Bug 1402759 (CVE-2016-10025, xsa203)

Summary: CVE-2016-10025 xsa203 xen: x86: missing NULL pointer check in VMFUNC emulation (XSA-203)
Product: [Other] Security Response
Component: vulnerability
Reporter: Adam Mariš <amaris>
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: security-response-team
Keywords: Security
Hardware: All
OS: Linux
Last Closed: 2019-06-08 03:03:51 UTC
Bug Depends On: 1406840

Description Adam Mariš 2016-12-08 09:53:33 UTC
ISSUE DESCRIPTION
=================

When support for the Intel VMX VMFUNC leaf 0 was added, a new optional
function pointer hvmemul_vmfunc was added to the hvm_emulate_ops
table.  As is intended, that new function pointer is NULL on non-VMX
hardware, including AMD SVM hardware.  However at a call site, the
necessary NULL check was omitted before the indirect function call.

IMPACT
======

Malicious guests may cause a hypervisor crash, resulting in a Denial
of Service (DoS).

VULNERABLE SYSTEMS
==================

Xen versions 4.6 and newer are vulnerable.  Xen versions 4.5 and earlier
are not vulnerable.

Only HVM guests can exploit the vulnerability.  PV guests cannot exploit
the vulnerability.

Only x86 systems using SVM (AMD virtualisation extensions) rather than
VMX (Intel virtualisation extensions) are vulnerable.  This applies to
HVM guests on AMD x86 CPUs.  Therefore AMD x86 hardware is vulnerable;
Intel hardware is not vulnerable.

ARM systems are not vulnerable.

MITIGATION
==========

Running only PV guests will avoid this vulnerability.

Running HVM guests on only VMX capable hardware will also avoid this
vulnerability.

External References:

http://xenbits.xen.org/xsa/advisory-203.html

Acknowledgements:

Name: the Xen project
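
The missing check described under ISSUE DESCRIPTION, shown as an added example that is not from this bug report or from Xen's source: an ops table with an optional hook that is NULL on one kind of hardware, an unchecked call site, and a checked one. All type, function and constant names are hypothetical, and returning an "unhandleable" result when the hook is absent is an assumption about how a caller might fail safely.

```c
#include <stddef.h>
#include <stdio.h>

/* Result codes for this sketch (hypothetical names, constructed values). */
enum { EMUL_OKAY = 0, EMUL_UNHANDLEABLE = 1 };

struct emul_ctxt { int last_leaf; };

/* Ops table with one mandatory hook and one optional hook. */
struct emulate_ops {
    int (*read)(struct emul_ctxt *ctxt);    /* always provided */
    int (*vmfunc)(struct emul_ctxt *ctxt);  /* optional: NULL where unsupported */
};

static int demo_read(struct emul_ctxt *c) { (void)c; return EMUL_OKAY; }
static int demo_vmfunc(struct emul_ctxt *c) { c->last_leaf = 0; return EMUL_OKAY; }

/* Table for hardware that implements the optional hook. */
const struct emulate_ops vmx_like_ops = { .read = demo_read, .vmfunc = demo_vmfunc };
/* Table for hardware that does not: the hook is intentionally NULL. */
const struct emulate_ops svm_like_ops = { .read = demo_read, .vmfunc = NULL };

/* Flawed call site: indirect call through the optional pointer with no
 * NULL check. With svm_like_ops this jumps through a NULL pointer.
 * Kept for comparison only; nothing in this example calls it. */
int dispatch_vmfunc_unchecked(const struct emulate_ops *ops, struct emul_ctxt *ctxt)
{
    return ops->vmfunc(ctxt);
}

/* Checked call site: an absent hook is reported as an error result
 * instead of being called. */
int dispatch_vmfunc_checked(const struct emulate_ops *ops, struct emul_ctxt *ctxt)
{
    if (ops == NULL || ops->vmfunc == NULL)
        return EMUL_UNHANDLEABLE;
    return ops->vmfunc(ctxt);
}

int main(void)
{
    struct emul_ctxt ctxt = { .last_leaf = -1 };

    printf("hook absent:  %d\n", dispatch_vmfunc_checked(&svm_like_ops, &ctxt));
    printf("hook present: %d\n", dispatch_vmfunc_checked(&vmx_like_ops, &ctxt));
    return 0;
}
```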

Comment 1 Adam Mariš 2016-12-21 15:31:55 UTC
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1406840]