Information

Advisory XSA-42
Public release 2013-02-12 12:00
Updated 2013-02-13 16:49
Version 2
CVE(s) CVE-2013-0228
Title Linux kernel hits general protection if %ds is corrupt for 32-bit PVOPS.

Files

advisory-42.txt (signed advisory file)
xsa42-pvops-0001-x86-xen-don-t-assume-ds-is-usable-in-xen_iret-for-32.patch

Advisory


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

	     Xen Security Advisory CVE-2013-0228 / XSA-42
                            version 2

 Linux kernel hits general protection if %ds is corrupt for 32-bit PVOPS.


UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

Linux kernel when returning from an iret assumes that %ds segment is safe
and uses it to reference various per-cpu related fields. Unfortunately
the user can modify the LDT and provide a NULL one. Whenever an iret is called
we end up in xen_iret and try to use the %ds segment and cause an
general protection fault.

IMPACT
======

Malicious or buggy unprivileged user space can cause the guest kernel to
crash, or permit a privilege escalation within the guest, or operate
erroneously.

VULNERABLE SYSTEMS
==================

All 32bit PVOPS versions of Linux are affected, since the introduction
of Xen PVOPS support in 2.6.23.  Classic-Xen kernels are not vulnerable.

MITIGATION
==========

This can be mitigated by not running 32bit PVOPS Linux guests.

32bit classic-Xen guests, all 64bit PV guests and all HVM guests are
unaffected.


RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.


$ sha256sum xsa42*.patch
a931fdc161653fb1a3a6d8c1cf6d2c9954c5aec134b610be6e9699552a659eb8  xsa42-pvops-0001-x86-xen-don-t-assume-ds-is-usable-in-xen_iret-for-32.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJRG8PxAAoJEIP+FMlX6CvZC3gH/0v/9nr3jXbsMHZlkBRtCx9n
np1ed8btQGpmmk/WqbyLj/KcTNlXLIa1zwhTSPUgXlVIoDPuzstfGXm96gBNfYhS
hl56QYTruhHPAvvrAwE8SNIlMUH+n7Wq1BThkXFU1yBnjXxzTi4SdmUwy4gAA/SE
Xp35RAcIV6IwLRMMY12aat7XKnVx4S5n+gCC5eu0WZ+n73Ecrlqmsq+2X2ZHo3wP
nu9UN+PChmBJHfcA8OhelY/X4X4DV1HNPuFkj9ypyPrvXIrl6M0D5TfGoyRNXMHq
izAn51ro8gTGND6xY+s3auelquKiJkyl/5AXnfd0y9bSewGJS6oxoRzFdctJqxM=
=mgHb
-----END PGP SIGNATURE-----

Xenproject.org Security Team