ISSUE DESCRIPTION ================= Supervisor Mode Access Prevention is a hardware feature designed to make an Operating System more robust, by raising a pagefault rather than accidentally following a pointer into userspace. However, legitimate accesses into userspace require whitelisting, and the exception delivery mechanism for 32bit PV guests wasn't whitelisted. IMPACT ====== A malicious 32-bit PV guest kernel can trigger a safety check, crashing the hypervisor and causing a denial of service to other VMs on the host. VULNERABLE SYSTEMS ================== Xen version 4.5 and newer are vulnerable. Versions 4.4 and older are not, due to not having software support for SMAP. The vulnerability is only exposed on x86 hardware supporting the SMAP feature (Intel Broadwell and later CPUs). The vulnerability is not exposed on ARM hardware, or x86 hardware which do not support SMAP. The vulnerability is only exposed to x86 32bit PV guests. The vulnerability is not exposed to 64bit PV guests or HVM guests. MITIGATION ========== Running only HVM guests or 64-bit PV guests, avoids the vulnerability. Disabling SMAP in the hypervisor by booting Xen with "smap=0" on the command line will avoid this vulnerability. (Depending on the circumstances this workaround may pose a small risk of increasing the impact of other, possibly unknown, vulnerabilities.) External References: http://xenbits.xen.org/xsa/advisory-183.html Acknowledgements: Name: the Xen project
Created attachment 1179128 [details] XSA-183 unstable patch
Created attachment 1179129 [details] Xen 4.6 patch
CVE-2016-6259 was assigned to this issue.
Created attachment 1183633 [details] Xen 4.6 patch
Created xen tracking bugs for this issue: Affects: fedora-all [bug 1360359]
xen-4.6.3-4.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
xen-4.5.3-9.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.