Information

Advisory XSA-108
Public release 2014-10-01 12:00
Updated 2014-10-01 12:02
Version 4
CVE(s) CVE-2014-7188
Title Improper MSR range used for x2APIC emulation

Files

advisory-108.txt (signed advisory file)
xsa108.patch

Advisory


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

              Xen Security Advisory CVE-2014-7188 / XSA-108
                              version 4

              Improper MSR range used for x2APIC emulation

UPDATES IN VERSION 4
====================

Public release.

ISSUE DESCRIPTION
=================

The MSR range specified for APIC use in the x2APIC access model spans
256 MSRs. Hypervisor code emulating read and write accesses to these
MSRs erroneously covered 1024 MSRs. While the write emulation path is
written such that accesses to the extra MSRs would not have any bad
effect (they end up being no-ops), the read path would (attempt to)
access memory beyond the single page set up for APIC emulation.

IMPACT
======

A buggy or malicious HVM guest can crash the host or read data
relating to other guests or the hypervisor itself.

VULNERABLE SYSTEMS
==================

Xen 4.1 and onward are vulnerable.

Only x86 systems are vulnerable.  ARM systems are not vulnerable.

MITIGATION
==========

Running only PV guests will avoid this vulnerability.

CREDITS
=======

This issue was discovered Jan Beulich at SUSE.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa108.patch        xen-unstable, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x

$ sha256sum xsa108*.patch
cf7ecf4b4680c09e8b1f03980d8350a0e1e7eb03060031788f972e0d4d47203e  xsa108.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJUK+1fAAoJEIP+FMlX6CvZ6cwH+wdcnTCTdyAMc8bmQv+IxrMN
ue5rBYdX0b7CnnC2uCrwPssygna2cxTcVhJsU0eZk5OVrIU5rQ3PKtmFtxMwa3WS
my/vtyftTmoxAzftUKgpDFeicmZXlot3aowfRIiIc+GFZ59zAjDL2yQ0xMR1mJio
7SXl+dkcUPj5nXaeK1gFozJ8XNF+wArNQUPv0xUBIg4NSjQyqa7CMCZ5Q3IuJ53S
hKY37/MSoOViDORDPkeVr3BoSb7atYZSPwibqEUjeL5f+eXyVkbD0MkLQgu1ERtZ
p+dc+DTaRYm77LrDM+npZ+j1uSoVqdVzXtNYe6GZmbNRVXjbhJ+gJyJBcpy/a5Q=
=m0tK
-----END PGP SIGNATURE-----

Xenproject.org Security Team