[v3.1] xen: Missing privilege level checks in x86 emulation of far branches (CVE-2014-8595)
The emulation of far branch instructions (CALL, JMP, and RETF in Intel assembly syntax, LCALL, LJMP, and LRET in AT&T assembly syntax) incompletely performs privilege checks.
However, these instructions are not usually handled by the emulator. Exceptions to this are
- when a memory operand lives in (emulated or passed through) memory mapped IO space,
- in the case of guests running in 32-bit PAE mode, when such an instruction is (in execution flow) within four instructions of one doing a page table update,
- when an Invalid Opcode exception gets raised by a guest instruction, and the guest then (likely maliciously) alters the instruction to become one of the affected ones,
- when the guest is in real mode (in which case there are no privilege checks anyway).
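The advisory does not spell out which checks were missing, so as an added illustration (this is neither Xen's emulator code nor the attached patch) the C below implements the privilege checks the Intel SDM specifies for a far JMP/CALL to a code segment and for a far RET, working on raw 8-byte descriptors. The descriptors, selectors and helper names (`make_code_desc`, `check_far_jmp_call`, `check_far_ret`) are constructed for this example; call gates and the stack-segment checks on an outer-level return are left out. The key case is the one this advisory is about: code at CPL 3 issuing a far branch whose target is a DPL 0 non-conforming code segment, which an emulator must refuse with #GP rather than complete.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Outcome of the privilege check: the exception an emulator must inject,
 * or X86_OK when the control transfer is architecturally permitted. */
enum check_result { X86_OK = 0, X86_NP = 11, X86_GP = 13 };

/* Bit positions inside a raw 8-byte x86 segment descriptor (Intel SDM vol. 3, 3.4.5). */
#define DESC_CONFORMING  (1ull << 42)   /* type bit 2: conforming code segment */
#define DESC_TYPE_CODE   (1ull << 43)   /* type bit 3: code (1) vs data (0) */
#define DESC_S           (1ull << 44)   /* S=1: code/data, S=0: system descriptor */
#define DESC_DPL_SHIFT   45             /* bits 45..46: descriptor privilege level */
#define DESC_P           (1ull << 47)   /* present */

static inline unsigned desc_dpl(uint64_t d)      { return (d >> DESC_DPL_SHIFT) & 3; }
static inline bool desc_is_code(uint64_t d)      { return (d & DESC_S) && (d & DESC_TYPE_CODE); }
static inline bool desc_conforming(uint64_t d)   { return (d & DESC_CONFORMING) != 0; }
static inline bool desc_present(uint64_t d)      { return (d & DESC_P) != 0; }
static inline unsigned sel_rpl(uint16_t sel)     { return sel & 3; }
static inline bool sel_is_null(uint16_t sel)     { return (sel & ~3u) == 0; }

/* Build a code segment descriptor with the given DPL (constructed test data;
 * base and limit are left zero because they play no role in these checks). */
uint64_t make_code_desc(unsigned dpl, bool conforming, bool present)
{
    uint64_t d = DESC_S | DESC_TYPE_CODE | ((uint64_t)(dpl & 3) << DESC_DPL_SHIFT);
    if (conforming) d |= DESC_CONFORMING;
    if (present)    d |= DESC_P;
    return d;
}

/* Far JMP/CALL (LJMP/LCALL) to a code segment. CPL never changes on this path:
 * a non-conforming target must sit at exactly CPL, a conforming one at DPL <= CPL. */
enum check_result check_far_jmp_call(unsigned cpl, uint16_t sel, uint64_t desc)
{
    if (sel_is_null(sel))                 /* #GP(0) */
        return X86_GP;
    if (!desc_is_code(desc))              /* #GP(selector): not a code segment */
        return X86_GP;
    if (desc_conforming(desc)) {
        if (desc_dpl(desc) > cpl)         /* more privileged caller cannot enter it */
            return X86_GP;
    } else {
        if (sel_rpl(sel) > cpl || desc_dpl(desc) != cpl)
            return X86_GP;                /* the check that stops CPL 3 -> DPL 0 */
    }
    if (!desc_present(desc))              /* #NP(selector) */
        return X86_NP;
    return X86_OK;
}

/* Far RET (LRET): the new CS selector is popped from the stack. A return may
 * stay at the current level or go to a *less* privileged one, never inward. */
enum check_result check_far_ret(unsigned cpl, uint16_t sel, uint64_t desc)
{
    unsigned rpl = sel_rpl(sel);
    if (sel_is_null(sel))
        return X86_GP;
    if (rpl < cpl)                        /* return to a more privileged level */
        return X86_GP;
    if (!desc_is_code(desc))
        return X86_GP;
    if (desc_conforming(desc)) {
        if (desc_dpl(desc) > rpl) return X86_GP;
    } else {
        if (desc_dpl(desc) != rpl) return X86_GP;
    }
    if (!desc_present(desc))
        return X86_NP;
    return X86_OK;                        /* for rpl > cpl, SS must also be validated (omitted) */
}

int main(void)
{
    uint64_t kernel_cs = make_code_desc(0, false, true);   /* constructed: DPL 0, non-conforming */
    uint64_t user_cs   = make_code_desc(3, false, true);   /* constructed: DPL 3, non-conforming */
    printf("CPL3 LJMP -> DPL0 segment: %d (13 = #GP)\n", check_far_jmp_call(3, 0x0008, kernel_cs));
    printf("CPL3 LJMP -> DPL3 segment: %d (0 = ok)\n",   check_far_jmp_call(3, 0x001b, user_cs));
    printf("CPL3 LRET -> RPL0 selector: %d (13 = #GP)\n", check_far_ret(3, 0x0008, kernel_cs));
    printf("CPL0 LRET -> RPL3 selector: %d (0 = ok)\n",   check_far_ret(0, 0x001b, user_cs));
    return 0;
}
```

An emulator that skips the DPL/RPL comparisons in `check_far_jmp_call` or the `rpl < cpl` test in `check_far_ret` would load a DPL 0 code segment on behalf of CPL 3 code, which is the guest-user-to-guest-supervisor escalation described under IMPACT; the real-mode exception in the list above is consistent with this, since real mode has no descriptors to check.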
== IMPACT ==
Malicious HVM guest user mode code may be able to elevate its privileges to guest supervisor mode, or to crash the guest.
== VULNERABLE SYSTEMS ==
Xen 3.2.1 and onward are vulnerable on x86 systems. ARM systems are not vulnerable.
Only user processes in x86 HVM guests can take advantage of this vulnerability.
== MITIGATION ==
Running only PV guests will avoid this issue. There is no mitigation available for HVM guests.
== RESOLUTION ==
Applying the appropriate attached patch resolves this issue.
http://seclists.org/oss-sec/2014/q4/att-665/xsa110.patch
    xen-unstable, Xen 4.4.x
http://seclists.org/oss-sec/2014/q4/att-665/xsa110-4_3-and-4_2.patch
    Xen 4.3.x, Xen 4.2.x
(from redmine: issue id 3718, created on 2015-01-23, closed on 2017-05-17)
- Relations:
- parent #3714