-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2013-4368 / XSA-67 version 2 Information leak through outs instruction emulation UPDATES IN VERSION 2 ==================== Public release. ISSUE DESCRIPTION ================= The emulation of the outs instruction for 64-bit PV guests uses an uninitialized variable as the segment base for the source data if an FS: or GS: segment override is used, and if the segment descriptor the respective non-null selector in the corresponding selector register points to cannot be read by the emulation code (this is possible if the segment register was loaded before a more recent GDT or LDT update, i.e. the segment register contains stale data). A malicious guest might be able to get hold of contents of the hypervisor stack, through the fault address passed to the page fault handler if the outs raises such a fault (which is mostly under guest control). Other methods for indirectly deducing information also exist. IMPACT ====== A malicious 64-bit PV guest might conceivably gain access to sensitive data relating to other guests. VULNERABLE SYSTEMS ================== Xen 3.1.x and later are vulnerable. Only 64-bit PV guests can take advantage of this vulnerability. MITIGATION ========== Running only HVM or 32-bit PV guests will avoid this issue. CREDITS ======= This issue was discovered by Coverity Scan and Matthew Daley. RESOLUTION ========== Applying the attached patch resolves this issue. xsa67.patch Xen 4.2.x, Xen 4.3.x, xen-unstable $ sha256sum xsa67*.patch 7de3ac9baa6cd9fead46e68912dfa0189e900095317645d0e33d85346fc8a028 xsa67.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJSVpv2AAoJEIP+FMlX6CvZBl4H/RAC7wtn0iA5AGj8197NJC0q kZDOT0h9QAgecWtYLaZ249MIWeFRGDLjw5IQKxQG+0c/BJyTZzyvLqbfAA/rjjX2 FVSi9+6qtr23WTIgoMKDuSvO/MaC55Y2hkZ/9+j8c+jUD9OyOdbGpjYMF+n3ARB7 GYJkDomxTD/5N8D25wCciaR3fKepM4eaBayXrjIVP2S/k6aQ8QQCjSLP+ito8EG8 RD+MaRlYyBYrO3Q9hZdNju6AREKphpS0WEHqlChmql8Ij8+88ZFYXVHHmhw70G6D 1d6OSm1kFikmroWby9AD97qDwX+estTA4kwKnXYxmcrgyWvkE7O9/uVQJbGGNwg= =thOF -----END PGP SIGNATURE-----