Bug 1315711 (CVE-2016-3157, xsa171) - CVE-2016-3157 kernel: xen: Privilege escalation on 64-bit Xen PV domains with IO port access privileges (XSA-171)
Summary: CVE-2016-3157 kernel: xen: Privilege escalation on 64-bit Xen PV domains with...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-3157, xsa171
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1321948 1572284
Blocks: 1315714
Reported: 2016-03-08 12:51 UTC by Adam Mariš
Modified: 2021-10-27 10:51 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A flaw in the Linux kernel was found in the way IOPL was handled during context switches in 64-bit Xen PV guests. A local guest user could potentially use this flaw to escalate their privileges in the guest.
Clone Of:
Environment:
Last Closed: 2021-10-27 10:51:29 UTC


Attachments
Patch 1 (4.11 KB, patch)
2016-03-08 13:00 UTC, Adam Mariš
Patch 2 (2.62 KB, patch)
2016-03-08 13:01 UTC, Adam Mariš
Patch 3 (1.31 KB, patch)
2016-03-08 13:01 UTC, Adam Mariš
xsa171.patch Linux 4.5-rc7, Linux 4.4.x (1.96 KB, patch)
2016-03-14 12:16 UTC, Adam Mariš

Description Adam Mariš 2016-03-08 12:51:22 UTC
It was reported that any 64-bit Xen PV domain with IO port access privileges and any user program that uses iopl(3) is vulnerable to privilege escalation by unprivileged programs running in the same PV domain.

Comment 1 Adam Mariš 2016-03-08 12:51:41 UTC
Acknowledgments:

Name: Andy Lutomirski

Comment 2 Adam Mariš 2016-03-08 13:00:16 UTC
Created attachment 1134161 [details]
Patch 1

selftests/x86: Add an iopl test

Comment 3 Adam Mariš 2016-03-08 13:01:00 UTC
Created attachment 1134162 [details]
Patch 2

x86/iopl/64: Properly context-switch IOPL on Xen PV

Comment 4 Adam Mariš 2016-03-08 13:01:41 UTC
Created attachment 1134163 [details]
Patch 3

x86/iopl: Fix iopl capability check on Xen PV

Comment 5 Adam Mariš 2016-03-08 13:02:28 UTC
Note that patches are not yet reviewed.

Comment 6 Adam Mariš 2016-03-14 12:08:24 UTC
ISSUE DESCRIPTION
=================

IRET and POPF do not modify EFLAGS.IOPL when executed by code at a
privilege level other than zero. Since PV Xen guests run at privilege
level 3 (for 64-bit ones; 32-bit ones run at privilege level 1), to
compensate for this the context switching of EFLAGS.IOPL requires the
guest to make use of a dedicated hypercall (PHYSDEVOP_set_iopl). The
invocation of this hypercall, while present in the 32-bit context
switch path, is missing from its 64-bit counterpart.

IMPACT
======

User mode processes not supposed to be able to access I/O ports may
be granted such permission, potentially resulting in one or more of
in-guest privilege escalation, guest crashes (Denial of Service), or
in-guest information leaks.

VULNERABLE SYSTEMS
==================

All upstream x86-64 Linux versions supporting operation as PV Xen guest
are vulnerable.

ARM, x86 HVM, as well as 32-bit Linux guests are not vulnerable.

x86-64 Linux versions derived from linux-2.6.18-xen.hg (XenoLinux) are
not vulnerable.

MITIGATION
==========

Running only HVM or 32-bit PV guests will avoid this issue.
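
The following is an added, constructed C model of the context-switch flaw the XSA text above describes; it is not kernel code and not taken from the patches attached to this bug. The names (physdevop_set_iopl, switch_to_vulnerable, switch_to_fixed, struct task) are assumptions chosen for the example. It models the hypervisor-enforced IOPL as a global that only the PHYSDEVOP_set_iopl stand-in can change, so that an IRET at CPL 3 leaves it untouched. The pre-fix path shows an unprivileged task inheriting IOPL 3 from the previous task; the fixed path issues the hypercall when the two tasks' IOPL values differ, as the 32-bit switch path already did.

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * Constructed model of the XSA-171 context-switch bug (not kernel code).
 * Names and structures are simplified assumptions chosen for this example.
 */

#define IOPL_SHIFT 12
#define IOPL_MASK  (3ul << IOPL_SHIFT)

/* IOPL as the hypervisor currently enforces it for the guest. On a 64-bit
 * PV guest the kernel itself runs at CPL 3, so IRET/POPF cannot change it;
 * only the PHYSDEVOP_set_iopl hypercall does. */
static unsigned int hv_iopl;
static unsigned int hv_set_iopl_calls;

/* Stand-in for the PHYSDEVOP_set_iopl hypercall (modelled, not real). */
static void physdevop_set_iopl(unsigned int iopl)
{
    hv_iopl = iopl & 3;
    hv_set_iopl_calls++;
}

struct task {
    const char *name;
    unsigned int iopl;    /* level requested via iopl(2) */
    unsigned long flags;  /* saved EFLAGS image (IOPL is bits 12-13) */
};

/* IRET executed at CPL 3: EFLAGS.IOPL in the restored image is ignored. */
static void iret_at_cpl3(const struct task *next)
{
    (void)next;  /* next->flags & IOPL_MASK has no effect on hv_iopl */
}

/* Pre-fix 64-bit path: trusts the flags image to carry IOPL across. */
static unsigned int switch_to_vulnerable(const struct task *prev,
                                         const struct task *next)
{
    (void)prev;
    iret_at_cpl3(next);
    return hv_iopl;
}

/* Fixed path: on Xen PV, switch IOPL explicitly when it differs between
 * the outgoing and incoming task (what the 32-bit path already did). */
static unsigned int switch_to_fixed(const struct task *prev,
                                    const struct task *next, bool xen_pv)
{
    if (xen_pv && prev->iopl != next->iopl)
        physdevop_set_iopl(next->iopl);
    iret_at_cpl3(next);
    return hv_iopl;
}

/* IN/OUT from user mode (CPL 3) succeeds only when CPL <= IOPL. */
static bool port_access_allowed(unsigned int iopl)
{
    return iopl >= 3;
}

/* Scenario: a task with CAP_SYS_RAWIO calls iopl(3) and is then switched
 * out in favour of an unprivileged task. Returns the IOPL that the
 * unprivileged task effectively runs with. */
static unsigned int effective_iopl_after_switch(bool fixed)
{
    struct task priv   = { "privileged",   3, IOPL_MASK };
    struct task unpriv = { "unprivileged", 0, 0 };

    hv_iopl = 0;
    hv_set_iopl_calls = 0;

    /* sys_iopl on Xen PV issues the hypercall itself for the caller. */
    physdevop_set_iopl(priv.iopl);

    return fixed ? switch_to_fixed(&priv, &unpriv, true)
                 : switch_to_vulnerable(&priv, &unpriv);
}

/* Number of hypercalls the last scenario issued (1 pre-fix, 2 fixed). */
static unsigned int hypercalls_issued(void)
{
    return hv_set_iopl_calls;
}

int main(void)
{
    unsigned int before = effective_iopl_after_switch(false);
    printf("vulnerable path: unprivileged task has IOPL %u, port I/O %s\n",
           before, port_access_allowed(before) ? "allowed" : "faults");
    unsigned int after = effective_iopl_after_switch(true);
    printf("fixed path:      unprivileged task has IOPL %u, port I/O %s\n",
           after, port_access_allowed(after) ? "allowed" : "faults");
    return 0;
}
```

The model deliberately keeps the per-task iopl value and the hypervisor's view separate: the bug is exactly that the 64-bit guest kernel assumed the flags image in pt_regs would reconcile the two on return to user mode, which at CPL 3 it cannot.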

Comment 7 Adam Mariš 2016-03-14 12:16:59 UTC
Created attachment 1136129 [details]
xsa171.patch Linux 4.5-rc7, Linux 4.4.x

Comment 8 Andrej Nemec 2016-03-29 12:38:57 UTC
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1321948]

Comment 9 Andrej Nemec 2016-03-29 12:39:22 UTC
Public via:

http://xenbits.xen.org/xsa/advisory-171.html

Comment 10 Fedora Update System 2016-04-02 00:44:56 UTC
kernel-4.5.0-302.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2016-04-02 15:52:46 UTC
kernel-4.5.0-302.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2016-04-08 15:51:04 UTC
kernel-4.4.6-301.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2016-04-08 20:19:06 UTC
kernel-4.4.6-201.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
