|Public release ||2014-08-12 12:00|
|Updated ||2014-08-12 13:02|
|Title ||Flaw in handling unknown system register access from 64-bit userspace on ARM|
Filesadvisory-103.txt (signed advisory file)
-----BEGIN PGP SIGNED MESSAGE-----
Xen Security Advisory CVE-2014-5148 / XSA-103
Flaw in handling unknown system register access from 64-bit userspace on ARM
UPDATES IN VERSION 3
When handling an unknown system register access from 64-bit userspace
Xen would incorrectly return to the second instruction of the trap
handler for faults in kernel space rather than the first instruction
of the trap handler for faults in 64-bit userspace.
Any user in a guest which is running a 64-bit kernel who is able to
spawn a 64-bit process can cause a trap to the kernel to be taken at
an unexpected (but not user controlled) exception address.
Known versions of Linux in the default configuration will Oops and kill the
offending process, and therefore avoid this vulnerability. However local
configuration may turn such an Oops into a kernel panic, and therefore a
guest denial of service.
Depending on the guest kernel implementation, kernel crash (guest DoS)
or privilege elevation to that of the guest kernel cannot be ruled
This issue does not enable an attack on the host.
64-bit ARM systems may be vulnerable, depending on the guest kernel.
All versions of Linux released by Linux upstream to date avoid this
vulnerability. Systems based on modified versions of Linux may be
32-bit ARM systems, and X86 systems, are not vulnerable.
There is no known mitigation for this issue.
This issue was reported as a bug by Riku Voipio, discovered via
Linaro's LAVA testing and was diagnosed as a security issue by Ian
Applying the appropriate attached patch resolves this issue.
The patch for XSA-103 (specifically, xsa102-*-02.patch) must be
xsa103-4.4.patch Xen 4.4.x
$ sha256sum xsa103*.patch
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----
Xenproject.org Security Team