Bug 1399745 (CVE-2016-9932, xsa200)

Summary: CVE-2016-9932 xsa200 xen: x86 CMPXCHG8B emulation fails to ignore operand size override (XSA-200)
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 03:02:49 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1404262    
Bug Blocks:    

Description Adam Mariš 2016-11-29 16:01:51 UTC 
ISSUE DESCRIPTION
=================

The x86 instruction CMPXCHG8B is supposed to ignore legacy operand
size overrides; it only honors the REX.W override (making it
CMPXCHG16B).  So, the operand size is always 8 or 16.

When support for CMPXCHG16B emulation was added to the instruction
emulator, this restriction on the set of possible operand sizes was
relied on in some parts of the emulation; but a wrong, fully general,
operand size value was used for other parts of the emulation.

As a result, if a guest uses a supposedly-ignored operand size prefix,
a small amount of hypervisor stack data is leaked to the guests: a 96
bit leak to guests running in 64-bit mode; or, a 32 bit leak to other
guests.

IMPACT
======

A malicious unprivileged guest may be able to obtain sensitive
information from the host.

VULNERABLE SYSTEMS
==================

Xen versions 3.3 through 4.7 are affected. Xen master and Xen 4.8 as
well as Xen versions 3.2 and earlier are not affected.

Only x86 systems are affected. ARM systems are not affected.

On Xen 4.6 and earlier the vulnerability is exposed to all HVM guest
user processes, including unprivileged processes.

On Xen 4.7, the vulnerability is exposed only to HVM guest user
processes granted a degree of privilege (such as direct hardware
access) by the guest administrator; or, to all user processes when the
VM has been explicitly configured with a non-default cpu vendor string
(in xm/xl, this would be done with a `cpuid=' domain config option).

MITIGATION
==========

There is no known mitigation.

External References:

http://xenbits.xen.org/xsa/advisory-200.html

Acknowledgements:

Name: the Xen project
Comment 1 Adam Mariš 2016-12-13 13:41:13 UTC 
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1404262]