Bug 1332657 (CVE-2016-4480, xsa176) - CVE-2016-4480 xsa176 xen: x86 software guest page walk PS bit handling flaw (XSA-176)
Summary: CVE-2016-4480 xsa176 xen: x86 software guest page walk PS bit handling flaw (...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2016-4480, xsa176
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-05-03 16:32 UTC by Adam Mariš
Modified: 2021-02-17 03:56 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-08 02:51:09 UTC


Attachments (Terms of Use)

Description Adam Mariš 2016-05-03 16:32:38 UTC
ISSUE DESCRIPTION
=================

The Page Size (PS) page table entry bit exists at all page table levels
other than L1.  Its meaning is reserved in L4, and conditionally
reserved in L3 and L2 (depending on hardware capabilities).  The
software page table walker in the hypervisor, however, so far ignored
that bit in L4 and (on respective hardware) L3 entries, resulting in
pages to be treated as page tables which the guest OS may not have
designated as such.  If the page in question is writable by an
unprivileged user, then that user will be able to map arbitrary guest
memory.

IMPACT
======

On vulnerable OSes, guest user mode code may be able to establish
mappings of arbitrary memory inside the guest, allowing it to elevate
its privileges inside the guest.

VULNERABLE SYSTEMS
==================

All Xen versions expose the vulnerability.

ARM systems are not vulnerable.  x86 PV guests are not vulnerable.

To be vulnerable, a system must have both a vulnerable hypervisor, and
a vulnerable guest operating system, i.e. ones which make non-standard
use of the PS bit.  We are not aware of any vulnerable guest operating
systems, but we cannot rule it out.  We have checked with maintainers
of the following operating systems, all of whom have said that to the
best of their knowledge their operating system is not vulnerable:
Linux, FreeBSD, NetBSD, and OpenBSD.  Nor has it been observed in
common proprietary operating systems.

MITIGATION
==========

Running only PV guests will avoid this issue.

External References:

http://xenbits.xen.org/xsa/advisory-176.html

Acknowledgements:

Name: the Xen project

Comment 1 Andrej Nemec 2016-05-17 14:02:58 UTC
Public via:

http://seclists.org/oss-sec/2016/q2/354

Comment 2 Fedora Update System 2016-05-21 20:27:29 UTC
xen-4.6.1-9.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 3 Fedora Update System 2016-05-28 23:21:29 UTC
xen-4.5.3-5.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 4 Fedora Update System 2016-05-28 23:54:53 UTC
xen-4.5.3-5.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.