Bug 1370322 (CVE-2016-7093, xsa186) - CVE-2016-7093 xen: x86: Mishandling of instruction pointer truncation during emulation
Summary: CVE-2016-7093 xen: x86: Mishandling of instruction pointer truncation during ...
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2016-7093, xsa186
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1374471
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-08-26 00:33 UTC by Jeremy Choi
Modified: 2021-02-17 03:25 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-09-08 18:40:19 UTC
Embargoed:


Attachments (Terms of Use)
xen-unstable: xsa186-0001-*.patch xsa186-0002-*.patch (2.24 KB, application/mbox)
2016-08-26 00:35 UTC, Jeremy Choi
no flags Details
xsa186-0002-hvm-fep-Allow-testing-of-instructions-crossing-the-1.patch (2.34 KB, patch)
2016-08-26 00:41 UTC, Jeremy Choi
no flags Details | Diff
xsa186-4.6-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch (1.43 KB, patch)
2016-08-26 00:42 UTC, Jeremy Choi
no flags Details | Diff
xsa186-4.7-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch (1.04 KB, patch)
2016-08-26 00:42 UTC, Jeremy Choi
no flags Details | Diff

Description Jeremy Choi 2016-08-26 00:33:58 UTC
ISSUE DESCRIPTION
=================

When emulating HVM instructions, Xen uses a small i-cache for fetches
from guest memory. The code that handles cache misses does not check
if the address from which it fetched lies within the cache before
blindly writing to it. As such it is possible for the guest to
overwrite hypervisor memory.

It is currently believed that the only way to trigger this bug is to
use the way that Xen currently incorrectly wraps CS:IP in 16 bit
modes. The included patch prevents such wrapping.

IMPACT
======

A malicious HVM guest administrator can escalate their privilege to that
of the host.

VULNERABLE SYSTEMS
==================

Xen versions 4.7.0 and later are vulnerable.
Xen releases 4.6.3 and 4.5.3 are vulnerable.

Xen releases 4.6.0 to 4.6.2 inclusive are NOT vulnerable.
Xen releases 4.5.2 and earlier are NOT vulnerable.

The vulnerability is only exposed to HVM guests on x86 hardware.

The vulnerability is not exposed to x86 PV guests, or ARM guests.

MITIGATION
==========

Running only PV guests will avoid this vulnerability.

RESOLUTION
==========

Applying the first patch will resolve the issue.

Users wishing to independently verify the correctness of the fix may
find the second patch helpful. The second patch makes it easier to
use the "fep" (Force Emulation Prefix) feature to reproduce the
erroneous condition in a test environment. The "fep" feature requires
explicit enablement on the hypervisor command line, and is unsuitable
for production systems. Accordingly, applying the second patch does
  not affect production systems and does not improve security.

  Xen version First patch Second patch
  xen-unstable: xsa186-0001-*.patch xsa186-0002-*.patch
  Xen 4.7.x: xsa186-0001-*.patch xsa186-4.7-0002-*.patch
  Xen 4.6.3: xsa186-0001-*.patch xsa186-4.6-0002-*.patch
  Xen 4.5.3: xsa186-0001-*.patch xsa186-4.6-0002-*.patch

  $ sha256sum xsa186*
  7fcd5b34b6fee627430536f14b025e93e079ed78f4749cef6d7e1e8ed12727a9 xsa186-0001-x86-emulate-Correct-boundary-interactions-of-emulate.patch
  3f67cb77fce0161f5e42077c5946d737d9be92ed1d89e61c4b15c510f51b2319 xsa186-0002-hvm-fep-Allow-testing-of-instructions-crossing-the-1.patch
  48271b1a50538f94cb4b14d90a8acbdb573eaa9762b049d230f81f92106d9403 xsa186-4.6-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch
  71ce90a5b164302f9d4c413cfedda7735bb9f0ffd600ce0f0db3d65f166955a5 xsa186-4.7-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch
  $

Comment 1 Jeremy Choi 2016-08-26 00:35:40 UTC
Created attachment 1194169 [details]
xen-unstable: xsa186-0001-*.patch xsa186-0002-*.patch

Comment 2 Jeremy Choi 2016-08-26 00:41:21 UTC
Created attachment 1194170 [details]
xsa186-0002-hvm-fep-Allow-testing-of-instructions-crossing-the-1.patch

Comment 3 Jeremy Choi 2016-08-26 00:42:05 UTC
Created attachment 1194171 [details]
xsa186-4.6-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch

Comment 4 Jeremy Choi 2016-08-26 00:42:26 UTC
Created attachment 1194172 [details]
xsa186-4.7-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch

Comment 5 Andrej Nemec 2016-08-26 10:48:54 UTC
Xen Security Advisory CVE-2016-7093 / XSA-186
version 2

UPDATES IN VERSION 2
====================

CVE assigned.

Comment 6 Martin Prpič 2016-09-08 18:39:41 UTC
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1374471]

Comment 7 Martin Prpič 2016-09-08 18:40:19 UTC
External References:

https://xenbits.xen.org/xsa/advisory-186.html

Comment 8 Martin Prpič 2016-09-08 19:02:12 UTC
Acknowledgements:

Name: the Xen project
Upstream: Brian Marcotte

Comment 9 Fedora Update System 2016-09-13 22:21:52 UTC
xen-4.6.3-5.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2016-09-14 15:55:45 UTC
xen-4.7.0-5.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.