ISSUE DESCRIPTION
=================

The compiler can emit optimizations in qemu which can lead to double fetch vulnerabilities. Specifically, data on the rings shared between qemu and the hypervisor (which the guest under control can obtain mappings of) can be fetched twice (during which time the guest can alter the contents), possibly leading to arbitrary code execution in qemu.

IMPACT
======

Malicious administrators can exploit this vulnerability to take over the qemu process, elevating their privilege to that of the qemu process.

In a system not using a device model stub domain (or other techniques for deprivileging qemu), malicious guest administrators can thus elevate their privilege to that of the host.

VULNERABLE SYSTEMS
==================

All Xen versions with all flavors of qemu are affected.

Only x86 HVM guests expose the vulnerability. x86 PV guests do not expose the vulnerability.

ARM systems are not vulnerable.

MITIGATION
==========

Running only PV guests will avoid the vulnerability.

Enabling stubdomains will mitigate this issue, by reducing the escalation to only those privileges accorded to the service domain. In a usual configuration, a service domain has only the privilege of the guest, so this eliminates the vulnerability.

The vulnerability can be avoided if the guest kernel is controlled by the host rather than guest administrator, provided that further steps are taken to prevent the guest administrator from loading code into the kernel (e.g. by disabling loadable modules etc) or from using other mechanisms which allow them to run code at kernel privilege.

External References:
http://xenbits.xen.org/xsa/advisory-197.html

Acknowledgements:
Name: the Xen project
Upstream: yanghongke (Huawei Security Test Team)
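As an added illustration (not code from the advisory, qemu or Xen), this is the defensive pattern behind the fix: snapshot the guest-writable request record exactly once, then validate and act only on the private copy, so a guest rewriting the ring between check and use changes nothing. The struct layout, field names and limits are assumed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Request record as a guest-writable ring would carry it.  Field names and
 * layout are assumed for this illustration, not taken from qemu/Xen headers. */
struct ioreq {
    uint64_t addr;
    uint32_t count;
    uint32_t size;   /* bytes per access: 1, 2, 4 or 8 */
    uint8_t  dir;    /* 0 = write to device, 1 = read from device */
    uint8_t  state;
};
/* Compiler-only barrier: orders the loads below before any later access. */
#define barrier() __asm__ __volatile__("" ::: "memory")

/* Read the shared record exactly once.  Volatile loads cannot be merged,
 * duplicated or elided by the optimizer; the barrier is belt and braces. */
static void ioreq_snapshot(const volatile struct ioreq *shared, struct ioreq *local)
{
    local->addr  = shared->addr;
    local->count = shared->count;
    local->size  = shared->size;
    local->dir   = shared->dir;
    local->state = shared->state;
    barrier();
}

/* Validate the private copy only; the guest can no longer change it. */
static int ioreq_valid(const struct ioreq *req)
{
    if (req->size != 1 && req->size != 2 && req->size != 4 && req->size != 8)
        return 0;
    return req->count != 0 && req->count <= 1024 && req->dir <= 1;
}

/* Returns bytes the device model would transfer, or -1 if rejected.  Every
 * check and every use go through 'req'; 'shared' is never read again. */
int handle_ioreq(const volatile struct ioreq *shared, uint8_t *buf, size_t buflen)
{
    struct ioreq req;
    ioreq_snapshot(shared, &req);
    if (!ioreq_valid(&req))
        return -1;
    size_t total = (size_t)req.count * req.size;
    if (total > buflen)
        return -1;
    memset(buf, req.dir ? 0xAB : 0x00, total); /* stand-in for the real copy */
    return (int)total;
}
```

The vulnerable shape the advisory describes is the opposite: checking `shared->size` in one place and reading `shared->size` again at the point of use, which lets the guest change it in between.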
Created attachment 1218538: qemu-upstream Xen 4.4.x
Created attachment 1218539: qemu-traditional Xen 4.5.x, Xen 4.4.x
Created attachment 1218541: qemu-upstream Xen 4.5.x
Created attachment 1218542: qemu-upstream Xen 4.6.x
Created attachment 1218544: qemu-traditional xen-unstable, Xen 4.7.x, Xen 4.6.x
Created attachment 1218545: qemu-upstream xen-unstable, Xen 4.7.x
Created xen tracking bugs for this issue: Affects: fedora-all [bug 1397383]
Created qemu tracking bugs for this issue: Affects: fedora-all [bug 1397385]
Upstream qemu commit:

commit b85f9dfdb156ae2a2a52f39a36e9f1f270614cd2
Author: Jan Beulich <JBeulich>
Date:   Tue Nov 22 05:56:51 2016 -0700

    xen: fix ioreq handling