| Public release | 2014-11-18 12:00 |
| Updated | 2014-11-18 12:23 |
| Title | Missing privilege level checks in x86 emulation of far branches |
| Files | advisory-110.txt (signed advisory file) |
-----BEGIN PGP SIGNED MESSAGE-----
Xen Security Advisory CVE-2014-8595 / XSA-110
Missing privilege level checks in x86 emulation of far branches
UPDATES IN VERSION 3
The emulation of far branch instructions (CALL, JMP, and RETF in Intel
assembly syntax, LCALL, LJMP, and LRET in AT&T assembly syntax)
incompletely performs privilege checks.
However, these instructions are not usually handled by the emulator.
Exceptions to this are:
- when a memory operand lives in (emulated or passed-through) memory
  mapped IO space,
- in the case of guests running in 32-bit PAE mode, when such an
  instruction is (in execution flow) within four instructions of one
  doing a page table update,
- when an Invalid Opcode exception gets raised by a guest instruction,
  and the guest then (likely maliciously) alters the instruction to
  become one of the affected ones,
- when the guest is in real mode (in which case there are no privilege
Malicious HVM guest user mode code may be able to elevate its
privileges to guest supervisor mode, or to crash the guest.
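To make concrete which checks a far-branch emulator has to perform, the following is an added example (not Xen code, and not taken from the advisory or its patches). It models the Intel SDM privilege rules for a far JMP/CALL and a far RET that land directly on a code-segment descriptor: `far_jmp_call_check` and `far_ret_check` apply the full rules, while `far_jmp_check_no_priv` is a constructed stand-in that validates only descriptor type and presence, to show how omitting the DPL/RPL comparisons lets ring 3 code select a ring 0 code segment. The `struct code_seg` layout, the function names and the result codes are assumptions made for this example; limit checks and call gates are deliberately left out.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal model of an x86 code-segment descriptor: only the fields the
 * far-branch privilege checks consult. Constructed for this example. */
struct code_seg {
    bool present;     /* P bit */
    bool is_code;     /* S=1 and the type's execute bit set */
    bool conforming;  /* C bit of a code segment */
    uint8_t dpl;      /* descriptor privilege level, 0..3 */
};

/* Outcome codes used by the checks below (hypothetical names). */
enum branch_result { BR_OK = 0, BR_GP = 1, BR_NP = 2 };

/* Far JMP/CALL to a code segment (no gate). The Intel SDM requires
 *   conforming:      DPL <= CPL
 *   non-conforming:  RPL <= CPL and DPL == CPL
 * plus a non-null selector and a present descriptor. CPL is unchanged
 * on this path, so ring 3 can never reach a ring 0 segment through it. */
static enum branch_result far_jmp_call_check(uint8_t cpl, uint16_t selector,
                                            const struct code_seg *d)
{
    uint8_t rpl = selector & 3;

    if ((selector & ~3u) == 0)        /* null selector */
        return BR_GP;
    if (!d->is_code)
        return BR_GP;
    if (d->conforming) {
        if (d->dpl > cpl)
            return BR_GP;
    } else {
        if (rpl > cpl || d->dpl != cpl)
            return BR_GP;
    }
    if (!d->present)
        return BR_NP;
    return BR_OK;
}

/* Far RET. The returned-to CS.RPL becomes the new CPL and may only be
 * greater than or equal to the current CPL (a return may drop privilege,
 * never gain it). The target must be a present code segment with
 *   conforming:      DPL <= RPL
 *   non-conforming:  DPL == RPL. */
static enum branch_result far_ret_check(uint8_t cpl, uint16_t selector,
                                        const struct code_seg *d)
{
    uint8_t rpl = selector & 3;

    if ((selector & ~3u) == 0)
        return BR_GP;
    if (rpl < cpl)                    /* would raise privilege */
        return BR_GP;
    if (!d->is_code)
        return BR_GP;
    if (d->conforming ? d->dpl > rpl : d->dpl != rpl)
        return BR_GP;
    if (!d->present)
        return BR_NP;
    return BR_OK;
}

/* Constructed stand-in for an incomplete check that validates only type
 * and presence. This is not Xen's code; it exists to show that without
 * the privilege comparisons a ring 3 selector naming a ring 0 segment is
 * accepted, which is the class of omission the advisory describes. */
static enum branch_result far_jmp_check_no_priv(uint8_t cpl, uint16_t selector,
                                                const struct code_seg *d)
{
    (void)cpl;                        /* privilege level never consulted */
    if ((selector & ~3u) == 0 || !d->is_code)
        return BR_GP;
    return d->present ? BR_OK : BR_NP;
}

int main(void)
{
    /* Constructed descriptor: present, non-conforming ring 0 code segment,
     * referenced through selector 0x0008 (GDT index 1, RPL 0). */
    struct code_seg kernel_cs = { true, true, false, 0 };
    uint16_t sel = 0x0008;

    printf("ring 3 JMP -> ring 0 CS, full check:    %d (1 = #GP)\n",
           far_jmp_call_check(3, sel, &kernel_cs));
    printf("ring 3 JMP -> ring 0 CS, no priv check: %d (0 = allowed)\n",
           far_jmp_check_no_priv(3, sel, &kernel_cs));
    return 0;
}
```

The point of the pairing is that the descriptor's type and presence bits say nothing about who may branch into it; only the DPL/RPL/CPL comparisons do, and an emulator that skips them while updating CS hands guest user mode a supervisor code segment.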
Xen 3.2.1 and onward are vulnerable on x86 systems.
ARM systems are not vulnerable.
Only user processes in x86 HVM guests can take advantage of this
Running only PV guests will avoid this issue.
There is no mitigation available for HVM guests.
This issue was discovered by Jan Beulich of SUSE.
Applying the appropriate attached patch resolves this issue.
xsa110-unstable.patch xen-unstable, Xen 4.4.x
xsa110-4.3-and-4.2.patch Xen 4.3.x, Xen 4.2.x
$ sha256sum xsa110*.patch
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----
Xenproject.org Security Team