Bug 1370322 (CVE-2016-7093, xsa186)

Summary: CVE-2016-7093 xen: x86: Mishandling of instruction pointer truncation during emulation
Product: [Other] Security Response
Reporter: Jeremy Choi <jechoi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: anemec, security-response-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-09-08 18:40:19 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On: 1374471
Bug Blocks:
Attachments:
Description  Flags
xen-unstable: xsa186-0001-*.patch xsa186-0002-*.patch  none
xsa186-0002-hvm-fep-Allow-testing-of-instructions-crossing-the-1.patch  none
xsa186-4.6-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch  none
xsa186-4.7-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch  none

Description Jeremy Choi 2016-08-26 00:33:58 UTC
ISSUE DESCRIPTION
=================

When emulating HVM instructions, Xen uses a small i-cache for fetches
from guest memory. The code that handles cache misses does not check
if the address from which it fetched lies within the cache before
blindly writing to it. As such it is possible for the guest to
overwrite hypervisor memory.

It is currently believed that the only way to trigger this bug is to
use the way that Xen currently incorrectly wraps CS:IP in 16 bit
modes. The included patch prevents such wrapping.

IMPACT
======

A malicious HVM guest administrator can escalate their privilege to that
of the host.

VULNERABLE SYSTEMS
==================

Xen versions 4.7.0 and later are vulnerable.
Xen releases 4.6.3 and 4.5.3 are vulnerable.

Xen releases 4.6.0 to 4.6.2 inclusive are NOT vulnerable.
Xen releases 4.5.2 and earlier are NOT vulnerable.

The vulnerability is only exposed to HVM guests on x86 hardware.

The vulnerability is not exposed to x86 PV guests, or ARM guests.

MITIGATION
==========

Running only PV guests will avoid this vulnerability.

RESOLUTION
==========

Applying the first patch will resolve the issue.

Users wishing to independently verify the correctness of the fix may
find the second patch helpful. The second patch makes it easier to
use the "fep" (Force Emulation Prefix) feature to reproduce the
erroneous condition in a test environment. The "fep" feature requires
explicit enablement on the hypervisor command line, and is unsuitable
for production systems. Accordingly, applying the second patch does
not affect production systems and does not improve security.

  Xen version First patch Second patch
  xen-unstable: xsa186-0001-*.patch xsa186-0002-*.patch
  Xen 4.7.x: xsa186-0001-*.patch xsa186-4.7-0002-*.patch
  Xen 4.6.3: xsa186-0001-*.patch xsa186-4.6-0002-*.patch
  Xen 4.5.3: xsa186-0001-*.patch xsa186-4.6-0002-*.patch

  $ sha256sum xsa186*
  7fcd5b34b6fee627430536f14b025e93e079ed78f4749cef6d7e1e8ed12727a9 xsa186-0001-x86-emulate-Correct-boundary-interactions-of-emulate.patch
  3f67cb77fce0161f5e42077c5946d737d9be92ed1d89e61c4b15c510f51b2319 xsa186-0002-hvm-fep-Allow-testing-of-instructions-crossing-the-1.patch
  48271b1a50538f94cb4b14d90a8acbdb573eaa9762b049d230f81f92106d9403 xsa186-4.6-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch
  71ce90a5b164302f9d4c413cfedda7735bb9f0ffd600ce0f0db3d65f166955a5 xsa186-4.7-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch
  $
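
A constructed C model of the two boundary checks the advisory describes, added here as an illustration; it is not Xen's code, and the names (icache_range_ok, insn_crosses_16bit_limit, icache_fill, ICACHE_BYTES) are assumptions. It shows a miss path that verifies a fill lands inside the fetch cache, including the case where a 16-bit IP has wrapped to an address below the cached base, and a check that rejects a 16-bit instruction crossing 0xFFFF instead of wrapping it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of a small instruction-fetch cache; not Xen's code. */
#define ICACHE_BYTES 16

struct icache {
    uint32_t base;               /* linear address held in buf[0] */
    size_t   len;                /* valid bytes currently cached */
    uint8_t  buf[ICACHE_BYTES];
};

/* True when [addr, addr+size) lies entirely inside buf.  This is the check the
 * advisory says the miss path lacked; a wrapped 16-bit IP lands below base. */
static bool icache_range_ok(const struct icache *c, uint32_t addr, size_t size)
{
    if (size == 0 || size > ICACHE_BYTES || addr < c->base)
        return false;
    return (addr - c->base) <= ICACHE_BYTES - size;   /* no end overflow */
}

/* In 16-bit address size an instruction must not run past 0xFFFF; report a
 * boundary fault rather than wrapping, as the advisory says the fix does. */
static bool insn_crosses_16bit_limit(uint16_t ip, size_t insn_len)
{
    return insn_len > 0x10000u - ip;
}

/* Miss handling: copy size bytes at addr from guest (a constructed image of
 * guest memory) into the cache, re-basing instead of writing out of bounds. */
static int icache_fill(struct icache *c, uint32_t addr, size_t size,
                       const uint8_t *guest, size_t guest_len)
{
    if (size == 0 || size > ICACHE_BYTES || addr > guest_len ||
        size > guest_len - addr)
        return -1;                            /* request itself is invalid */
    if (!icache_range_ok(c, addr, size)) {    /* hardened path: no OOB store */
        c->base = addr;
        c->len = 0;
    }
    size_t off = addr - c->base;
    memcpy(c->buf + off, guest + addr, size);
    if (off + size > c->len)
        c->len = off + size;
    return 0;
}
```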

Comment 1 Jeremy Choi 2016-08-26 00:35:40 UTC
Created attachment 1194169 [details]
xen-unstable: xsa186-0001-*.patch xsa186-0002-*.patch

Comment 2 Jeremy Choi 2016-08-26 00:41:21 UTC
Created attachment 1194170 [details]
xsa186-0002-hvm-fep-Allow-testing-of-instructions-crossing-the-1.patch

Comment 3 Jeremy Choi 2016-08-26 00:42:05 UTC
Created attachment 1194171 [details]
xsa186-4.6-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch

Comment 4 Jeremy Choi 2016-08-26 00:42:26 UTC
Created attachment 1194172 [details]
xsa186-4.7-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch

Comment 5 Andrej Nemec 2016-08-26 10:48:54 UTC
Xen Security Advisory CVE-2016-7093 / XSA-186
version 2

UPDATES IN VERSION 2
====================

CVE assigned.

Comment 6 Martin Prpič 2016-09-08 18:39:41 UTC
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1374471]

Comment 7 Martin Prpič 2016-09-08 18:40:19 UTC
External References:

https://xenbits.xen.org/xsa/advisory-186.html

Comment 8 Martin Prpič 2016-09-08 19:02:12 UTC
Acknowledgements:

Name: the Xen project
Upstream: Brian Marcotte

Comment 9 Fedora Update System 2016-09-13 22:21:52 UTC
xen-4.6.3-5.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2016-09-14 15:55:45 UTC
xen-4.7.0-5.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.