Bug 1399745 (CVE-2016-9932, xsa200) - CVE-2016-9932 xsa200 xen: x86 CMPXCHG8B emulation fails to ignore operand size override (XSA-200)
Summary: CVE-2016-9932 xsa200 xen: x86 CMPXCHG8B emulation fails to ignore operand siz...
Alias: CVE-2016-9932, xsa200
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1404262
TreeView+ depends on / blocked
Reported: 2016-11-29 16:01 UTC by Adam Mariš
Modified: 2019-09-29 14:01 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-06-08 03:02:49 UTC

Attachments (Terms of Use)

Description Adam Mariš 2016-11-29 16:01:51 UTC

The x86 instruction CMPXCHG8B is supposed to ignore legacy operand
size overrides; it only honors the REX.W override (making it
CMPXCHG16B).  So, the operand size is always 8 or 16.

When support for CMPXCHG16B emulation was added to the instruction
emulator, this restriction on the set of possible operand sizes was
relied on in some parts of the emulation; but a wrong, fully general,
operand size value was used for other parts of the emulation.

As a result, if a guest uses a supposedly-ignored operand size prefix,
a small amount of hypervisor stack data is leaked to the guests: a 96
bit leak to guests running in 64-bit mode; or, a 32 bit leak to other


A malicious unprivileged guest may be able to obtain sensitive
information from the host.


Xen versions 3.3 through 4.7 are affected. Xen master and Xen 4.8 as
well as Xen versions 3.2 and earlier are not affected.

Only x86 systems are affected. ARM systems are not affected.

On Xen 4.6 and earlier the vulnerability is exposed to all HVM guest
user processes, including unprivileged processes.

On Xen 4.7, the vulnerability is exposed only to HVM guest user
processes granted a degree of privilege (such as direct hardware
access) by the guest administrator; or, to all user processes when the
VM has been explicitly configured with a non-default cpu vendor string
(in xm/xl, this would be done with a `cpuid=' domain config option).


There is no known mitigation.

External References:



Name: the Xen project

Comment 1 Adam Mariš 2016-12-13 13:41:13 UTC
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1404262]

Note You need to log in before you can comment on or make changes to this bug.