Bug 1406259 (CVE-2016-10013, xsa204) - CVE-2016-10013 xen: x86: Mishandling of SYSCALL singlestep during emulation (XSA-204)
Summary: CVE-2016-10013 xen: x86: Mishandling of SYSCALL singlestep during emulation (...
Alias: CVE-2016-10013, xsa204
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1406260
Blocks: 1406261
TreeView+ depends on / blocked
Reported: 2016-12-20 07:13 UTC by Martin Prpič
Modified: 2021-02-17 02:51 UTC (History)
11 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2018-02-26 11:41:59 UTC

Attachments (Terms of Use)

Description Martin Prpič 2016-12-20 07:13:15 UTC

The typical behaviour of singlestepping exceptions is determined at the start of the instruction, with a #DB trap being raised at the end of the instruction.

SYSCALL (and SYSRET, although we don't implement it) behave differently because the typical behaviour allows userspace to escalate its privilege. (This difference in behaviour seems to be undocumented.)

Xen wrongly raised the exception based on the flags at the start of the instruction.


Guest userspace which can invoke the instruction emulator can use this flaw to escalate its privilege to that of the guest kernel.


All Xen versions are affected.

The vulnerability is only exposed to 64-bit x86 HVM guests.

On Xen 4.6 and earlier the vulnerability is exposed to all guest user processes, including unprivileged processes, in such guests.

On Xen 4.7 and later, the vulnerability is exposed only to guest user processes granted a degree of privilege (such as direct hardware access) by the guest administrator; or, to all user processes when the VM has been explicitly configured with a non-default cpu vendor string (in xm/xl, this would be done with a `cpuid=' domain config option).

A 64-bit guest kernel which uses an IST for #DB handling will most likely mitigate the issue, but will have a single unexpected #DB exception frame to deal with. This in practice means that Linux is not vulnerable.

The vulnerability is not exposed to 32-bit HVM guests. This is because the emulation bug also matches real hardware behaviour, and a 32-bit guest kernel using SYSCALL will already have to be using a Task Gate for handling #DB to avoid being susceptible to an escalation of privilege.

The vulnerability is not exposed to PV guests.

ARM systems are not vulnerable.

External References:



Name: the Xen project

Comment 1 Martin Prpič 2016-12-20 07:14:58 UTC
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1406260]

Note You need to log in before you can comment on or make changes to this bug.