Information

AdvisoryXSA-274
Public release 2018-07-25 16:39
Updated 2018-08-15 16:09
Version 3
CVE(s) CVE-2018-14678
Title Linux: Uninitialized state in x86 PV failsafe callback path

Files

advisory-274.txt (signed advisory file)
xsa274-linux-4.17.patch

Advisory


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2018-14678 / XSA-274
                               version 3

      Linux: Uninitialized state in x86 PV failsafe callback path

UPDATES IN VERSION 3
====================

Fix spelling in CREDITS.

ISSUE DESCRIPTION
=================

Linux has a `failsafe` callback, invoked by Xen under certain
conditions.  Normally in this failsafe callback, error_entry is paired
with error_exit; and error_entry uses %ebx to communicate to
error_exit whether to use the user or kernel return path.

Unfortunately, on 64-bit PV Xen on x86, error_exit is called without
error_entry being called first, leaving %ebx with an invalid value.

IMPACT
======

A rogue user-space program could crash a guest kernel.  Privilege
escalation cannot be ruled out.

VULNERABLE SYSTEMS
==================

Only 64-bit x86 PV Linux systems are vulnerable.

All versions of Linux are vulnerable.

MITIGATION
==========

Switching to HVM or PVH guests will mitigate this issue.

CREDITS
=======

This issue was discovered by M. Vefa Bicakci, and recognized as a
security issue by Andy Lutomirski.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

NB this patch has not been accepted into Linux upstream yet.  An
updated advisory will be sent if the fix upstreamed looks
significantly different.

xsa274-linux-4.17.patch           Linux 4.17

$ sha256sum xsa274*
0c30cb13d1d573f446c8cb8d4824ffad8ef9149a7589a19ef9bcc83c07bddcf5  xsa274-linux-4.17.patch
$

NOTE ON THE LACK OF EMBARGO
===========================

The patch for this issue was published on linux-kernel without being
first reported to the XenProject Security Team.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJbdFA5AAoJEIP+FMlX6CvZWQQIAIxMK2w6CsH2aNQRDiDrgcBc
2FkBbroS5I1XHEhWVyO19aPhp1R3mYNU+pTUUFOevQuKvTP0nuZ0csgk5LUj9UP7
EE/3vM3jkAfmIIuXCAegOcznnEl6Wi9aMKGVXcxMkRu9qjKStGr4We5qvmdPncUj
DkTdD6VbmM/Q665b0jU4j2aZPDMsH63qrsbz1rsnPAlYUi1R+yKw56Q5UdRJK17j
Jc74v+elyqOkFq7QwH1usfnko+DQziLyLqEBQOztTSps2qYM+VwHLAZkhxNyuLsu
2x9/1D8XoZ+BHvVsVe50QmoNcJViMMunnHNhWYHmtXLYFErwUOt48N1vl+3xFpo=
=k4Ak
-----END PGP SIGNATURE-----


Xenproject.org Security Team