Bug 1499824 (CVE-2017-15594, xsa244)

Summary: CVE-2017-15594 xsa244 xen: x86: Incorrect handling of IST settings during CPU hotplug (XSA-244)
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: ailan, drjones, imammedo, jforbes, knoel, m.a.young, mrezanin, pbonzini, rkrcmar, robinlee.sysu, security-response-team, vkuznets, xen-maint
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 03:27:17 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1501391    
Bug Blocks:    

Description Adam Mariš 2017-10-09 12:51:52 UTC
ISSUE DESCRIPTION
=================

The x86-64 architecture allows interrupts to be run on distinct stacks.
The choice of stack is encoded in a field of the corresponding
interrupt descriptor in the Interrupt Descriptor Table (IDT).  That
field selects an entry from the active Task State Segment (TSS).

Since, on AMD hardware, Xen switches to an HVM guest's TSS before
actually entering the guest, with the Global Interrupt Flag still set,
the selectors in the IDT entry are switched when guest context is
loaded/unloaded.

When a new CPU is brought online, its IDT is copied from CPU0's IDT,
including those selector fields.  If CPU0 happens at that moment to be
in HVM context, wrong values for those IDT fields would be installed
for the new CPU.  If the first guest vCPU to be run on that CPU
belongs to a PV guest, it will then have the ability to escalate its
privilege or crash the hypervisor.

IMPACT
======

A malicious or buggy x86 PV guest could escalate its privileges or
crash the hypervisor.

VULNERABLE SYSTEMS
==================

All Xen versions from at least 3.2 onwards are vulnerable.  Earlier
versions have not been checked.

Only PV guests can exploit the vulnerability.  HVM guests cannot
exploit the vulnerability, but their presence is necessary for the
exposure of the vulnerability to PV guests.

Only x86 systems using SVM (AMD virtualisation extensions) rather than
VMX (Intel virtualisation extensions) are vulnerable.  Therefore AMD
x86 hardware is vulnerable; Intel hardware is not vulnerable.

ARM systems are not vulnerable.

MITIGATION
==========

Avoiding to online CPUs at runtime will avoid this vulnerability.

Running only HVM or only PV guests on any individual host will also
avoid this vulnerability.

External References:

http://xenbits.xen.org/xsa/advisory-244.html

Comment 1 Adam Mariš 2017-10-12 13:42:09 UTC
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1501391]

Comment 2 Adam Mariš 2017-10-18 14:42:09 UTC
Acknowledgments:

Name: the Xen project
Upstream: Andrew Cooper (Citrix)