Xen project Mailing List

Re: [Xen-users] PV privilege escalation - advisory

To: Florian Heigl <florian.heigl@xxxxxxxxx>

From: Ian Campbell <Ian.Campbell@xxxxxxxxxx>

Date: Tue, 19 Jun 2012 11:16:33 +0100

Cc: "xen-users@xxxxxxxxxxxxx" <xen-users@xxxxxxxxxxxxx>, John Creol <iamcreo@xxxxxxxxx>, Jonathan Tripathy <jonnyt@xxxxxxxxxxx>, "Fajar A. Nugraha" <list@xxxxxxxxx>

Delivery-date: Tue, 19 Jun 2012 10:18:07 +0000

List-id: Xen user discussion <xen-users.lists.xen.org>

On Thu, 2012-06-14 at 23:40 +0100, Florian Heigl wrote: > I'd also love to know if this instruction is available if VT is disabled. The sysret instruction is nothing to do with HVM/VT etc (and predates it) and cannot (AFAIK) be disabled and certainly not by turning off VT. However the hypervisor won't use the sysret instruction to return to the guest so there is no way for an HVM guest to exploit this particular issue. > Basically, I run ~25 PV Linux domUs none of which has an old kernel and 1 HVM. > (A FreeBSD box, with a user that I do not have to worry about) > > A malicious user could probably remove the bugfix from his linux > kernel version and have a happy ride again, so this, well, sucks. > > Flipping something in BIOS would make me a lot happier. > > > 2012/6/14 Jonathan Tripathy <jonnyt@xxxxxxxxxxx>: > > > >>> From a brief look this vulnerability does not impact the hypervisor.. > >>> right ? > >> > >> The bug is on the hypervisor as well: > >> https://bugzilla.redhat.com/show_bug.cgi?id=813428 > >> > >> > > My understanding is that this is *only* a hypervisor issue, *not* a kernel > > issue. The only reason why an updated RHEL kernel-xen package fixes this, is > > because the kernel-xen package includes the Xen hypervisor. I've always > > thought the RHEL package name "kernel-xen" was misleading. They should have > > called it something like "xen-server" or something. > > > > Please someone correct me if I'm wrong > > Don't know :> The RH kernel-xen package contains both the kernel and the hypervisor in a single package (presumably in some way matched for supportability purposes). This issue is only a hypervisor issue, fixing the hypervisor means you don't need to worry/care about guest kernels etc. There is some confusion around this because the same issue also effects some baremetal operating systems. Baremetal Linux was fixed in 2005, which helps add a (small) hurdle to guest users exploiting the issue. You need to trust your guest kernels because a malicious guest admin could unpatch their kernel in order to exploit this on a system running a vulnerable hypevisor. I hope that's made things clearer rather than more confusing... Ian. _______________________________________________ Xen-users mailing list Xen-users@xxxxxxxxxxxxx http://lists.xen.org/xen-users

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.