|
Message-Id: <E1fG5yJ-0000ao-2G@xenbits.xenproject.org> Date: Tue, 08 May 2018 17:00:15 +0000 From: Xen.org security team <security@....org> To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org, xen-users@...ts.xen.org, oss-security@...ts.openwall.com CC: Xen.org security team <security-team-members@....org> Subject: Xen Security Advisory 260 (CVE-2018-8897) - x86: mishandling of debug exceptions -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory CVE-2018-8897 / XSA-260 version 2 x86: mishandling of debug exceptions UPDATES IN VERSION 2 ==================== Public release. Updated .meta file ISSUE DESCRIPTION ================= When switching stacks, it is critical to have a matching stack segment and stack pointer. To allow an atomic update from what would otherwise be two adjacent instructions, an update which changes the stack segment (either a mov or pop instruction with %ss encoded as the destination register) sets the movss shadow for one instruction. The exact behaviour of the movss shadow is poorly understood. In practice, a movss shadow delays some debug exceptions (e.g. from a hardware breakpoint) until the subsequent instruction has completed. If the subsequent instruction normally transitions to supervisor mode (e.g. a system call), then the debug exception will be taken after the transition to ring0 is completed. For most transitions to supervisor mode, this only confuses Xen into printing a lot of debugging information. For the syscall instruction however, the exception gets taken before the syscall handler can move off the guest stack. IMPACT ====== A malicious PV guest can escalate their privilege to that of the hypervisor. VULNERABLE SYSTEMS ================== All versions of Xen are vulnerable. Only x86 systems are vulnerable. ARM systems are not vulnerable. Only x86 PV guests can exploit the vulnerability. x86 HVM and PVH guests cannot exploit the vulnerability. An attacker needs to be able to control hardware debugging facilities to exploit the vulnerability, but such permissions are typically available to unprivileged users. MITIGATION ========== Running only HVM or PVH guests avoids the vulnerability. Note however that a compromised device model (running in dom0 or a stub domain) can carry out this attack, so users with HVM domains are also advised to patch their systems. CREDITS ======= This issue was discovered by Andy Lutomirski, and Nick Peterson of Everdox Tech LLC. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. xsa260-unstable/*.patch xen-unstable xsa260-4.10/*.patch Xen 4.10.x xsa260-4.9/*.patch Xen 4.9.x xsa260-4.8/*.patch Xen 4.8.x xsa260-4.7/*.patch Xen 4.7.x xsa260-4.6/*.patch Xen 4.6.x $ sha256sum xsa260* xsa260*/* f436009ea6d6a30cf9c316e909dcd260c223264884d2e4fc5b74bdaf2e515815 xsa260.meta 0f7e3cfecc59986fc950694bba7bb31ee9680b2390920335d6853fdf83ded9ef xsa260-unstable/xsa260-1.patch 4df5b9d05a8f02754b1e819b8cad35b3da9ba7fcdaee0fc762d572481ef69f93 xsa260-unstable/xsa260-2.patch 5c3f9cbc777ed7a93a97a4665e0188e1b1a05dd057da830203e018c73e9e5ce7 xsa260-unstable/xsa260-3.patch 4b280ec02418f30f0576e84f23ae565acee4fcc2d398b3828c1e12d9346583af xsa260-unstable/xsa260-4.patch 2c5ce2851351a40df9ed17fae3c6f7505dcda60209945321b545b6b6e4f065cb xsa260-4.6/xsa260-1.patch bfa2eb161f570b0295464ef41fc5add52e10853a1ec81de107f1a9deb945982f xsa260-4.6/xsa260-2.patch 2f30c4fbebeb77da50caff62a0f28d3afe8993bee19233543170f1955cebdcbc xsa260-4.6/xsa260-3.patch 363af89377d5819ad1450c8806824707d3e15700c179129aed62128e62ab1a0e xsa260-4.6/xsa260-4.patch 0c2552a36737975f4f46d7054b49fd018b68c302cef3b39b27c2f17cc60eb531 xsa260-4.7/xsa260-1.patch a92ef233a83923d6a18d51528ff28630ae3f1134ee76f2347397e22da9c84c24 xsa260-4.7/xsa260-2.patch 8469af8ba5b6722738b27c328eccc1d341af49c2e2bb23fe7b327a3349267b0e xsa260-4.7/xsa260-3.patch 0327c2ef7984a4aa000849c68a01181fdb01962637e78629c6fb34bb95414a74 xsa260-4.7/xsa260-4.patch a9be346f111bca3faf98045c089638ba960f291eb9ace03e8922d7b4f8a9b37e xsa260-4.8/xsa260-1.patch 740c0ee49936430fdf66ae8b75f9f51fe728c71a7c7a56667f845aea7669d344 xsa260-4.8/xsa260-2.patch 94dbb7ad7d409f9170950162904247c7cf0e360cec2a0a1f1a6653ce9ca43283 xsa260-4.8/xsa260-3.patch db440d76685cf1e8c332aea2aa13e6be43b1b7f68d9225dfe99bb2ee12e18b9e xsa260-4.8/xsa260-4.patch 11b55f664a4043ed3a79d3e1a07877c68c8c19df6112feffdac1e55547f0002e xsa260-4.9/xsa260-1.patch 38a762f8cf8db763d70f1ef35a4c2cac23282b694527a97b2eaf100a14f767eb xsa260-4.9/xsa260-2.patch 18d9ffd273bdbd070e1b613e7f18ed21cdb874dba5f7964e14bb4a3dbc8844ec xsa260-4.9/xsa260-3.patch c3d689d581c2ce6beaaa9d955f159a3b5da8007a24a08969b0953e89491f15a5 xsa260-4.9/xsa260-4.patch ffac7ab75bf65f8286b37d21cb4a4401d898670a4e52af88d8202ce4fe66edef xsa260-4.10/xsa260-1.patch fe85832a9b5b1076b3a9bdbd28a2f3be57cd019d66a725ce64698b1bd74145a8 xsa260-4.10/xsa260-2.patch 1955aed73828e23da871ef10e5ec49670ce59bdd06af2772e978f8e817e0319f xsa260-4.10/xsa260-3.patch 8f504f8fcf100f8a00bece9c4df8b8933dceeaf29b50492317f9cbf74aaf4aa4 xsa260-4.10/xsa260-4.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBCAAGBQJa8dQdAAoJEIP+FMlX6CvZwp4H/AxlMq1xyIAiDNGEESGlJpQh Y0dD9I1dLraUr2tTpaDZM4qUjV2cQ5MRaFeiAxDVCNraNPTLeC5TRStkIMHWc3jK C8/XzRq0lDdebQA04Usj7648HbtAoxkAV1SOOxsqPSBRHb1jPpa2/jvuA3BzCl+o gZo0urWinKlIJ032KWOd/9j96M0YgqqdJ+h2bfSg5uBSdXcQ6at5nYc1T4s3fi2R AQvs8aQ/yylKVsCit+AypcyOMRELNA2jHWEelZ7L18zMGHwTa9qt1NZAL+VM2pMW SKNphOdrCJxVZdGMJlc6ujzxUBgUC7qdfsqprBrKi/4eT+K5I9CvfV21er+7+BA= =0+sm -----END PGP SIGNATURE----- Download attachment "xsa260.meta" of type "application/octet-stream" (2374 bytes) Download attachment "xsa260-unstable/xsa260-1.patch" of type "application/octet-stream" (3019 bytes) Download attachment "xsa260-unstable/xsa260-2.patch" of type "application/octet-stream" (3831 bytes) Download attachment "xsa260-unstable/xsa260-3.patch" of type "application/octet-stream" (4189 bytes) Download attachment "xsa260-unstable/xsa260-4.patch" of type "application/octet-stream" (2891 bytes) Download attachment "xsa260-4.6/xsa260-1.patch" of type "application/octet-stream" (2785 bytes) Download attachment "xsa260-4.6/xsa260-2.patch" of type "application/octet-stream" (3600 bytes) Download attachment "xsa260-4.6/xsa260-3.patch" of type "application/octet-stream" (4917 bytes) Download attachment "xsa260-4.6/xsa260-4.patch" of type "application/octet-stream" (2803 bytes) Download attachment "xsa260-4.7/xsa260-1.patch" of type "application/octet-stream" (2785 bytes) Download attachment "xsa260-4.7/xsa260-2.patch" of type "application/octet-stream" (3662 bytes) Download attachment "xsa260-4.7/xsa260-3.patch" of type "application/octet-stream" (4973 bytes) Download attachment "xsa260-4.7/xsa260-4.patch" of type "application/octet-stream" (2803 bytes) Download attachment "xsa260-4.8/xsa260-1.patch" of type "application/octet-stream" (2805 bytes) Download attachment "xsa260-4.8/xsa260-2.patch" of type "application/octet-stream" (3614 bytes) Download attachment "xsa260-4.8/xsa260-3.patch" of type "application/octet-stream" (5017 bytes) Download attachment "xsa260-4.8/xsa260-4.patch" of type "application/octet-stream" (2809 bytes) Download attachment "xsa260-4.9/xsa260-1.patch" of type "application/octet-stream" (2805 bytes) Download attachment "xsa260-4.9/xsa260-2.patch" of type "application/octet-stream" (3614 bytes) Download attachment "xsa260-4.9/xsa260-3.patch" of type "application/octet-stream" (5025 bytes) Download attachment "xsa260-4.9/xsa260-4.patch" of type "application/octet-stream" (2804 bytes) Download attachment "xsa260-4.10/xsa260-1.patch" of type "application/octet-stream" (2969 bytes) Download attachment "xsa260-4.10/xsa260-2.patch" of type "application/octet-stream" (3614 bytes) Download attachment "xsa260-4.10/xsa260-3.patch" of type "application/octet-stream" (5025 bytes) Download attachment "xsa260-4.10/xsa260-4.patch" of type "application/octet-stream" (2804 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.