Bug 1392934 (CVE-2016-9384, xsa194)

Summary: CVE-2016-9384 xsa194 xen: guest 32-bit ELF symbol table load leaking host data (XSA-194)
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-03-07 10:20:07 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1397383    
Bug Blocks: 1392955    
Description Flags
xen-unstable, Xen 4.7.x none

Description Adam Mariš 2016-11-08 13:56:14 UTC

Along with their main kernel binary, unprivileged guests may arrange
to have their Xen environment load (kernel) symbol tables for their
use.  The ELF image metadata created for this purpose has a few unused
bytes when the symbol table binary is in 32-bit ELF format.  These
unused bytes were not properly cleared during symbol table loading.


A malicious unprivileged guest may be able to obtain sensitive
information from the host.

The information leak is small and not under the control of the guest,
so effectively exploiting this vulnerability is probably difficult.


Only Xen version 4.7 is affected.  Xen versions 4.6 and earlier are not

The vulnerability is not exposed to x86 HVM guests, unless the host
toolstack has configured to load the guest with a non-default loader,
rather than hvmloader.


There is no known mitigation.

External References:



Name: the Xen project
Upstream: Roger Pau Monné (Citrix)

Comment 1 Adam Mariš 2016-11-08 14:39:15 UTC
Created attachment 1218534 [details]
xen-unstable, Xen 4.7.x

Comment 2 Martin Prpič 2016-11-22 12:25:18 UTC
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1397383]