[v3.1] xen: Insufficient restrictions on certain MMU update hypercalls (CVE-2014-8594)
MMU update operations targeting page tables are intended to be used on PV guests only. The lack of a respective check made it possible for such operations to access certain function pointers which remain NULL when the target guest is using Hardware Assisted Paging (HAP).
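A simplified C model of the flaw described above, added here as an illustration; it is not Xen code and is not taken from the XSA-109 patch. All type and function names are hypothetical, and returning -EINVAL for a rejected target is an assumption.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical, simplified model: none of these names are Xen's. */
enum paging_kind { GUEST_PV, GUEST_HAP };

struct guest;
typedef int (*pt_write_fn)(struct guest *g, uint64_t *pte, uint64_t val);

struct guest {
    enum paging_kind kind;
    pt_write_fn pt_write;  /* installed for PV guests only; stays NULL under HAP */
    unsigned long writes;  /* number of page-table updates applied */
};

static int pv_pt_write(struct guest *g, uint64_t *pte, uint64_t val)
{
    *pte = val;
    g->writes++;
    return 0;
}

void guest_init(struct guest *g, enum paging_kind kind)
{
    g->kind = kind;
    g->pt_write = (kind == GUEST_PV) ? pv_pt_write : NULL;
    g->writes = 0;
}

/* Flawed shape: no restriction on the target guest's paging mode.
 * With a HAP target this is a call through a NULL function pointer. */
int pt_update_unchecked(struct guest *target, uint64_t *pte, uint64_t val)
{
    return target->pt_write(target, pte, val);
}

/* Hardened shape: refuse any target that is not PV before a handler
 * is reached, and never call through an unset pointer. */
int pt_update_checked(struct guest *target, uint64_t *pte, uint64_t val)
{
    if (target == NULL || pte == NULL)
        return -EINVAL;
    if (target->kind != GUEST_PV || target->pt_write == NULL)
        return -EINVAL;
    return target->pt_write(target, pte, val);
}
```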
RESOLUTION
Applying the appropriate attached patch resolves this issue.
http://seclists.org/oss-sec/2014/q4/att-666/xsa109.patch      xen-unstable, Xen 4.4.x, Xen 4.3.x
http://seclists.org/oss-sec/2014/q4/att-666/xsa109-4_2.patch  Xen 4.2.x
References:
http://seclists.org/oss-sec/2014/q4/666
(from redmine: issue id 3708, created on 2015-01-22, closed on 2017-05-17)
- Relations:
- parent #3704
- Changesets:
- Revision 6bd9fb3a by Natanael Copa on 2015-01-23T10:59:45Z:
main/xen: various sec fixes (xsa109 - xsa116)
ref #3704
fixes #3708
XSA-116 CVE-2015-0361 xen crash due to use after free on hvm guest
teardown
XSA-114 CVE-2014-9065 CVE-2014-9066
p2m lock starvation
XSA-113 CVE-2014-9030 Guest effectable page reference leak in
MMU_MACHPHYS_UPDATE handling
XSA-112 CVE-2014-8867 Insufficient bounding of "REP MOVS" to MMIO
emulated inside the hypervisor
XSA-111 CVE-2014-8866 Excessive checking in compatibility mode
hypercall argument translation
XSA-110 CVE-2014-8595 Missing privilege level checks in x86 emulation
of far branches
XSA-109 CVE-2014-8594 Insufficient restrictions on certain MMU
update hypercalls
(cherry picked from commit 621b3e6ae3cef5a89353cb0868372c2b94ffa454)