|Public release ||2013-09-30 10:04|
|Updated ||2013-09-30 10:04|
|Title ||Information leak through fbld instruction emulation|
Filesadvisory-66.txt (signed advisory file)
-----BEGIN PGP SIGNED MESSAGE-----
Xen Security Advisory CVE-2013-4361 / XSA-66
Information leak through fbld instruction emulation
UPDATES IN VERSION 3
The emulation of the fbld instruction (which is used during I/O
emulation) uses the wrong variable for the source effective address.
As a result, the actual address used is an uninitialised bit pattern
from the stack.
A malicious guest might be able to find out information about the
contents of the hypervisor stack, by observing which values are
actually being used by fbld and inferring what the address must have
been. Depending on the actual values on the stack this attack might
be very difficult to carry out.
A malicious guest might conceivably gain access to sensitive data
relating to other guests.
Xen 3.3.x and later are vulnerable.
Only HVM guests can take advantage of this vulnerability.
Running only PV guests will avoid this issue.
There is no mitigation available for HVM guests. We believe this
vulnerability would require significant research to exploit.
Jan Beulich discovered this issue.
Applying the attached patch resolves this issue.
xsa66.patch Xen 4.2.x, Xen 4.3.x, xen-unstable
$ sha256sum xsa66.patch
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----
Xenproject.org Security Team