It was reported that any 64-bit Xen PV domain with I/O port access privileges and any user programs that use iopl(3) are vulnerable to privilege escalation by unprivileged programs running in the same PV domain.
Name: Andy Lutomirski
Created attachment 1134161
selftests/x86: Add an iopl test
Created attachment 1134162
x86/iopl/64: Properly context-switch IOPL on Xen PV
Created attachment 1134163
x86/iopl: Fix iopl capability check on Xen PV
Note that the patches are not yet reviewed.
IRET and POPF do not modify EFLAGS.IOPL when executed by code at a
privilege level other than zero. Since PV Xen guests run at privilege
level 3 (for 64-bit ones; 32-bit ones run at privilege level 1), to
compensate for this the context switching of EFLAGS.IOPL requires the
guest to make use of a dedicated hypercall (PHYSDEVOP_set_iopl). The
invocation of this hypercall, while present in the 32-bit context
switch path, is missing from its 64-bit counterpart.
User mode processes not supposed to be able to access I/O ports may
be granted such permission, potentially resulting in one or more of
in-guest privilege escalation, guest crashes (Denial of Service), or
in-guest information leaks.
All upstream x86-64 Linux versions supporting operation as PV Xen guest are vulnerable.
ARM, x86 HVM, as well as 32-bit Linux guests are not vulnerable.
x86-64 Linux versions derived from linux-2.6.18-xen.hg (XenoLinux) are
Running only HVM or 32-bit PV guests will avoid this issue.
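As an added example (not the selftest attached above, and not code from the Xen or Linux projects), the following C program checks the invariant the advisory describes: a process that never called iopl(3) must take a #GP, which Linux delivers as SIGSEGV, on a port I/O instruction, even while another process in the same 64-bit PV guest holds IOPL 3 and the two keep trading places on one vCPU. The parent raises its IOPL with iopl(3) (this needs CAP_SYS_RAWIO) only after forking the child, so the child holds IOPL 0 in the kernel's view; both tasks are pinned to CPU 0 so that the prev(IOPL 3) -> next(IOPL 0) switch, the path on which the 64-bit kernel omitted the PHYSDEVOP_set_iopl hypercall, actually happens. Port 0x80, the pinning to CPU 0, the probe count and the function names are this example's own assumptions.

```c
/*
 * iopl_leak_check.c - added example; not the kernel selftest attached to
 * this bug and not Xen/Linux project code. Build on an x86 Linux guest:
 *   gcc -O2 -Wall -o iopl_leak_check iopl_leak_check.c
 * probe_port_access() needs no privilege; run_leak_scenario() needs
 * CAP_SYS_RAWIO for the parent's iopl(3) call.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#if defined(__x86_64__) || defined(__i386__)
#include <sys/io.h>   /* iopl() */
#endif

static sigjmp_buf fault_jmp;

static void on_fault(int sig)
{
    (void)sig;
    siglongjmp(fault_jmp, 1);
}

/*
 * Execute one `inb` from port 0x80 (the POST/debug port; reading it is
 * harmless - the port choice is this example's assumption). Returns 1 if
 * the instruction executed, 0 if it was trapped and arrived as SIGSEGV,
 * -1 on a non-x86 build, where there is no port I/O at all.
 */
int probe_port_access(void)
{
#if defined(__x86_64__) || defined(__i386__)
    struct sigaction sa, old;
    int executed = 0;

    memset(&sa, 0, sizeof(sa));
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);
    /* sigsetjmp(..., 1) saves the signal mask, so jumping out of the
     * handler leaves SIGSEGV deliverable again for the next probe. */
    if (sigsetjmp(fault_jmp, 1) == 0) {
        unsigned char v;
        __asm__ volatile ("inb %1, %0" : "=a"(v) : "Nd"((unsigned short)0x80));
        (void)v;
        executed = 1;   /* reached only if CPU/hypervisor allowed the access */
    }
    sigaction(SIGSEGV, &old, NULL);
    return executed;
#else
    return -1;
#endif
}

/*
 * Fork a child *before* raising IOPL, so the child holds IOPL 0 in the
 * kernel's view, then take iopl(3) in the parent and keep both tasks busy
 * on CPU 0 so they alternate on one vCPU. Returns how many of the child's
 * probes executed (0 on a correct kernel; >0 is the XSA-171 symptom), or
 * -1 when the scenario cannot be staged (no CAP_SYS_RAWIO, fork failure,
 * non-x86 build).
 */
int run_leak_scenario(int probes)
{
#if defined(__x86_64__) || defined(__i386__)
    cpu_set_t set;
    int status = 0;
    pid_t pid, w = -1;

    CPU_ZERO(&set);
    CPU_SET(0, &set);
    sched_setaffinity(0, sizeof(set), &set);   /* best effort; inherited */

    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        int leaked = 0;
        for (int i = 0; i < probes; i++) {
            if (probe_port_access() == 1)
                leaked++;
            sched_yield();
        }
        _exit(leaked > 255 ? 255 : leaked);
    }
    if (iopl(3) != 0) {                /* EPERM without CAP_SYS_RAWIO */
        waitpid(pid, &status, 0);
        return -1;
    }
    for (;;) {
        w = waitpid(pid, &status, WNOHANG);
        if (w == pid || (w < 0 && errno != EINTR))
            break;
        probe_port_access();           /* legitimate port I/O at IOPL 3 */
        sched_yield();
    }
    iopl(0);
    return (w == pid && WIFEXITED(status)) ? WEXITSTATUS(status) : -1;
#else
    (void)probes;
    return -1;
#endif
}

int main(void)
{
    int r = probe_port_access();

    printf("unprivileged inb(0x80): %s\n",
           r == 1 ? "EXECUTED (port access without iopl)" : "trapped (ok)");
    r = run_leak_scenario(5000);
    if (r < 0)
        printf("leak scenario skipped (needs CAP_SYS_RAWIO on x86)\n");
    else
        printf("IOPL-0 child probes that executed: %d (%s)\n", r,
               r ? "IOPL LEAKED across context switch" : "no leak");
    return r > 0 ? 1 : 0;
}
```

On a fixed kernel, on native hardware, or on an HVM guest, every probe in the IOPL-0 child is trapped and the scenario reports 0; any non-zero count means the hypervisor's per-vCPU IOPL was left at 3 when the kernel switched to a task that never asked for it. The probe on its own needs no privilege and is the quick check to run inside a guest: an unprivileged `inb` that executes means the task has port access it never requested.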
Created attachment 1136129
xsa171.patch Linux 4.5-rc7, Linux 4.4.x
Created xen tracking bugs for this issue:
Affects: fedora-all [bug 1321948]
kernel-4.5.0-302.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
kernel-4.4.6-301.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
kernel-4.4.6-201.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.