Bug 1499819 (CVE-2017-15589, xsa239)

Summary: CVE-2017-15589 xsa239 xen: hypervisor stack leak in x86 I/O intercept code (XSA-239)
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: ailan, drjones, imammedo, jforbes, knoel, m.a.young, mrezanin, pbonzini, rkrcmar, robinlee.sysu, security-response-team, vkuznets, xen-maint
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 03:27:10 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1501391    
Bug Blocks:    

Description Adam Mariš 2017-10-09 12:51:24 UTC
ISSUE DESCRIPTION
=================

Intercepted I/O operations may deal with less than a full machine
word's worth of data.  While read paths had been the subject of earlier
XSAs (and hence have been fixed), at least one write path was found
where the data stored into an internal structure could contain bits
from an uninitialized hypervisor stack slot.  A subsequent emulated
read would then be able to retrieve these bits.

IMPACT
======

A malicious unprivileged x86 HVM guest may be able to obtain sensitive
information from the host or other guests.

VULNERABLE SYSTEMS
==================

All Xen versions are vulnerable.

Only x86 systems are affected.  ARM systems are not affected.

Only HVM guests can leverage this vulnerability.  PV guests cannot
leverage this vulnerability.

MITIGATION
==========

Running only PV guests will avoid this issue.

External References:

http://xenbits.xen.org/xsa/advisory-239.html

Comment 1 Adam Mariš 2017-10-12 13:42:21 UTC
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1501391]

Comment 2 Adam Mariš 2017-10-18 15:05:20 UTC
Acknowledgments:

Name: the Xen project
Upstream: Roger Pau Monné (Citrix)