Bug 1771340 (CVE-2019-18425) - CVE-2019-18425 xen: missing descriptor table limit checking in x86 PV emulation leading to privilege escalation
Summary: CVE-2019-18425 xen: missing descriptor table limit checking in x86 PV emulati...
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2019-18425
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1771341
Blocks: 1762982
TreeView+ depends on / blocked
 
Reported: 2019-11-12 08:33 UTC by Marian Rehak
Modified: 2020-05-06 13:59 UTC (History)
23 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was in Xen. Guest specified limits for descriptor table access, during PV guest operations, were found to not be enforced. An attacker with the ability to emulate 32-bit guest user mode calls through call gates, would be allowed to install and then use descriptors of their choice as long as the guest kernel did not, itself, install an LDT. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Clone Of:
Environment:
Last Closed: 2020-02-24 15:18:19 UTC


Attachments (Terms of Use)

Description Marian Rehak 2019-11-12 08:33:19 UTC
When emulating certain PV guest operations, descriptor table accesses are performed by the emulating code. Such accesses should respect the guest specified limits. Without this, emulation of 32-bit guest user mode calls through call gates would allow guest user mode to install and then use descriptors of their choice, as long as the guest kernel did not itself install an LDT.
Only 32-bit PV guest user mode can leverage this vulnerability.

Upstream advisory and patches:

http://xenbits.xen.org/xsa/advisory-298.html

Comment 1 Marian Rehak 2019-11-12 08:33:34 UTC
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1771341]

Comment 2 Eric Christensen 2020-05-06 13:59:29 UTC
External References:

http://xenbits.xen.org/xsa/advisory-298.html


Note You need to log in before you can comment on or make changes to this bug.