List: xen-announce
Subject: [Xen-announce] Xen Security Advisory 67 (CVE-2013-4368) - Information leak through outs instruction
From: Xen.org security team <security () xen ! org>
Date: 2013-10-10 12:22:40
Message-ID: E1VUFGK-0002Xa-D5 () xenbits ! xen ! org
Xen Security Advisory CVE-2013-4368 / XSA-67
version 2
Information leak through outs instruction emulation
UPDATES IN VERSION 2
====================
Public release.
ISSUE DESCRIPTION
=================
The emulation of the outs instruction for 64-bit PV guests uses an
uninitialized variable as the segment base for the source data when an FS: or
GS: segment override is used and the segment descriptor referenced by the
(non-null) selector in the corresponding segment register cannot be read by
the emulation code. This is possible if the segment register was loaded
before a more recent GDT or LDT update, i.e. the segment register contains
stale data.
A malicious guest might be able to obtain contents of the hypervisor stack
through the fault address passed to the page fault handler if the outs
raises such a fault (which is largely under guest control). Other methods
for indirectly deducing the information also exist.
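The check the fix introduces, modelled as an added example that is not Xen's code: a descriptor-table lookup that fails for a selector whose index is stale (loaded before the GDT was shrunk) or whose descriptor is not present, so the emulated OUTS never computes a source base from an uninitialized variable. The descriptor bit layout is the real x86 one; the GDT contents, selectors and function names are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>

#define SEG_S 0x10          /* access byte: 1 = code/data, 0 = system */
#define SEG_P 0x80          /* access byte: segment present */
#define GDT_SLOTS 3

/* Constructed GDT: [0] null, [1] present data segment with base 0x400000,
 * [2] data segment with base 0x12345678 but P=0 (not present). */
static const uint64_t gdt[GDT_SLOTS] = {
    0x0000000000000000ull,
    0x00cf93400000ffffull,
    0x12cf13345678ffffull,
};
/* Entries covered by the *current* GDTR limit. A guest that loaded FS
 * before shrinking its GDT leaves a stale index in the register. */
static unsigned gdt_entries = GDT_SLOTS;

/* Decode base, limit and access byte; false when the selector's index lies
 * outside the table, which is the stale-selector case from the advisory. */
static bool read_descriptor(uint16_t sel, uint64_t *base,
                            uint32_t *limit, uint8_t *ar)
{
    unsigned idx = sel >> 3;                       /* drop TI and RPL bits */
    if (idx >= gdt_entries)
        return false;
    uint64_t d = gdt[idx];
    *base  = ((d >> 16) & 0xffffffull) | (((d >> 56) & 0xff) << 24);
    *limit = (uint32_t)((d & 0xffff) | (((d >> 48) & 0xf) << 16));
    *ar    = (uint8_t)(d >> 40);
    return true;
}

/* Source base for an emulated OUTS with an FS: override. Returns false (the
 * emulator's "goto fail") unless the descriptor was read and is a present,
 * non-system segment; the pre-fix code ignored the read result here. */
static bool outs_source_base(uint16_t fs_sel, uint64_t *data_base)
{
    uint64_t base; uint32_t limit; uint8_t ar;
    if (!read_descriptor(fs_sel, &base, &limit, &ar) ||
        !(ar & SEG_S) || !(ar & SEG_P))
        return false;
    *data_base = base;
    return true;
}

/* Helper for experiments: base, or UINT64_MAX when emulation must fail,
 * with the live GDT entry count set first. */
static uint64_t effective_base(uint16_t fs_sel, unsigned live_entries)
{
    uint64_t base;
    gdt_entries = live_entries;
    return outs_source_base(fs_sel, &base) ? base : UINT64_MAX;
}
```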
IMPACT
======
A malicious 64-bit PV guest might conceivably gain access to sensitive data
relating to other guests.
VULNERABLE SYSTEMS
==================
Xen 3.1.x and later are vulnerable.
Only 64-bit PV guests can take advantage of this vulnerability.
MITIGATION
==========
Running only HVM or 32-bit PV guests will avoid this issue.
CREDITS
=======
This issue was discovered by Coverity Scan and Matthew Daley.
RESOLUTION
==========
Applying the attached patch resolves this issue.
xsa67.patch Xen 4.2.x, Xen 4.3.x, xen-unstable
$ sha256sum xsa67*.patch
7de3ac9baa6cd9fead46e68912dfa0189e900095317645d0e33d85346fc8a028 xsa67.patch
$
["xsa67.patch" (application/octet-stream)]
x86: check segment descriptor read result in 64-bit OUTS emulation
When emulating such an operation from a 64-bit context (CS has long
mode set), and the data segment is overridden to FS/GS, the result of
reading the overridden segment's descriptor (read_descriptor) is not
checked. If it fails, data_base is left uninitialized.
This can lead to 8 bytes of Xen's stack being leaked to the guest
(implicitly, i.e. via the address given in a #PF).
Coverity-ID: 1055116
This is CVE-2013-4368 / XSA-67.
Signed-off-by: Matthew Daley <mattjd@gmail.com>
Fix formatting.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
--- a/xen/arch/x86/traps.c
+++ b/xen/arch/x86/traps.c
@@ -1993,10 +1993,10 @@ static int emulate_privileged_op(struct
break;
}
}
- else
- read_descriptor(data_sel, v, regs,
- &data_base, &data_limit, &ar,
- 0);
+ else if ( !read_descriptor(data_sel, v, regs,
+ &data_base, &data_limit, &ar, 0) ||
+ !(ar & _SEGMENT_S) || !(ar & _SEGMENT_P) )
+ goto fail;
data_limit = ~0UL;
ar = _SEGMENT_WR|_SEGMENT_S|_SEGMENT_DPL|_SEGMENT_P;
}
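Review bot: the new condition rejects more than a failed read: descriptors with S (non-system) or P (present) clear now also take the fail path, but the commit message only mentions the unchecked read_descriptor result; it would help to state the S/P rejection there too. Also note that the two lines right after the check, `data_limit = ~0UL;` and `ar = _SEGMENT_WR|_SEGMENT_S|_SEGMENT_DPL|_SEGMENT_P;`, unconditionally overwrite the values read_descriptor just produced, so the read's `ar` is consumed only by this check; any future use of the descriptor's own access rights in this path would have to be placed before that overwrite.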
_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce