1771340 – (CVE-2019-18425) CVE-2019-18425 xen: missing descriptor table limit checking in x86 PV emulation leading to privilege escalation

Bug 1771340 (CVE-2019-18425) - CVE-2019-18425 xen: missing descriptor table limit checking in x86 PV emulation leading to privilege escalation

Summary: CVE-2019-18425 xen: missing descriptor table limit checking in x86 PV emulati...

Keywords:
Status:	CLOSED WONTFIX
Alias:	CVE-2019-18425
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1771341
Blocks:	1762982
TreeView+	depends on / blocked

Reported:	2019-11-12 08:33 UTC by Marian Rehak
Modified:	2021-02-16 21:05 UTC (History)
CC List:	23 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was in Xen. Guest specified limits for descriptor table access, during PV guest operations, were found to not be enforced. An attacker with the ability to emulate 32-bit guest user mode calls through call gates, would be allowed to install and then use descriptors of their choice as long as the guest kernel did not, itself, install an LDT. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Clone Of:
Environment:
Last Closed:	2020-02-24 15:18:19 UTC
Embargoed:

Attachments	(Terms of Use)

Description Marian Rehak 2019-11-12 08:33:19 UTC

When emulating certain PV guest operations, descriptor table accesses are performed by the emulating code. Such accesses should respect the guest specified limits. Without this, emulation of 32-bit guest user mode calls through call gates would allow guest user mode to install and then use descriptors of their choice, as long as the guest kernel did not itself install an LDT.
Only 32-bit PV guest user mode can leverage this vulnerability.

Upstream advisory and patches:

http://xenbits.xen.org/xsa/advisory-298.html

Comment 1 Marian Rehak 2019-11-12 08:33:34 UTC

Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1771341]

Comment 2 Eric Christensen 2020-05-06 13:59:29 UTC

External References:

http://xenbits.xen.org/xsa/advisory-298.html

Note You need to log in before you can comment on or make changes to this bug.

acaringi
ailan
bhu
brdeoliv
dhoward
drjones
dvlasenk
fhrbata
hkrzesin
imammedo
jforbes
jshortt
jstancek
knoel
m.a.young
mrezanin
nmurray
pbonzini
rkrcmar
robinlee.sysu
rvrbovsk
vkuznets
xen-maint