Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1iQ9Zi-0002qc-7S@xenbits.xenproject.org>
Date: Thu, 31 Oct 2019 12:29:14 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org,
 xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security-team-members@....org>
Subject: Xen Security Advisory 298 v3 (CVE-2019-18425) - missing
 descriptor table limit checking in x86 PV emulation

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2019-18425 / XSA-298
                               version 3

      missing descriptor table limit checking in x86 PV emulation

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

When emulating certain PV guest operations, descriptor table accesses
are performed by the emulating code.  Such accesses should respect the
guest specified limits, unless otherwise guaranteed to fail in such a
case.  Without this, emulation of 32-bit guest user mode calls through
call gates would allow guest user mode to install and then use
descriptors of their choice, as long as the guest kernel did not
itself install an LDT.  (Most OSes don't install any LDT by default).

IMPACT
======

32-bit PV guest user mode can elevate its privileges to that of the
guest kernel.

VULNERABLE SYSTEMS
==================

Xen versions from at least 3.2 onwards are affected.

Only 32-bit PV guest user mode can leverage this vulnerability.

HVM, PVH, as well as 64-bit PV guests cannot leverage this
vulnerability.

Arm systems are unaffected.

MITIGATION
==========

Running only HVM, PVH, or 64-bit PV guests will avoid this
vulnerability.

CREDITS
=======

This issue was discovered by Andrew Cooper of Citrix.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa298.patch           xen-unstable, Xen 4.12.x
xsa298-4.11.patch      Xen 4.11.x
xsa298-4.10.patch      Xen 4.10.x
xsa298-4.9.patch       Xen 4.9.x, Xen 4.8.x, Xen 4.7.x

$ sha256sum xsa298*
82c6f626732f99711212155b280270fe2f6683460299b1a6fc3f70b3932970ce  xsa298.meta
3f422ad83abb54fe6afed460a5982cf1faa1717e51ab19fbf2375be1b5f8f4a3  xsa298.patch
da8d5bad97a46c072dd1715c96401b145cecda14f0303043e6dca313e7ffff0c  xsa298-4.9.patch
92dba14b6a208379c2569b9c1c11438da384ec47db2508b4761af30d74a9403d  xsa298-4.10.patch
d2d8eb5de5601b88f2a6503ecf6bb83207e4b2f17833d61a74fcd185ac7f5a71  xsa298-4.11.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAl2601AMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZk/AH/iLP9TpdOKNoW8fJDuOjlIQHsI0RPtU6KIdSc1a8
nzrcPfwpdP3/89GJQyEHwi5ZZdXAnNcXSK7BC+EEzqznV/VwHRDusCBH0enjUe0z
jDpOsxeI5RsuyJnSFojhI2E+y1khjKtVvnbNWbHzBfWMPD9Inc+nw9Q1KWfpSkk6
TTS8OwR9DwNiVXz9Na+BKuIBOVinFd1wA+HBNZKJl3JCz8N0Oa6RHDKFQQKJ4Uy2
KzBdzm5dWr0xP4stQmnYoU7JobGbcvKyMVMwwryS3cffLyhOLuzCWjDO+n7RkoRy
xWmGWVeQWAeIzqvvtb104NrHSVwVeFSOsen0cqFLvV82MRw=
=tmUK
-----END PGP SIGNATURE-----

Download attachment "xsa298.meta" of type "application/octet-stream" (1718 bytes)

Download attachment "xsa298.patch" of type "application/octet-stream" (3501 bytes)

Download attachment "xsa298-4.9.patch" of type "application/octet-stream" (3322 bytes)

Download attachment "xsa298-4.10.patch" of type "application/octet-stream" (3516 bytes)

Download attachment "xsa298-4.11.patch" of type "application/octet-stream" (3468 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.