List: oss-security
Subject: [oss-security] Xen Security Advisory 76 (CVE-2013-4554) - Hypercalls exposed to privilege rings 1 an
From: Xen.org security team <security () xen ! org>
Date: 2013-11-26 17:03:26
Message-ID: E1VlM2o-0002ZM-PL () xenbits ! xen ! org
Xen Security Advisory CVE-2013-4554 / XSA-76
version 3
Hypercalls exposed to privilege rings 1 and 2 of HVM guests
UPDATES IN VERSION 3
====================
Public release.
ISSUE DESCRIPTION
=================
The privilege check applied to hypercall attempts by a HVM guest only refused
access from ring 3; rings 1 and 2 were allowed through.
IMPACT
======
Code running in the intermediate privilege rings of HVM guest OSes may be able
to elevate its privileges inside the guest by careful hypercall use.
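To make the flaw in the privilege check concrete, here is an added illustration (not code from the advisory or from Xen) that places the pre-fix comparison beside the fixed one. It assumes a packed segment attribute word laid out like Xen's segment_attributes bitfield and constructs SS attributes for each of the four rings; the old check only refuses DPL 3, so rings 1 and 2 pass, while the fixed check refuses any non-zero DPL.

```c
#include <errno.h>
#include <stdint.h>

/* Packed segment attribute word, modelled on Xen's segment_attributes
 * bitfield layout (an assumption here); only the DPL field matters. */
union seg_attr {
    uint16_t bytes;
    struct {
        uint16_t type:4, s:1, dpl:2, p:1, avl:1, l:1, db:1, g:1, pad:4;
    } fields;
};

/* Constructed SS attribute word: present, writable data segment at 'ring'.
 * On x86 the DPL of the loaded SS equals the CPL of the running code,
 * which is why the hypervisor inspects SS to learn the caller's ring. */
static uint16_t make_ss_attr(unsigned ring)
{
    union seg_attr a = { .bytes = 0 };
    a.fields.type = 0x3;     /* read/write data, accessed */
    a.fields.s = 1;          /* non-system segment */
    a.fields.dpl = ring & 3;
    a.fields.p = 1;
    a.fields.db = 1;
    return a.bytes;
}

/* Check as it stood before XSA-76: only DPL 3 is refused. */
static int hypercall_check_before(uint16_t ss_attr)
{
    union seg_attr a = { .bytes = ss_attr };
    return (a.fields.dpl == 3) ? -EPERM : 0;
}

/* Check after xsa76.patch: any non-zero DPL (rings 1, 2 and 3) is refused. */
static int hypercall_check_after(uint16_t ss_attr)
{
    union seg_attr a = { .bytes = ss_attr };
    return (a.fields.dpl != 0) ? -EPERM : 0;
}

/* Bitmask (bit n = ring n) of rings whose hypercalls 'check' lets through. */
static unsigned rings_allowed(int (*check)(uint16_t))
{
    unsigned mask = 0, ring;
    for ( ring = 0; ring < 4; ring++ )
        if ( check(make_ss_attr(ring)) == 0 )
            mask |= 1u << ring;
    return mask;
}
```

Calling rings_allowed() with each check returns 0x7 (rings 0, 1 and 2 pass) for the pre-fix version and 0x1 (ring 0 only) for the fixed one.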
VULNERABLE SYSTEMS
==================
Xen 3.0.3 and later are vulnerable.
Xen 3.0.2 and earlier are not vulnerable.
MITIGATION
==========
Running only PV guests, or running HVM guests known not to make use of
protection rings 1 and 2, will avoid this issue. As far as we are aware, no
mainstream OS (Linux, Windows, BSD) makes use of these rings.
CREDITS
=======
This issue was discovered by Jan Beulich.
RESOLUTION
==========
Applying the attached patch resolves this issue.
xsa76.patch: xen-unstable, Xen 4.3.x, Xen 4.2.x, Xen 4.1.x
$ sha256sum xsa76*.patch
8c4d460c71e8e8dffa32ce24f57ce872ccd8623ab72fd38be432f0a2b097e7c1 xsa76.patch
$
["xsa76.patch" (application/octet-stream)]
x86/HVM: only allow ring 0 guest code to make hypercalls
Anything else would allow for privilege escalation.
This is CVE-2013-4554 / XSA-76.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
--- a/xen/arch/x86/hvm/hvm.c
+++ b/xen/arch/x86/hvm/hvm.c
@@ -3359,7 +3359,7 @@ int hvm_do_hypercall(struct cpu_user_reg
case 4:
case 2:
hvm_get_segment_register(curr, x86_seg_ss, &sreg);
- if ( unlikely(sreg.attr.fields.dpl == 3) )
+ if ( unlikely(sreg.attr.fields.dpl) )
{
default:
regs->eax = -EPERM;
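Review bot: the new condition `if ( unlikely(sreg.attr.fields.dpl) )` refuses any non-zero SS DPL, which closes the ring 1 and 2 gap left by the old `== 3` comparison, but nothing in the hunk says why SS is the register being consulted; spelling it as `sreg.attr.fields.dpl != 0` and adding a one-line comment that the DPL of the loaded SS reflects the guest's current privilege level would make the intent obvious to the next reader. The `default:` label sitting inside the if-body is unchanged yet easy to misread next to the new test, so a sentence in the commit message noting that unknown-mode and non-ring-0 callers now share the `-EPERM` path would help.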