Bug 1315711 - (CVE-2016-3157, xsa171) CVE-2016-3157 kernel: xen: Privilege escalation on 64-bit Xen PV domains with IO port access privileges (XSA-171)
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20160316,repor...
Keywords: Security
Depends On: 1321948
Blocks: 1315714
Reported: 2016-03-08 07:51 EST by Adam Mariš
Modified: 2016-10-04 00:20 EDT (History)

Attachments
Patch 1 (4.11 KB, patch), 2016-03-08 08:00 EST, Adam Mariš
Patch 2 (2.62 KB, patch), 2016-03-08 08:01 EST, Adam Mariš
Patch 3 (1.31 KB, patch), 2016-03-08 08:01 EST, Adam Mariš
xsa171.patch Linux 4.5-rc7, Linux 4.4.x (1.96 KB, patch), 2016-03-14 08:16 EDT, Adam Mariš

Description Adam Mariš 2016-03-08 07:51:22 EST
It was reported that any 64-bit Xen PV domain with IO port access privileges and any user programs that use iopl(3) are vulnerable to privilege escalation by unprivileged programs running in the same PV domain.
Comment 1 Adam Mariš 2016-03-08 07:51:41 EST
Acknowledgments:

Name: Andy Lutomirski
Comment 2 Adam Mariš 2016-03-08 08:00 EST
Created attachment 1134161 [details]
Patch 1

selftests/x86: Add an iopl test
Comment 3 Adam Mariš 2016-03-08 08:01 EST
Created attachment 1134162 [details]
Patch 2

x86/iopl/64: Properly context-switch IOPL on Xen PV
Comment 4 Adam Mariš 2016-03-08 08:01 EST
Created attachment 1134163 [details]
Patch 3

x86/iopl: Fix iopl capability check on Xen PV
Comment 5 Adam Mariš 2016-03-08 08:02:28 EST
Note that patches are not yet reviewed.
Comment 6 Adam Mariš 2016-03-14 08:08:24 EDT
ISSUE DESCRIPTION
=================

IRET and POPF do not modify EFLAGS.IOPL when executed by code at a
privilege level other than zero. Since PV Xen guests run at privilege
level 3 (for 64-bit ones; 32-bit ones run at privilege level 1), to
compensate for this the context switching of EFLAGS.IOPL requires the
guest to make use of a dedicated hypercall (PHYSDEVOP_set_iopl). The
invocation of this hypercall, while present in the 32-bit context
switch path, is missing from its 64-bit counterpart.

IMPACT
======

User mode processes not supposed to be able to access I/O ports may
be granted such permission, potentially resulting in one or more of
in-guest privilege escalation, guest crashes (Denial of Service), or
in-guest information leaks.

VULNERABLE SYSTEMS
==================

All upstream x86-64 Linux versions supporting operation as PV Xen guest
are vulnerable.

ARM, x86 HVM, as well as 32-bit Linux guests are not vulnerable.

x86-64 Linux versions derived from linux-2.6.18-xen.hg (XenoLinux) are
not vulnerable.

MITIGATION
==========

Running only HVM or 32-bit PV guests will avoid this issue.
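A verification check a defender can run on a patched 64-bit PV guest, written here as an added example (it is not the selftest from Patch 1, and check_iopl_context_switch, port_io_faults and the IOPL_* result codes are assumed names): a parent takes iopl(3), a child drops to iopl(0) and probes port 0x80, and after the child exits the parent probes again. On a kernel missing the PHYSDEVOP_set_iopl call in the 64-bit context-switch path, the child's iopl(0) is still in force on the shared vCPU when the parent is switched back in, so the parent's own port write faults; the check assumes root on x86 Linux and returns IOPL_SKIP anywhere else.

```c
/* Added check (assumed names; not the selftest from Patch 1): after a child drops
 * to IOPL 0 and exits, does the parent still hold IOPL 3?  Needs root on x86
 * Linux (iopl(3) wants CAP_SYS_RAWIO); port 0x80 is the harmless POST-code port. */
#define _GNU_SOURCE
#include <sched.h>
#include <setjmp.h>
#include <signal.h>
#include <sys/wait.h>
#include <unistd.h>
enum { IOPL_SKIP = -1, IOPL_OK = 0, IOPL_LOST = 1, IOPL_NOT_BLOCKED = 2 };
#if !defined(__x86_64__) && !defined(__i386__)
int check_iopl_context_switch(void) { return IOPL_SKIP; } /* port I/O is x86-only */
#else
#include <sys/io.h>
static sigjmp_buf jb; static void on_segv(int s) { (void)s; siglongjmp(jb, 1); }
/* 1 if an outb to port 0x80 faults (no port access), 0 if it succeeds. */
static int port_io_faults(void)
{
    signal(SIGSEGV, on_segv);
    if (sigsetjmp(jb, 1) == 0) {
        __asm__ volatile("outb %%al, $0x80" : : "a"(0));
        return 0;
    }
    return 1;
}
int check_iopl_context_switch(void)
{
    cpu_set_t set; int cpu = 0;          /* Xen keeps IOPL per vCPU, so both */
    if (sched_getaffinity(0, sizeof set, &set) != 0) return IOPL_SKIP; /* tasks */
    while (cpu < CPU_SETSIZE && !CPU_ISSET(cpu, &set)) cpu++;     /* share a CPU */
    CPU_ZERO(&set); CPU_SET(cpu, &set);
    if (sched_setaffinity(0, sizeof set, &set) != 0) return IOPL_SKIP;
    if (iopl(3) != 0) return IOPL_SKIP;  /* EPERM without CAP_SYS_RAWIO */
    pid_t pid = fork();
    if (pid == 0) {                      /* child: drop to IOPL 0, then probe */
        if (iopl(0) != 0) _exit(2);
        _exit(port_io_faults() ? 0 : 1); /* 0 = blocked, as it should be */
    }
    int status, rc = 2;                  /* 2 = could not run the child */
    if (pid > 0 && waitpid(pid, &status, 0) == pid && WIFEXITED(status))
        rc = WEXITSTATUS(status);
    /* The parent was switched out and back in.  Without PHYSDEVOP_set_iopl in
     * the 64-bit switch path (XSA-171) the child's iopl(0) is still in force. */
    int lost = (rc == 0) ? port_io_faults() : 0;
    iopl(0);                             /* hand the privilege back */
    if (rc == 2) return IOPL_SKIP;
    return rc == 1 ? IOPL_NOT_BLOCKED : (lost ? IOPL_LOST : IOPL_OK);
}
#endif
```

Run it as root on the guest under test; IOPL_OK means the IOPL was restored correctly, IOPL_LOST is the XSA-171 symptom, and IOPL_SKIP means the check could not be performed (no CAP_SYS_RAWIO, no x86, or a sandbox that blocks iopl).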
Comment 7 Adam Mariš 2016-03-14 08:16 EDT
Created attachment 1136129 [details]
xsa171.patch Linux 4.5-rc7, Linux 4.4.x
Comment 8 Andrej Nemec 2016-03-29 08:38:57 EDT
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1321948]
Comment 9 Andrej Nemec 2016-03-29 08:39:22 EDT
Public via:

http://xenbits.xen.org/xsa/advisory-171.html
Comment 10 Fedora Update System 2016-04-01 20:44:56 EDT
kernel-4.5.0-302.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2016-04-02 11:52:46 EDT
kernel-4.5.0-302.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2016-04-08 11:51:04 EDT
kernel-4.4.6-301.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 13 Fedora Update System 2016-04-08 16:19:06 EDT
kernel-4.4.6-201.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.