-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2014-8595 / XSA-110
                              version 4

     Missing privilege level checks in x86 emulation of far branches

UPDATES IN VERSION 4
====================

Fix patch name.

ISSUE DESCRIPTION
=================

The emulation of far branch instructions (CALL, JMP, and RETF in Intel
assembly syntax, LCALL, LJMP, and LRET in AT&T assembly syntax)
incompletely performs privilege checks.

However, these instructions are not usually handled by the emulator.
Exceptions to this are
- - when a memory operand lives in (emulated or passed through) memory
  mapped IO space,
- - in the case of guests running in 32-bit PAE mode, when such an
  instruction is (in execution flow) within four instructions of one
  doing a page table update,
- - when an Invalid Opcode exception gets raised by a guest instruction,
  and the guest then (likely maliciously) alters the instruction to
  become one of the affected ones,
- - when the guest is in real mode (in which case there are no privilege
  checks anyway).

IMPACT
======

Malicious HVM guest user mode code may be able to elevate its privileges
to guest supervisor mode, or to crash the guest.

VULNERABLE SYSTEMS
==================

Xen 3.2.1 and onward are vulnerable on x86 systems.

ARM systems are not vulnerable.

Only user processes in x86 HVM guests can take advantage of this
vulnerability.

MITIGATION
==========

Running only PV guests will avoid this issue.

There is no mitigation available for HVM guests.

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.
xsa110.patch                 xen-unstable, Xen 4.4.x
xsa110-4.3-and-4.2.patch     Xen 4.3.x, Xen 4.2.x

$ sha256sum xsa110*.patch
a114ba586d18125b368112527a077abfe309826ad47aca8cc80ba4549c5f9ae2  xsa110-4.3-and-4.2.patch
eac4691848dcd093903e0a0f5fd7ab15be15d0f10b98575379911e91e5dcbd70  xsa110.patch
$
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmV8b+oMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZRv4IAK8G6TZkYY6/ORxnTusxwI7qKQBziAVxoJdQCr/m
WpG/XsBzUCBPEHt4Mgk6lJBLA22lyambNRYtpoGkfIdZ3LmuTPbkn3d6qUhLTZ8E
6pGTEUVGvnWFWVyzyIc45CLm4fnaCvYNmY1m4FjdVBBpzDryitsuZ5IoPbEB0lLS
ywYo2ueh3ZaS8BsUT2ZgSxH8hUzF8f/P56Zecn3LgmQXlKj9idP6QsFbKvSjx4jl
k3NN3d5BrsX7+J39zNAoZ4JAI1MBZ+C4BPgIi7SwZJBizKcx4axgx0X7ui1dgJx6
42E+dZuUmGKunzyFFKtw3bGuZLHE/TXRXlj7eGCquj2SFH4=
=dG+a
-----END PGP SIGNATURE-----
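The privilege checks that the ISSUE DESCRIPTION says the emulator performed incompletely, written out as an added example in C. This is illustrative code added to this page, not Xen's instruction emulator and not the attached patches: it models the checks a far JMP/CALL to a code segment and a far RET must pass in protected mode according to the Intel SDM. The descriptor structure, the constructed descriptors and selector values, the negative fault return codes and the function names are all assumptions of the example; call gates, task gates and 64-bit mode are left out.

```c
/* Added example, not Xen code: the privilege checks a far JMP/CALL to a
 * code segment and a far RET must pass in protected mode, following the
 * instruction descriptions in the Intel SDM. The descriptor struct, the
 * selector values and the negative fault codes are simplifications made for
 * this example; call gates, task gates and 64-bit mode are left out. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    bool present;     /* P bit */
    bool code;        /* true: code segment, false: data segment */
    bool conforming;  /* code segments only: C bit */
    bool writable;    /* data segments only: W bit */
    unsigned dpl;     /* descriptor privilege level, 0..3 */
} seg_desc_t;

/* Results: the new CPL (0..3) on success, or minus the fault vector. */
enum { FAULT_NP = -11, FAULT_SS = -12, FAULT_GP = -13 };

/* Constructed descriptors for the scenarios below. */
static const seg_desc_t KERNEL_CS     = { true,  true,  false, false, 0 };
static const seg_desc_t USER_CS       = { true,  true,  false, false, 3 };
static const seg_desc_t USER_SS       = { true,  false, false, true,  3 };
static const seg_desc_t CONFORMING_CS = { true,  true,  true,  false, 0 };
static const seg_desc_t ABSENT_CS     = { false, true,  false, false, 0 };

static unsigned rpl_of(uint16_t sel) { return sel & 3u; }
static bool is_null(uint16_t sel)    { return (sel & ~3u) == 0; }

/* Far JMP or CALL from privilege level cpl to the code segment selected by sel. */
int far_branch(uint16_t sel, const seg_desc_t *d, unsigned cpl)
{
    unsigned rpl = rpl_of(sel);

    if (is_null(sel) || !d->code)
        return FAULT_GP;               /* null selector or not a code segment */
    if (d->conforming) {
        /* Conforming: reachable from an equal or less privileged ring, but
         * execution continues at the caller's CPL, never at the segment's DPL. */
        if (d->dpl > cpl)
            return FAULT_GP;
    } else if (rpl > cpl || d->dpl != cpl) {
        /* Nonconforming: same-ring transfers only, and the selector's RPL may
         * not claim more privilege than the caller has. Without the DPL == CPL
         * test, ring 3 could branch into a DPL 0 segment and run at CPL 0. */
        return FAULT_GP;
    }
    if (!d->present)
        return FAULT_NP;
    return d->conforming ? (int)cpl : (int)d->dpl;
}

/* Far RET from privilege level cpl. cs_sel/cs are the popped CS; ss_sel/ss
 * are the popped SS, consulted only when returning to an outer ring. */
int far_return(uint16_t cs_sel, const seg_desc_t *cs,
               uint16_t ss_sel, const seg_desc_t *ss, unsigned cpl)
{
    unsigned rpl = rpl_of(cs_sel);

    if (is_null(cs_sel) || !cs->code)
        return FAULT_GP;
    if (rpl < cpl)
        return FAULT_GP;               /* a RET can never gain privilege */
    if (cs->conforming ? cs->dpl > rpl : cs->dpl != rpl)
        return FAULT_GP;               /* segment must fit the ring returned to */
    if (!cs->present)
        return FAULT_NP;
    if (rpl > cpl) {
        /* Outer ring: the popped SS must be a present, writable data segment
         * whose RPL and DPL both equal the new CPL. */
        if (!ss || is_null(ss_sel) || rpl_of(ss_sel) != rpl)
            return FAULT_GP;
        if (ss->code || !ss->writable || ss->dpl != rpl)
            return FAULT_GP;
        if (!ss->present)
            return FAULT_SS;
    }
    return (int)rpl;
}

int main(void)
{
    /* Ring-3 code trying to branch into the ring-0 kernel segment: #GP. */
    printf("ljmp $0x08 from CPL 3 -> %d\n", far_branch(0x08, &KERNEL_CS, 3));
    /* Ring-3 code executing lret with a popped CS of RPL 0: #GP. */
    printf("lret to 0x08 from CPL 3 -> %d\n", far_return(0x08, &KERNEL_CS, 0, NULL, 3));
    /* The legitimate direction, kernel returning to user mode: CPL 3. */
    printf("lret to 0x1b:0x23 from CPL 0 -> %d\n",
           far_return(0x1b, &USER_CS, 0x23, &USER_SS, 0));
    return 0;
}
```

The IMPACT section follows directly from the nonconforming case in far_branch: if the DPL == CPL comparison is missing, the same ljmp from CPL 3 into the DPL 0 kernel segment succeeds and returns 0, i.e. guest user mode code continues at guest supervisor privilege. Type, RPL and DPL are checked before the present bit, so a not-present segment at the wrong ring reports #GP rather than #NP, which is the order the SDM specifies.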