Bug 1771340 (CVE-2019-18425) - CVE-2019-18425 xen: missing descriptor table limit checking in x86 PV emulation leading to privilege escalation
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2019-18425
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1771341
Blocks: 1762982
 
Reported: 2019-11-12 08:33 UTC by Marian Rehak
Modified: 2021-02-16 21:05 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2020-02-24 15:18:19 UTC
Embargoed:



Description Marian Rehak 2019-11-12 08:33:19 UTC
When emulating certain PV guest operations, descriptor table accesses are performed by the emulating code. Such accesses should respect the guest-specified limits. Without this, emulation of 32-bit guest user mode calls through call gates would allow guest user mode to install and then use descriptors of their choice, as long as the guest kernel did not itself install an LDT.
Only 32-bit PV guest user mode can leverage this vulnerability.

Upstream advisory and patches:

http://xenbits.xen.org/xsa/advisory-298.html
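
A simplified model of the limit check the description calls for, as an added example that is not part of the original report and is not Xen's code. The struct layout, the `nr_ents` and `mapped` fields, `read_descriptor` and `demo_lookup` are assumptions made for illustration, and the tables are constructed sample data.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DESC_SIZE 8u   /* one legacy x86 descriptor is 8 bytes */
#define SEL_TI    0x4u /* selector bit 2: 0 = GDT, 1 = LDT */

/* Hypothetical model of a table the guest registered for emulation. */
struct guest_table {
    const uint8_t *base;    /* memory the emulator can reach */
    size_t         mapped;  /* bytes actually backing base */
    unsigned int   nr_ents; /* guest-specified limit, in entries */
};
struct guest_ctx { struct guest_table gdt, ldt; };

/* Fetch the descriptor named by sel; fail unless it lies inside the limit
 * the guest declared. An uninstalled LDT (nr_ents == 0) rejects everything. */
bool read_descriptor(const struct guest_ctx *g, uint16_t sel,
                     uint8_t desc[DESC_SIZE])
{
    const struct guest_table *t = (sel & SEL_TI) ? &g->ldt : &g->gdt;
    size_t idx = sel >> 3; /* drop the RPL and TI bits */

    if (idx >= t->nr_ents)                  /* honour the guest's limit */
        return false;
    if ((idx + 1) * DESC_SIZE > t->mapped)  /* limit must fit the mapping */
        return false;
    memcpy(desc, t->base + idx * DESC_SIZE, DESC_SIZE);
    return true;
}

/* Constructed sample: a 4-entry GDT, plus LDT-area memory that holds bytes
 * but was never installed as an LDT by the guest kernel (nr_ents == 0). */
static const uint8_t sample_gdt[4 * DESC_SIZE] = { [16] = 0xff };
static const uint8_t sample_ldt_area[8 * DESC_SIZE] = { [8] = 0xaa };

/* Returns byte 0 of the descriptor, or -1 if the lookup was refused. */
int demo_lookup(uint16_t sel)
{
    const struct guest_ctx g = {
        .gdt = { sample_gdt, sizeof sample_gdt, 4 },
        .ldt = { sample_ldt_area, sizeof sample_ldt_area, 0 },
    };
    uint8_t desc[DESC_SIZE];
    return read_descriptor(&g, sel, desc) ? desc[0] : -1;
}
int main(void) { printf("%d %d\n", demo_lookup(0x10), demo_lookup(0x0f)); return 0; }
```

In this model the LDT selector `0x0f` is refused even though bytes exist behind the LDT area, because the guest kernel never declared any LDT entries.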

Comment 1 Marian Rehak 2019-11-12 08:33:34 UTC
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1771341]

Comment 2 Eric Christensen 2020-05-06 13:59:29 UTC
External References:

http://xenbits.xen.org/xsa/advisory-298.html

