[kernel-xen] Xen Security Advisory 67 (CVE-2013-4368) - Information leak through outs instruction emulation

Steven Haigh netwiz at crc.id.au
Fri Oct 11 02:42:39 EST 2013


             Xen Security Advisory CVE-2013-4368 / XSA-67
                              version 2

         Information leak through outs instruction emulation

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

The emulation of the outs instruction for 64-bit PV guests uses an
uninitialized variable as the segment base for the source data when an
FS: or GS: segment override is used and the segment descriptor pointed
to by the non-null selector in the corresponding segment register cannot
be read by the emulation code. This is possible if the segment register
was loaded before a more recent GDT or LDT update, i.e. the segment
register contains stale data.

A malicious guest might be able to obtain the contents of the
hypervisor stack through the fault address passed to the page fault
handler if the outs instruction raises such a fault (which is mostly
under guest control).  Other methods for indirectly deducing the
information also exist.
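
As an added illustration of the defect class (hypothetical model code, not Xen's source and not the XSA-67 patch), the following C shows an I/O-string emulator whose source base is left unset when the descriptor lookup fails, beside the form that aborts the emulation instead; the selector values and descriptor table are constructed for the example, and the `stack_garbage` parameter stands in for whatever the uninitialized local would have held.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Constructed selectors: index 2 is present, index 7 lies past the table. */
#define SEL_VALID  0x0010
#define SEL_STALE  0x0038

struct descriptor { uint64_t base; bool present; };

/* Constructed descriptor table standing in for the current GDT/LDT. */
static const struct descriptor table[] = {
    {0, false}, {0, false}, {0x7f0000000000ULL, true}, {0, false},
};
static const size_t table_entries = sizeof table / sizeof table[0];

/* Returns false when the selector cannot be resolved (e.g. stale after a
 * table update), which is exactly the path the advisory describes. */
static bool read_descriptor(uint16_t sel, struct descriptor *out)
{
    size_t idx = sel >> 3;
    if (idx >= table_entries || !table[idx].present)
        return false;
    *out = table[idx];
    return true;
}

/* Vulnerable shape: on lookup failure the base keeps whatever the stack
 * slot held, and that value flows into the address the guest can observe
 * through the resulting fault. */
uint64_t outs_source_vulnerable(uint16_t sel, uint64_t off,
                                uint64_t stack_garbage)
{
    uint64_t base = stack_garbage;   /* models the uninitialized local */
    struct descriptor d;
    if (read_descriptor(sel, &d))
        base = d.base;
    return base + off;               /* garbage reaches the fault address */
}

/* Hardened shape: a failed lookup terminates the emulation with an error
 * (the caller would inject a fault) before any base value is consumed. */
int outs_source_hardened(uint16_t sel, uint64_t off, uint64_t *linear)
{
    struct descriptor d;
    if (!read_descriptor(sel, &d))
        return -1;                   /* never use an unset base */
    *linear = d.base + off;
    return 0;
}
```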

IMPACT
======

A malicious 64-bit PV guest might conceivably gain access to sensitive
data relating to other guests.

VULNERABLE SYSTEMS
==================

Xen 3.1.x and later are vulnerable.

Only 64-bit PV guests can take advantage of this vulnerability.

MITIGATION
==========

Running only HVM or 32-bit PV guests will avoid this issue.

CREDITS
=======

This issue was discovered by Coverity Scan and Matthew Daley.

RESOLUTION
==========

Fixed in xen-4.2.3-4
