ISSUE DESCRIPTION
=================

When emulating HVM instructions, Xen uses a small i-cache for fetches from guest memory. The code that handles cache misses does not check that the cache offset derived from the fetch address lies within the cache before writing the fetched bytes to it. As such it is possible for the guest to overwrite hypervisor memory.

It is currently believed that the only way to trigger this bug is to use the way that Xen currently incorrectly wraps CS:IP in 16-bit modes. The included patch prevents such wrapping.

IMPACT
======

A malicious HVM guest administrator can escalate their privilege to that of the host.

VULNERABLE SYSTEMS
==================

Xen versions 4.7.0 and later are vulnerable.
Xen releases 4.6.3 and 4.5.3 are vulnerable.
Xen releases 4.6.0 to 4.6.2 inclusive are NOT vulnerable.
Xen releases 4.5.2 and earlier are NOT vulnerable.

The vulnerability is only exposed to HVM guests on x86 hardware.

The vulnerability is not exposed to x86 PV guests, or to ARM guests.

MITIGATION
==========

Running only PV guests will avoid this vulnerability.

RESOLUTION
==========

Applying the first patch will resolve the issue.

Users wishing to independently verify the correctness of the fix may find the second patch helpful. The second patch makes it easier to use the "fep" (Force Emulation Prefix) feature to reproduce the erroneous condition in a test environment. The "fep" feature requires explicit enablement on the hypervisor command line, and is unsuitable for production systems. Accordingly, applying the second patch does not affect production systems and does not improve security.
Xen version     First patch            Second patch
xen-unstable    xsa186-0001-*.patch    xsa186-0002-*.patch
Xen 4.7.x       xsa186-0001-*.patch    xsa186-4.7-0002-*.patch
Xen 4.6.3       xsa186-0001-*.patch    xsa186-4.6-0002-*.patch
Xen 4.5.3       xsa186-0001-*.patch    xsa186-4.6-0002-*.patch

$ sha256sum xsa186*
7fcd5b34b6fee627430536f14b025e93e079ed78f4749cef6d7e1e8ed12727a9  xsa186-0001-x86-emulate-Correct-boundary-interactions-of-emulate.patch
3f67cb77fce0161f5e42077c5946d737d9be92ed1d89e61c4b15c510f51b2319  xsa186-0002-hvm-fep-Allow-testing-of-instructions-crossing-the-1.patch
48271b1a50538f94cb4b14d90a8acbdb573eaa9762b049d230f81f92106d9403  xsa186-4.6-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch
71ce90a5b164302f9d4c413cfedda7735bb9f0ffd600ce0f0db3d65f166955a5  xsa186-4.7-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch
$
Created attachment 1194169: xen-unstable: xsa186-0001-*.patch xsa186-0002-*.patch
Created attachment 1194170: xsa186-0002-hvm-fep-Allow-testing-of-instructions-crossing-the-1.patch
Created attachment 1194171: xsa186-4.6-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch
Created attachment 1194172: xsa186-4.7-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch
Xen Security Advisory CVE-2016-7093 / XSA-186
version 2

UPDATES IN VERSION 2
====================

CVE assigned.
Created xen tracking bugs for this issue: Affects: fedora-all [bug 1374471]
External References: https://xenbits.xen.org/xsa/advisory-186.html
Acknowledgements:
Name: the Xen project
Upstream: Brian Marcotte
xen-4.6.3-5.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
xen-4.7.0-5.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.