Bug 1370332 (CVE-2016-7094, xsa187)

Summary: CVE-2016-7094 xen: x86 HVM: Overflow of sh_ctxt->seg_reg[]
Product: [Other] Security Response
Reporter: Jeremy Choi <jechoi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: security-response-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-08 02:57:54 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1374473
Bug Blocks:
Attachments:
  xsa187 patchset (Description; Flags: none)

Description Jeremy Choi 2016-08-26 01:34:34 UTC
ISSUE DESCRIPTION
=================

x86 HVM guests running with shadow paging use a subset of the x86 emulator to
handle the guest writing to its own pagetables. There are situations a guest
can provoke which result in exceeding the space allocated for internal state.


IMPACT
======

A malicious HVM guest administrator can cause Xen to fail a bug check,
causing a denial of service to the host.


VULNERABLE SYSTEMS
==================

All versions of Xen are vulnerable.

The vulnerability is only exposed to HVM guests on x86 hardware, which are
configured to run with shadow paging.

The vulnerability is not exposed to x86 PV guests, x86 HVM guests running with
hardware assisted paging, or ARM guests.


x86 HVM guests run in HAP mode by default on modern CPUs.

To discover whether your HVM guests are using HAP, or shadow page
tables: request debug key `q' (from the Xen console, or with
`xl debug-keys q'). This will print (to the console, and visible in
`xl dmesg'), debug information for every domain, containing something
like this:

(XEN) General information for domain 2:
(XEN) refcnt=1 dying=2 pause_count=2
(XEN) nr_pages=2 xenheap_pages=0 shared_pages=0 paged_pages=0 dirty_cpus={} max_pages=262400
(XEN) handle=ef58ef1a-784d-4e59-8079-42bdee87f219 vm_assist=00000000
(XEN) paging assistance: hap refcounts translate external
                         ^^^
The presence of `hap' here indicates that the host is not
vulnerable to this domain. For an HVM domain the presence of `shadow'
indicates that the domain can exploit the vulnerability.


MITIGATION
==========

Running only PV guests will avoid this vulnerability.

On hardware which supports Hardware Assisted Paging, configuring the
guests to not run with shadow paging will avoid this vulnerability.


RESOLUTION
==========

Applying the first patch will resolve this issue.

The second patch provides additional assurance that the vulnerability
is truly eliminated and that there are no related problems.

If hotpatching, applying only the first patch is recommended since the
second patch is awkward for hotpatching. If deploying new builds,
applying both patches is recommended.

Xen version    First patch               Second patch
xen-unstable:  xsa187-0001-*.patch       xsa187-0002-*.patch
Xen 4.7.x:     xsa187-4.7-0001-*.patch   xsa187-4.7-0002-*.patch
Xen 4.6.x:     xsa187-4.7-0001-*.patch   xsa187-4.6-0002-*.patch
Xen 4.5.x:     xsa187-4.7-0001-*.patch   xsa187-4.6-0002-*.patch
Xen 4.4.x:     xsa187-4.7-0001-*.patch   xsa187-4.4-0002-*.patch

$ sha256sum xsa187*
c0c506c1a7c8113a8148a6e32c85ba16b924cbc277a74fec0c0609740e236b51 xsa187-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg_reg.patch
be130a1ed3be2be9bff47ba2037716a0845c253d859bf7fef4e5099b44b24e03 xsa187-0002-x86-segment-Bounds-check-accesses-to-emulation-ctxt-.patch
424d5aafb5353ba526b3afa9337470bef60b3c4a207432da540d760b1060b7c0 xsa187-4.4-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch
66293fc729f881195d8cc54c90e909cd344f0f396227f84091dd324b266c28e1 xsa187-4.6-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch
f7c7a34de629e1a994701ab1a75f5d6b13b20d5c487855d4db19c8fc83cd46ac xsa187-4.7-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch
3c968ad9806af8bd94579afebe48cbad60b8fc94826d8c6c2b65bfde56d79e3c xsa187-4.7-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch
$
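The advisory's check (request debug key `q', then read the "paging assistance" line of each domain in `xl dmesg') is easy to do by eye for one domain but tedious for a busy host. The script below is an added example, not part of the advisory, of Xen, or of the attached patchset: it parses that output and reports, per domain, whether it runs with hap, shadow or neither. The `xl dmesg' text embedded in it is a constructed sample shaped like the excerpt above (the handle and domain ids are made up), and the function names classify_paging and shadow_domains are this example's own.

```shell
#!/bin/sh
# Added example, not part of the advisory or of Xen: classify each domain's
# paging mode from the `xl dmesg' output produced after `xl debug-keys q'.
# Function names (classify_paging, shadow_domains) are this example's own.

# Constructed sample of the debug-key output, shaped like the excerpt in the
# advisory. Domain 0 stands in for a PV domain (neither hap nor shadow).
SAMPLE_DMESG='(XEN) General information for domain 0:
(XEN)     refcnt=3 dying=0 pause_count=0
(XEN)     paging assistance: log_dirty
(XEN) General information for domain 2:
(XEN)     refcnt=1 dying=2 pause_count=2
(XEN)     handle=ef58ef1a-784d-4e59-8079-42bdee87f219 vm_assist=00000000
(XEN)     paging assistance: hap refcounts translate external
(XEN) General information for domain 5:
(XEN)     refcnt=1 dying=0 pause_count=0
(XEN)     paging assistance: shadow refcounts translate external'

# Read `xl dmesg' text on stdin and print "<domid> <mode>" per domain, where
# mode is "hap", "shadow" or "other" (no hap/shadow token, e.g. a PV domain).
classify_paging() {
    awk '
        /General information for domain/ {
            dom = $NF; sub(/:$/, "", dom)      # "2:" -> "2"
            next
        }
        /paging assistance:/ && dom != "" {
            mode = "other"
            for (i = 1; i <= NF; i++) {
                if ($i == "hap") mode = "hap"
                else if ($i == "shadow") mode = "shadow"
            }
            print dom, mode
            dom = ""                           # one verdict per domain
        }
    '
}

# Print only the domain ids still running shadow paging, i.e. the domains the
# advisory says remain exposed until the first patch is applied.
shadow_domains() {
    classify_paging | awk '$2 == "shadow" { print $1 }'
}

# Stand-alone run over the constructed sample. On a real host replace the
# printf with:  xl debug-keys q && xl dmesg | classify_paging
printf '%s\n' "$SAMPLE_DMESG" | classify_paging
```

Only the token "hap" or "shadow" in the "paging assistance" line is inspected, matching what the advisory tells you to look for; an empty result from shadow_domains means no domain on the host is in the vulnerable configuration, which is the state the MITIGATION section describes.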

Comment 1 Jeremy Choi 2016-08-26 01:36:39 UTC
Created attachment 1194181 [details]
xsa187 patchset

Comment 2 Andrej Nemec 2016-08-26 10:51:51 UTC
Xen Security Advisory CVE-2016-7094 / XSA-187
version 2

UPDATES IN VERSION 2
====================

CVE assigned.

Comment 3 Martin Prpič 2016-09-08 18:41:09 UTC
External References:

https://xenbits.xen.org/xsa/advisory-187.html

Comment 4 Martin Prpič 2016-09-08 18:41:47 UTC
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1374473]

Comment 5 Martin Prpič 2016-09-08 19:05:54 UTC
Acknowledgements:

Name: the Xen project
Upstream: Andrew Cooper (Citrix)

Comment 6 Fedora Update System 2016-09-13 22:21:56 UTC
xen-4.6.3-5.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2016-09-14 15:55:50 UTC
xen-4.7.0-5.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.