1370322 – (CVE-2016-7093, xsa186) CVE-2016-7093 xen: x86: Mishandling of instruction pointer truncation during emulation

Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1370322 (CVE-2016-7093, xsa186) - CVE-2016-7093 xen: x86: Mishandling of instruction pointer truncation during emulation

Summary: CVE-2016-7093 xen: x86: Mishandling of instruction pointer truncation during ...

Keywords:
Status:	CLOSED WONTFIX
Alias:	CVE-2016-7093, xsa186
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1374471
Blocks:
TreeView+	depends on / blocked

Reported:	2016-08-26 00:33 UTC by Jeremy Choi
Modified:	2021-02-17 03:25 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-09-08 18:40:19 UTC
Embargoed:

Attachments	(Terms of Use)
*xen-unstable: xsa186-0001-.patch xsa186-0002-.patch* (deleted) 2016-08-26 00:35 UTC, Jeremy Choi	no flags	Details
xsa186-0002-hvm-fep-Allow-testing-of-instructions-crossing-the-1.patch (deleted) 2016-08-26 00:41 UTC, Jeremy Choi	no flags	Details \| Diff
xsa186-4.6-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch (deleted) 2016-08-26 00:42 UTC, Jeremy Choi	no flags	Details \| Diff
xsa186-4.7-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch (deleted) 2016-08-26 00:42 UTC, Jeremy Choi	no flags	Details \| Diff
View All

Description Jeremy Choi 2016-08-26 00:33:58 UTC

ISSUE DESCRIPTION
=================

When emulating HVM instructions, Xen uses a small i-cache for fetches
from guest memory. The code that handles cache misses does not check
if the address from which it fetched lies within the cache before
blindly writing to it. As such it is possible for the guest to
overwrite hypervisor memory.

It is currently believed that the only way to trigger this bug is to
use the way that Xen currently incorrectly wraps CS:IP in 16 bit
modes. The included patch prevents such wrapping.

IMPACT
======

A malicious HVM guest administrator can escalate their privilege to that
of the host.

VULNERABLE SYSTEMS
==================

Xen versions 4.7.0 and later are vulnerable.
Xen releases 4.6.3 and 4.5.3 are vulnerable.

Xen releases 4.6.0 to 4.6.2 inclusive are NOT vulnerable.
Xen releases 4.5.2 and earlier are NOT vulnerable.

The vulnerability is only exposed to HVM guests on x86 hardware.

The vulnerability is not exposed to x86 PV guests, or ARM guests.

MITIGATION
==========

Running only PV guests will avoid this vulnerability.

RESOLUTION
==========

Applying the first patch will resolve the issue.

Users wishing to independently verify the correctness of the fix may
find the second patch helpful. The second patch makes it easier to
use the "fep" (Force Emulation Prefix) feature to reproduce the
erroneous condition in a test environment. The "fep" feature requires
explicit enablement on the hypervisor command line, and is unsuitable
for production systems. Accordingly, applying the second patch does
  not affect production systems and does not improve security.

  Xen version First patch Second patch
  xen-unstable: xsa186-0001-*.patch xsa186-0002-*.patch
  Xen 4.7.x: xsa186-0001-*.patch xsa186-4.7-0002-*.patch
  Xen 4.6.3: xsa186-0001-*.patch xsa186-4.6-0002-*.patch
  Xen 4.5.3: xsa186-0001-*.patch xsa186-4.6-0002-*.patch

  $ sha256sum xsa186*
  7fcd5b34b6fee627430536f14b025e93e079ed78f4749cef6d7e1e8ed12727a9 xsa186-0001-x86-emulate-Correct-boundary-interactions-of-emulate.patch
  3f67cb77fce0161f5e42077c5946d737d9be92ed1d89e61c4b15c510f51b2319 xsa186-0002-hvm-fep-Allow-testing-of-instructions-crossing-the-1.patch
  48271b1a50538f94cb4b14d90a8acbdb573eaa9762b049d230f81f92106d9403 xsa186-4.6-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch
  71ce90a5b164302f9d4c413cfedda7735bb9f0ffd600ce0f0db3d65f166955a5 xsa186-4.7-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch
  $

Comment 1 Jeremy Choi 2016-08-26 00:35:40 UTC

Created attachment 1194169 [details]
xen-unstable: xsa186-0001-*.patch xsa186-0002-*.patch

Comment 2 Jeremy Choi 2016-08-26 00:41:21 UTC

Created attachment 1194170 [details]
xsa186-0002-hvm-fep-Allow-testing-of-instructions-crossing-the-1.patch

Comment 3 Jeremy Choi 2016-08-26 00:42:05 UTC

Created attachment 1194171 [details]
xsa186-4.6-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch

Comment 4 Jeremy Choi 2016-08-26 00:42:26 UTC

Created attachment 1194172 [details]
xsa186-4.7-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch

Comment 5 Andrej Nemec 2016-08-26 10:48:54 UTC

Xen Security Advisory CVE-2016-7093 / XSA-186
version 2

UPDATES IN VERSION 2
====================

CVE assigned.

Comment 6 Martin Prpič 2016-09-08 18:39:41 UTC

Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1374471]

Comment 7 Martin Prpič 2016-09-08 18:40:19 UTC

External References:

https://xenbits.xen.org/xsa/advisory-186.html

Comment 8 Martin Prpič 2016-09-08 19:02:12 UTC

Acknowledgements:

Name: the Xen project
Upstream: Brian Marcotte

Comment 9 Fedora Update System 2016-09-13 22:21:52 UTC

xen-4.6.3-5.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2016-09-14 15:55:45 UTC

xen-4.7.0-5.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.