Date: Wed, 17 Feb 2016 12:28:04 +0000 From: Xen.org security team <security@....org> To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org, xen-users@...ts.xen.org, oss-security@...ts.openwall.com CC: Xen.org security team <security@....org> Subject: Xen Security Advisory 170 (CVE-2016-2271) - VMX: guest user mode may crash guest with non-canonical RIP -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2016-2271 / XSA-170 version 3 VMX: guest user mode may crash guest with non-canonical RIP UPDATES IN VERSION 3 ==================== Public release. ISSUE DESCRIPTION ================= VMX refuses attempts to enter a guest with an instruction pointer which doesn't satisfy certain requirements. In particular, the instruction pointer needs to be canonical when entering a guest currently in 64-bit mode. This is the case even if the VM entry information specifies an exception to be injected immediately (in which case the bad instruction pointer would possibly never get used for other than pushing onto the exception handler's stack). Provided the guest OS allows user mode to map the virtual memory space immediately below the canonical/non- canonical address boundary, a non-canonical instruction pointer can result even from normal user mode execution. VM entry failure, however, is fatal to the guest. IMPACT ====== Malicious HVM guest user mode code may be able to crash the guest. VULNERABLE SYSTEMS ================== All Xen versions are affected. Only systems using Intel or Cyrix CPUs are affected. ARM and AMD systems are unaffected. Only HVM guests are affected. MITIGATION ========== Running only PV guests will avoid this vulnerability. Running HVM guests on only AMD hardware will also avoid this vulnerability. CREDITS ======= This issue was discovered by Ling Liu of Qihoo 360 Inc. RESOLUTION ========== Applying the appropriate attached patch works around this issue. Note that it does so in a way which isn't architecturally correct, but no better solution has been found (nor suggested by Intel). xsa170.patch xen-unstable, Xen 4.6.x xsa170-4.5.patch Xen 4.5.x, Xen 4.4.x xsa170-4.3.patch Xen 4.3.x $ sha256sum xsa170* 77b4b14b2c93da5f68e724cf74e1616f7df2e78305f66d164b3de2d980221a9a xsa170.patch b35679bf7a35615d827efafff8d13c35ceec1184212e3c8ba110722b9ae8426f xsa170-4.3.patch 1df068fb439c7edc1e86dfa9ea3b9ae99b58cdc3ac874b96cdf63b26ef9a6b98 xsa170-4.5.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJWxGa0AAoJEIP+FMlX6CvZ3rkIAIo+pvKqkNbHjalgGpP4BVe7 +7tuVnL74wt5Dt4AuOFyPLnEaHbp5UkIKK++eP/urFCz5+/LbOqcWnfiQdWMLQ/t 17NX2CMSYUCwUAkMMjvbKvGM3W8AJ85naIQho9KQSPbY1/Q51jDS5bLT06B2iRr4 njML2ii2OhOTGAvC2XmnidFNvLGQxlfeeC75O9dbCFENSYn5WbdmHonTnK8qm22H eEvLlzg4D6yAmEaqHHZJ3bz1qtTw5FDNm/0tdZ1LO7lMuK01nMHSMmWG/Agc7219 lQH22N0+YTtgQKf65QciEThEnvTeDpeq84m64GqVhwzwssl1JrywrSsVkaQOnKA= =Ca+d -----END PGP SIGNATURE----- Download attachment "xsa170.patch" of type "application/octet-stream" (3187 bytes) Download attachment "xsa170-4.3.patch" of type "application/octet-stream" (3139 bytes) Download attachment "xsa170-4.5.patch" of type "application/octet-stream" (3189 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ