[3.4] xen: Security issues (CVE-2016-3157, CVE-2016-3158, CVE-2016-3159, CVE-2016-3960, CVE-2016-3961)
CVE-2016-3157, XSA-171: I/O port access privilege escalation in x86-64 Linux
IRET and POPF do not modify EFLAGS.IOPL when executed by code at a
privilege level other than zero. Since PV Xen guests run at privilege
level 3 (for 64-bit ones; 32-bit ones run at privilege level 1), to
compensate for this the context switching of EFLAGS.IOPL requires the
guest to make use of a dedicated hypercall (PHYSDEVOP_set_iopl). The
invocation of this hypercall, while present in the 32-bit context
switch path, is missing from its 64-bit counterpart.
References:
http://xenbits.xen.org/xsa/advisory-171.html
CVE-2016-3158, CVE-2016-3159, XSA-172: broken AMD FPU FIP/FDP/FOP leak workaround
There is a workaround in Xen to deal with the fact that AMD CPUs don’t
load the x86 registers FIP (and possibly FCS), FDP (and possibly FDS),
and FOP from memory (via XRSTOR or FXRSTOR) when there is no pending
unmasked exception. (See XSA-52.)
However, this workaround does not cover all possible input cases.
This is because writes to the hardware FSW.ES bit, which the current
workaround is based on, are ignored; instead, the CPU calculates
FSW.ES from the pending exception and exception mask bits. Xen
therefore needs to do the same.
References:
http://xenbits.xen.org/xsa/advisory-172.html
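To make the XSA-172 point concrete, here is an added illustration (not Xen's code and not part of the advisory) that models the restore behaviour described above and contrasts the stored-ES-bit check with one that recomputes ES from the exception flags and mask bits; the struct layouts, function names and sample register values are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>

/* x87 status word (FSW) and control word (FCW) bits, Intel SDM vol. 1, 8.1.3-8.1.5. */
#define FSW_EXC_FLAGS 0x003fu  /* IE DE ZE OE UE PE in bits 0-5; FCW masks use the same bits */
#define FSW_ES        0x0080u  /* error summary: set iff some unmasked exception flag is set */

/* Stand-ins for the relevant parts of an FXSAVE image and the live registers (constructed; not Xen's). */
struct fpu_image { uint16_t fcw, fsw, fop; uint64_t fip, fdp; };
struct fpu_regs  { uint16_t fop; uint64_t fip, fdp; };

/* The check the advisory says is insufficient: trust the ES bit stored in the image. */
bool es_bit_says_pending(const struct fpu_image *img)
{
    return (img->fsw & FSW_ES) != 0;
}

/* The check the advisory asks for: derive ES the way the CPU does, from the exception
 * flags ANDed with the complement of the corresponding FCW mask bits. */
bool unmasked_exception_pending(const struct fpu_image *img)
{
    return (img->fsw & ~img->fcw & FSW_EXC_FLAGS) != 0;
}

/* Model of XRSTOR/FXRSTOR on the affected AMD CPUs: FIP/FDP/FOP are loaded from the
 * image only when the CPU's own ES computation finds a pending exception (the stored
 * ES bit is ignored); otherwise the registers keep their previous contents. */
void model_restore(struct fpu_regs *regs, const struct fpu_image *img)
{
    if (unmasked_exception_pending(img)) {
        regs->fip = img->fip; regs->fdp = img->fdp; regs->fop = img->fop;
    }
}

/* Workaround step before the restore: when the CPU will not load the fields, overwrite
 * them so the previous context's values cannot survive. Xen uses a dummy x87 load;
 * modelled here as zeroing. trust_es_bit selects the old (insufficient) check. */
void pre_restore_scrub(struct fpu_regs *regs, const struct fpu_image *img, bool trust_es_bit)
{
    bool pending = trust_es_bit ? es_bit_says_pending(img) : unmasked_exception_pending(img);
    if (!pending) { regs->fip = 0; regs->fdp = 0; regs->fop = 0; }
}

/* Image with ES=1 but every exception masked (FCW 0x037f is the FNINIT default): the old
 * check believes an exception is pending and skips the scrub, the CPU computes ES=0 and
 * does not load the fields, so the previous context's FIP survives. Returns true on leak. */
bool previous_fip_leaks(bool trust_es_bit)
{
    struct fpu_regs  regs = { .fop = 0x1234, .fip = 0xdeadbeefULL, .fdp = 0xcafebabeULL };
    struct fpu_image img  = { .fcw = 0x037f, .fsw = FSW_ES, .fop = 0, .fip = 0, .fdp = 0 };
    pre_restore_scrub(&regs, &img, trust_es_bit);
    model_restore(&regs, &img);
    return regs.fip == 0xdeadbeefULL;
}
```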
CVE-2016-3960, XSA-173: x86 shadow pagetables: address width overflow
In the x86 shadow pagetable code, the guest frame number of a
superpage mapping is stored in a 32-bit field. If a shadowed guest
can cause a superpage mapping of a guest-physical address at or above
2^44 to be shadowed, the top bits of the address will be lost, causing
an assertion failure or NULL dereference later on, in code that
removes the shadow.
References:
http://xenbits.xen.org/xsa/advisory-173.html
CVE-2016-3961: hugetlbfs use may crash PV Linux guests
Huge (2Mb) pages are generally unavailable to PV guests. Since x86
Linux pvops-based kernels are generally multi-purpose, they would
normally be built with hugetlbfs support enabled. Use of that
functionality by an application in a PV guest would cause an
infinite page fault loop, and an OOPS to occur upon an attempt to
terminate the hung application.
References:
http://xenbits.xen.org/xsa/advisory-174.html
(from redmine: issue id 5489, created on 2016-04-25, closed on 2016-05-10)
- Relations:
- parent #5488 (closed)
- Changesets:
- Revision 40a3ee6c on 2016-05-09T12:36:00Z:
main/xen: security fixes (CVE-2016-3158, CVE-2016-3159, CVE-2016-3960). Fixes #5489
- Revision 7be5a1ac on 2016-05-09T13:31:07Z:
main/linux-grsec: security fixes (CVE-2016-3157, CVE-2016-3961). Fixes #5489
- Revision b23dbe4b on 2016-05-09T14:24:21Z:
main/linux-vanilla: security fixes (CVE-2016-3157, CVE-2016-3961). Fixes #5489