1355983 – (CVE-2016-6259, xsa183) CVE-2016-6259 xsa183 xen: x86: Missing SMAP whitelisting in 32-bit exception / event delivery (XSA-183)

Bug 1355983 (CVE-2016-6259, xsa183) - CVE-2016-6259 xsa183 xen: x86: Missing SMAP whitelisting in 32-bit exception / event delivery (XSA-183)

Summary: CVE-2016-6259 xsa183 xen: x86: Missing SMAP whitelisting in 32-bit exception ...

Keywords:
Status:	CLOSED WONTFIX
Alias:	CVE-2016-6259, xsa183
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1360359
Blocks:
TreeView+	depends on / blocked

Reported:	2016-07-13 08:20 UTC by Adam Mariš
Modified:	2021-02-17 03:36 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-07-26 13:48:12 UTC
Embargoed:

Attachments	(Terms of Use)
XSA-183 unstable patch (2.21 KB, patch) 2016-07-13 08:21 UTC, Adam Mariš	no flags	Details \| Diff
Xen 4.6 patch (2.23 KB, patch) 2016-07-13 08:22 UTC, Adam Mariš	no flags	Details \| Diff
Xen 4.6 patch (2.64 KB, patch) 2016-07-25 08:38 UTC, Adam Mariš	no flags	Details \| Diff
Show Obsolete (1) View All

Description Adam Mariš 2016-07-13 08:20:21 UTC

ISSUE DESCRIPTION
=================

Supervisor Mode Access Prevention is a hardware feature designed to make
an Operating System more robust, by raising a pagefault rather than
accidentally following a pointer into userspace.  However, legitimate
accesses into userspace require whitelisting, and the exception delivery
mechanism for 32bit PV guests wasn't whitelisted.

IMPACT
======

A malicious 32-bit PV guest kernel can trigger a safety check, crashing
the hypervisor and causing a denial of service to other VMs on the host.

VULNERABLE SYSTEMS
==================

Xen version 4.5 and newer are vulnerable.  Versions 4.4 and older are
not, due to not having software support for SMAP.

The vulnerability is only exposed on x86 hardware supporting the SMAP
feature (Intel Broadwell and later CPUs).  The vulnerability is not
exposed on ARM hardware, or x86 hardware which do not support SMAP.

The vulnerability is only exposed to x86 32bit PV guests.  The
vulnerability is not exposed to 64bit PV guests or HVM guests.

MITIGATION
==========

Running only HVM guests or 64-bit PV guests, avoids the vulnerability.

Disabling SMAP in the hypervisor by booting Xen with "smap=0" on the
command line will avoid this vulnerability.  (Depending on the
circumstances this workaround may pose a small risk of increasing the
impact of other, possibly unknown, vulnerabilities.)

External References:

http://xenbits.xen.org/xsa/advisory-183.html

Acknowledgements:

Name: the Xen project

Comment 1 Adam Mariš 2016-07-13 08:21:54 UTC

Created attachment 1179128 [details]
XSA-183 unstable patch

Comment 2 Adam Mariš 2016-07-13 08:22:30 UTC

Created attachment 1179129 [details]
Xen 4.6 patch

Comment 3 Andrej Nemec 2016-07-21 11:20:34 UTC

CVE-2016-6259 was assigned to this issue.

Comment 4 Adam Mariš 2016-07-25 08:38:46 UTC

Created attachment 1183633 [details]
Xen 4.6 patch

Comment 5 Adam Mariš 2016-07-26 13:47:23 UTC

Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1360359]

Comment 6 Fedora Update System 2016-08-05 20:54:42 UTC

xen-4.6.3-4.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2016-08-08 23:53:48 UTC

xen-4.5.3-9.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.