Bug 1164255 (CVE-2014-8867, xsa112)

Summary: CVE-2014-8867 xen: Insufficient bounding of "REP MOVS" to MMIO emulated inside the hypervisor (xsa112)
Product: [Other] Security Response Reporter: Petr Matousek <pmatouse>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: dhoward, drjones, mrezanin, nmurray, pbonzini, rvrbovsk, security-response-team, vkuznets
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
An insufficient bound checking flaw was found in the Xen hypervisor's implementation of acceleration support for the "REP MOVS" instructions. A privileged HVM guest user could potentially use this flaw to crash the host.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-20 10:48:06 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1164256    
Bug Blocks: 1164260    
Attachments:
Description Flags
upstream patch none

Description Petr Matousek 2014-11-14 13:27:25 UTC 
Acceleration support for the "REP MOVS" instruction, when the first
iteration accesses memory mapped I/O emulated internally in the
hypervisor, incorrectly assumes that the whole range accessed is
handled by the same hypervisor sub-component.

A buggy or malicious HVM guest can crash the host.

Acknowledgements:

Red Hat would like to thank the Xen project for reporting this issue.
Comment 2 Petr Matousek 2014-11-14 13:28:23 UTC 
Statement:

This issue does affect the versions of the kernel-xen package as shipped with
Red Hat Enterprise Linux 5. Future kernel-xen updates for Red Hat Enterprise
Linux 5 may address this issue.
Comment 6 Vincent Danen 2014-11-20 23:44:59 UTC 
Created attachment 959509 [details]
upstream patch
Comment 7 Martin Prpič 2015-04-07 08:55:53 UTC 
External References:

http://xenbits.xen.org/xsa/advisory-112.html
Comment 8 errata-xmlrpc 2015-04-07 15:12:06 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2015:0783 https://rhn.redhat.com/errata/RHSA-2015-0783.html