Bug 1315711 (CVE-2016-3157, xsa171)

Summary: CVE-2016-3157 kernel: xen: Privilege escalation on 64-bit Xen PV domains with IO port access privileges (XSA-171)

Product: [Other] Security Response
Component: vulnerability
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
Reporter: Adam Mariš <amaris>
Assignee: Red Hat Product Security <security-response-team>
CC: airlied, aquini, bhu, blc, bskeggs, dhoward, ewk, fhrbata, hdegoede, hkrzesin, hwkernel-mgr, iboverma, ichavero, itamar, jarodwilson, jforbes, jkacur, joelsmith, john.j5live, jonathan, josef, jross, jwboyer, kernel-maint, kernel-mgr, kstutsma, lgoncalv, linville, mchehab, mcressma, mjg59, mlangsdo, nmurray, rt-maint, rvrbovsk, security-response-team, skozina, steved, williams
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Keywords: Security
Doc Type: Bug Fix
Doc Text: A flaw in the Linux kernel was found in the way IOPL was handled during context switches in 64-bit Xen PV guests. A local guest user could potentially use this flaw to escalate their privileges in the guest.
Last Closed: 2021-10-27 10:51:29 UTC
Bug Depends On: 1321948, 1572284
Bug Blocks: 1315714
Description

Adam Mariš, 2016-03-08 12:51:22 UTC

Acknowledgments: Name: Andy Lutomirski

Created attachment 1134161 [details]
Patch 1: selftests/x86: Add a iopl test

Created attachment 1134162 [details]
Patch 2: x86/iopl/64: Properly context-switch IOPL on Xen PV

Created attachment 1134163 [details]
Patch 3: x86/iopl: Fix iopl capability check on Xen PV

Note that patches are not yet reviewed.

ISSUE DESCRIPTION
=================

IRET and POPF do not modify EFLAGS.IOPL when executed by code at a privilege level other than zero. Since PV Xen guests run at privilege level 3 (for 64-bit ones; 32-bit ones run at privilege level 1), to compensate for this the context switching of EFLAGS.IOPL requires the guest to make use of a dedicated hypercall (PHYSDEVOP_set_iopl). The invocation of this hypercall, while present in the 32-bit context switch path, is missing from its 64-bit counterpart.

IMPACT
======

User mode processes not supposed to be able to access I/O ports may be granted such permission, potentially resulting in one or more of in-guest privilege escalation, guest crashes (Denial of Service), or in-guest information leaks.

VULNERABLE SYSTEMS
==================

All upstream x86-64 Linux versions supporting operation as PV Xen guest are vulnerable. ARM, x86 HVM, as well as 32-bit Linux guests are not vulnerable. x86-64 Linux versions derived from linux-2.6.18-xen.hg (XenoLinux) are not vulnerable.

MITIGATION
==========

Running only HVM or 32-bit PV guests will avoid this issue.

Created attachment 1136129 [details]
xsa171.patch (Linux 4.5-rc7, Linux 4.4.x)
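The context-switch hazard described in the advisory can be exercised from user space without any Xen-specific tooling: raise IOPL in one task, run another task with a different IOPL, and see whether the first task's permission survives the switch back. The C program below is an added example written for this page; it is not the kernel selftest attached as Patch 1 and not code from the Xen advisory. It assumes an x86 Linux host, that reading port 0x80 (the POST diagnostic port) is harmless, and that the process holds CAP_SYS_RAWIO for the iopl(3) step (without it the scenario is reported as skipped). A port instruction that is denied raises #GP, which the kernel delivers as SIGSEGV, so the probe catches that signal with sigsetjmp/siglongjmp.

```c
/* iopl_probe.c: does EFLAGS.IOPL gate port I/O in this process, and is it
 * restored correctly after a context switch to a task with a different IOPL?
 * Added example for CVE-2016-3157 / XSA-171; not the kernel's own selftest.
 * Assumptions: x86 Linux, reading port 0x80 is harmless, CAP_SYS_RAWIO for
 * the iopl(3) step (otherwise the scenario is skipped, not failed). */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

static sigjmp_buf fault_env;

static void on_sigsegv(int sig)
{
    (void)sig;
    siglongjmp(fault_env, 1);        /* #GP on IN was delivered as SIGSEGV */
}

/* Returns 1 if an IN instruction executes at the current IOPL, 0 if it
 * faults. Non-x86 builds have no port I/O at all and report 0. */
int io_port_accessible(void)
{
#if defined(__x86_64__) || defined(__i386__)
    struct sigaction sa, old;
    int ok = 0;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_sigsegv;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);
    if (sigsetjmp(fault_env, 1) == 0) {
        unsigned char v;
        /* port 0x80 is the POST code port: a read has no side effect */
        __asm__ __volatile__("inb %1, %0" : "=a"(v) : "Nd"((unsigned short)0x80));
        (void)v;
        ok = 1;
    }
    sigaction(SIGSEGV, &old, NULL);
    return ok;
#else
    return 0;
#endif
}

/* iopl(2): raising the level needs CAP_SYS_RAWIO, lowering it never does. */
static int set_iopl(int level)
{
#ifdef SYS_iopl
    return (int)syscall(SYS_iopl, level);
#else
    (void)level;
    errno = ENOSYS;
    return -1;
#endif
}

/* Scenario: the parent raises IOPL to 3 and forks a child that drops to 0.
 * The child must be denied; after the child exits the parent must still be
 * allowed (its IOPL must have been restored on the switch back); the parent
 * then drops to 0 and must be denied again. On a guest affected by XSA-171
 * the IOPL last requested via iopl() is never switched out, so the parent
 * finds itself at IOPL 0 after the child ran and step -5 fails.
 * Return: 0 = consistent, 1 = skipped (no CAP_SYS_RAWIO or no iopl syscall),
 * negative = the step that misbehaved. */
int check_iopl_context_switch(void)
{
    if (io_port_accessible()) return -1;            /* fresh task: IOPL 0 */
    if (set_iopl(3) != 0) return 1;                 /* EPERM: skip */
    if (!io_port_accessible()) { set_iopl(0); return -2; }

    pid_t pid = fork();
    if (pid < 0) { set_iopl(0); return -3; }
    if (pid == 0) {
        if (set_iopl(0) != 0) _exit(10);            /* lowering needs no cap */
        _exit(io_port_accessible() ? 11 : 0);       /* must be denied now */
    }
    int st = 0;
    waitpid(pid, &st, 0);
    if (!WIFEXITED(st) || WEXITSTATUS(st) != 0) { set_iopl(0); return -4; }

    /* the child ran at IOPL 0; the parent must be back at IOPL 3 */
    if (!io_port_accessible()) { set_iopl(0); return -5; }
    if (set_iopl(0) != 0) return -6;
    if (io_port_accessible()) return -7;
    return 0;
}

int main(void)
{
    int r = check_iopl_context_switch();
    if (r == 1)
        puts("skipped: iopl(3) needs CAP_SYS_RAWIO");
    else
        printf("%s (step %d)\n", r == 0 ? "IOPL handled correctly" : "FAIL", r);
    return r < 0;
}
```

Run it as root inside the guest under test; a result of `FAIL (step -5)` is the signature of IOPL not being switched with the task, and `FAIL (step -1)` means a previous task left the guest at IOPL 3, which is exactly the condition an unprivileged process can abuse. A skip only means the probe lacked CAP_SYS_RAWIO, not that the host is safe.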
Created xen tracking bugs for this issue:
Affects: fedora-all [bug 1321948]

Public via: http://xenbits.xen.org/xsa/advisory-171.html

kernel-4.5.0-302.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

kernel-4.4.6-301.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

kernel-4.4.6-201.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.