGDT, LIDT, and LMSW emulation

UPDATES IN VERSION 2
====================

Public Release.

Convert patch line endings from DOS to Unix style.

ISSUE DESCRIPTION
=================

The emulation of the instructions HLT, LGDT, LIDT, and LMSW fails to
perform supervisor mode permission checks.

However, these instructions are not usually handled by the emulator.
Exceptions to this are
- when the instruction's memory operand (if any) lives in (emulated or
  passed through) memory mapped IO space,
- in the case of guests running in 32-bit PAE mode, when such an
  instruction is (in execution flow) within four instructions of one
  doing a page table update,
- when an Invalid Opcode exception gets raised by a guest instruction,
  and the guest then (likely maliciously) alters the instruction to
  become one of the affected ones.

Malicious guest user mode code may be able to leverage this to install
e.g. its own Interrupt Descriptor Table (IDT).

IMPACT
======

Malicious HVM guest user mode code may be able to crash the guest or
escalate its own privilege to guest kernel mode.

VULNERABLE SYSTEMS
==================

Xen versions from at least 3.2.x onwards are vulnerable.  Older
versions have not been inspected.

Only user processes in HVM guests can take advantage of this
vulnerability.

MITIGATION
==========

Running only PV guests will avoid this issue.

There is no mitigation available for HVM guests.

CREDITS
=======

This issue was discovered by Andrei Lutas at BitDefender and analyzed by
Andrew Cooper at Citrix.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa105.patch        xen-unstable, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x

$ sha256sum xsa105*.patch
dfb5ede7cc5609a812a7b1239479cefd387f9f9c8c25e11e64199bc592ad7e39  xsa105.patch
$

Attachment: xsa105.patch
Description: Binary data
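
Added example, not part of the advisory and not Xen code: a toy C model of
the flaw class described under ISSUE DESCRIPTION, with an emulation path that
skips the privilege check beside one that checks CPL before touching guest
state. All type and function names and the base addresses 0x1000/0x2000 are
constructed for illustration.

```c
#include <stdint.h>

/* Toy model of an instruction emulator; every name here is hypothetical. */
enum insn { INSN_HLT, INSN_LGDT, INSN_LIDT, INSN_LMSW };
enum rc   { EMUL_OKAY, EMUL_GP_FAULT };

struct vcpu {
    unsigned cpl;                 /* 0 = guest kernel, 3 = guest user */
    uint64_t gdt_base, idt_base;  /* descriptor tables owned by the guest kernel */
    uint64_t cr0;
    int      halted;
};

/* Apply the architectural effect of the instruction to guest state. */
static void commit(struct vcpu *v, enum insn i, uint64_t op)
{
    switch (i) {
    case INSN_HLT:  v->halted = 1;    break;
    case INSN_LGDT: v->gdt_base = op; break;
    case INSN_LIDT: v->idt_base = op; break;
    /* LMSW writes CR0 bits 0-3 only and cannot clear PE (bit 0). */
    case INSN_LMSW: v->cr0 = (v->cr0 & ~0xeULL) | (op & 0xf); break;
    }
}

/* Flawed pattern: the effect is applied without consulting CPL. */
enum rc emulate_unchecked(struct vcpu *v, enum insn i, uint64_t op)
{
    commit(v, i, op);
    return EMUL_OKAY;
}

/* Hardened pattern: as on real hardware in protected mode, all four
 * instructions fault with #GP(0) unless CPL is 0; state is left untouched. */
enum rc emulate_checked(struct vcpu *v, enum insn i, uint64_t op)
{
    if (v->cpl != 0)
        return EMUL_GP_FAULT;
    commit(v, i, op);
    return EMUL_OKAY;
}

/* Constructed scenario: LIDT at the given CPL; returns the resulting IDT base. */
uint64_t idt_after_lidt(unsigned cpl, int hardened)
{
    struct vcpu v = { .cpl = cpl, .idt_base = 0x1000 };
    (hardened ? emulate_checked : emulate_unchecked)(&v, INSN_LIDT, 0x2000);
    return v.idt_base;
}
```

In the unchecked path a CPL 3 caller replaces the IDT base; in the checked
path the same call faults and the base stays at its original value, while a
CPL 0 caller still succeeds.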
