Public release: 2013-10-10 12:00
Updated: 2013-10-10 12:22
Title: Information leak through outs instruction emulation
Files: advisory-67.txt (signed advisory file)
-----BEGIN PGP SIGNED MESSAGE-----
Xen Security Advisory CVE-2013-4368 / XSA-67
Information leak through outs instruction emulation
UPDATES IN VERSION 2

The emulation of the outs instruction for 64-bit PV guests uses an
uninitialized variable as the segment base for the source data if an FS: or
GS: segment override is used and the segment descriptor referenced by the
(non-null) selector held in that segment register cannot be read by the
emulation code. This is possible if the segment register was loaded before
a more recent GDT or LDT update, i.e. the segment register contains stale
data.

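The failure path described above, modelled as an added C example that is not Xen code: a descriptor read that fails for a stale selector, the unchecked shape in which whatever was left in the variable's stack slot becomes part of the computed source address, and the hardened shape that initialises the variable and aborts the emulation when the read fails. The descriptor table, the read_descriptor() helper, the emulate_outs_*() functions and the sentinel value are assumptions constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Illustrative model of the defect class in this advisory, written for this
 * page; it is not Xen source. The names (segdesc, read_descriptor,
 * emulate_outs_*) and the table contents are assumptions for the example.
 */

struct segdesc {
    uint64_t base;      /* segment base address */
    bool     present;   /* descriptor usable? */
};

/*
 * Constructed descriptor table with a deliberately small size: a selector
 * loaded while the table was larger (a "stale" selector) now points past
 * the end and can no longer be read, which is the failure path at issue.
 */
static const struct segdesc table[] = {
    { 0x0000000000000000ULL, false }, /* index 0: null descriptor, never usable */
    { 0x00007f0000000000ULL, true  }, /* index 1: live data segment */
};
static const unsigned table_entries = sizeof(table) / sizeof(table[0]);

/* Returns false when the descriptor the selector refers to cannot be read. */
static bool read_descriptor(uint16_t sel, uint64_t *base)
{
    unsigned idx = sel >> 3;            /* selector index field */
    if (idx >= table_entries || !table[idx].present)
        return false;
    *base = table[idx].base;
    return true;
}

/* Outcome of one emulated outs source access. */
struct outs_result {
    bool     faulted;      /* true: emulation aborted, fault injected to guest */
    uint64_t linear_addr;  /* address the emulator would read the data from */
};

/*
 * Vulnerable shape: the read_descriptor() result is ignored, so on failure
 * 'base' keeps whatever was already in its stack slot. In real code that is
 * unpredictable; here a fixed sentinel stands in for leftover stack data so
 * the behaviour is observable and testable.
 */
static struct outs_result emulate_outs_vulnerable(uint16_t fs_sel, uint64_t rsi)
{
    uint64_t base = 0xdeadbeefcafef00dULL;  /* stand-in for stale stack contents */
    struct outs_result r = { false, 0 };

    (void)read_descriptor(fs_sel, &base);    /* defect: failure not checked */
    r.linear_addr = base + rsi;              /* stack data reaches the address */
    return r;
}

/*
 * Hardened shape: initialise the output, check the read, and on failure
 * abort the emulation with a fault to the guest instead of computing an
 * address from data the emulator never set.
 */
static struct outs_result emulate_outs_fixed(uint16_t fs_sel, uint64_t rsi)
{
    uint64_t base = 0;
    struct outs_result r = { false, 0 };

    if (!read_descriptor(fs_sel, &base)) {
        r.faulted = true;                    /* e.g. inject #GP, emulate nothing */
        return r;
    }
    r.linear_addr = base + rsi;
    return r;
}

int main(void)
{
    const uint16_t stale_sel = 0x10;         /* index 2: beyond the table */
    struct outs_result v = emulate_outs_vulnerable(stale_sel, 0x10);
    struct outs_result f = emulate_outs_fixed(stale_sel, 0x10);

    printf("vulnerable: faulted=%d addr=0x%016llx\n", v.faulted,
           (unsigned long long)v.linear_addr);
    printf("fixed:      faulted=%d addr=0x%016llx\n", f.faulted,
           (unsigned long long)f.linear_addr);
    return 0;
}
```

With the stale selector the unchecked version proceeds with an address built from the sentinel, which is the channel the advisory describes (a page fault on that address hands the value to the fault handler); the checked version never forms the address and simply faults the guest.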
A malicious guest might be able to get hold of the contents of the
hypervisor stack through the fault address passed to the page fault handler
if the outs raises such a fault (which is mostly under guest control). Other
methods of indirectly deducing the information also exist.

A malicious 64-bit PV guest might conceivably gain access to sensitive data
relating to other guests.

Xen 3.1.x and later are vulnerable.

Only 64-bit PV guests can take advantage of this vulnerability.

Running only HVM or 32-bit PV guests will avoid this issue.

This issue was discovered by Coverity Scan and Matthew Daley.

Applying the attached patch resolves this issue.

xsa67.patch           Xen 4.2.x, Xen 4.3.x, xen-unstable

$ sha256sum xsa67*.patch

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----
Xenproject.org Security Team