Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 13 Feb 2013 16:50:41 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org,
 xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security@....org>
Subject: Xen Security Advisory 42 (CVE-2013-0228) - Linux kernel hits
 general protection if %ds is corrupt for 32-bit PVOPS.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

	     Xen Security Advisory CVE-2013-0228 / XSA-42
                            version 2

 Linux kernel hits general protection if %ds is corrupt for 32-bit PVOPS.


UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

Linux kernel when returning from an iret assumes that %ds segment is safe
and uses it to reference various per-cpu related fields. Unfortunately
the user can modify the LDT and provide a NULL one. Whenever an iret is called
we end up in xen_iret and try to use the %ds segment and cause an
general protection fault.

IMPACT
======

Malicious or buggy unprivileged user space can cause the guest kernel to
crash, or permit a privilege escalation within the guest, or operate
erroneously.

VULNERABLE SYSTEMS
==================

All 32bit PVOPS versions of Linux are affected, since the introduction
of Xen PVOPS support in 2.6.23.  Classic-Xen kernels are not vulnerable.

MITIGATION
==========

This can be mitigated by not running 32bit PVOPS Linux guests.

32bit classic-Xen guests, all 64bit PV guests and all HVM guests are
unaffected.


RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.


$ sha256sum xsa42*.patch
a931fdc161653fb1a3a6d8c1cf6d2c9954c5aec134b610be6e9699552a659eb8  xsa42-pvops-0001-x86-xen-don-t-assume-ds-is-usable-in-xen_iret-for-32.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJRG8PxAAoJEIP+FMlX6CvZC3gH/0v/9nr3jXbsMHZlkBRtCx9n
np1ed8btQGpmmk/WqbyLj/KcTNlXLIa1zwhTSPUgXlVIoDPuzstfGXm96gBNfYhS
hl56QYTruhHPAvvrAwE8SNIlMUH+n7Wq1BThkXFU1yBnjXxzTi4SdmUwy4gAA/SE
Xp35RAcIV6IwLRMMY12aat7XKnVx4S5n+gCC5eu0WZ+n73Ecrlqmsq+2X2ZHo3wP
nu9UN+PChmBJHfcA8OhelY/X4X4DV1HNPuFkj9ypyPrvXIrl6M0D5TfGoyRNXMHq
izAn51ro8gTGND6xY+s3auelquKiJkyl/5AXnfd0y9bSewGJS6oxoRzFdctJqxM=
=mgHb
-----END PGP SIGNATURE-----

[ CONTENT OF TYPE application/octet-stream SKIPPED ]

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ