Bugzilla – Bug 970965
VUL-0: CVE-2016-3157: xen: kernel: Xen Security Advisory XSA-171 I/O port access privilege escalation in x86-64 Linux
Last modified: 2016-05-03 04:43:29 UTC
CRD: 2016-03-16 19:00 UTC
None of our release products are affected afaict.
(In reply to Jan Beulich from comment #2)
> None of our release products are affected afaict.
and this is actually a kernel side issue, not hypervisor or tools.
bugbot adjusting priority
Hmm. Does it affect any of our kernels? The code looks similar?
See #2. Only SLE12 SP2 and TW would be affected. Depending on whether those need taking care of, the issue here should either be closed or the assignee be changed. Please advise.
Then let's assign to Michal for SLES 12 SP2 kernel.
(note: still embargoed)
Since SLE12-SP2 is not released, I'll wait until the issue becomes public and possibly until the fix appears in 4.4.y stable.
(In reply to Marcus Meissner from comment #7)
> Then let's assign to Michal for SLES 12 SP2 kernel.
Well, I would have expected Jürgen to become the assignee then.
Jürgen is indeed the right assignee, but there is no action required right now, as the bug is embargoed and the affected products are not released yet.
Xen Security Advisory CVE-2016-3157 / XSA-171
I/O port access privilege escalation in x86-64 Linux
UPDATES IN VERSION 4
Clarify Vulnerable Systems section.
IRET and POPF do not modify EFLAGS.IOPL when executed by code at a
privilege level other than zero. Since PV Xen guests run at privilege
level 3 (for 64-bit ones; 32-bit ones run at privilege level 1), to
compensate for this the context switching of EFLAGS.IOPL requires the
guest to make use of a dedicated hypercall (PHYSDEVOP_set_iopl). The
invocation of this hypercall, while present in the 32-bit context
switch path, is missing from its 64-bit counterpart.
User mode processes not supposed to be able to access I/O ports may
be granted such permission, potentially resulting in one or more of
in-guest privilege escalation, guest crashes (Denial of Service), or
in-guest information leaks.
All upstream x86-64 Linux versions operating as PV Xen guests are
ARM systems are not vulnerable. x86 HVM guests are not vulnerable.
32-bit Linux guests are not vulnerable.
x86-64 Linux versions derived from linux-2.6.18-xen.hg (XenoLinux) are
We believe that non-Linux guests are not vulnerable, as we are not
aware of any with an analogous bug.
Running only HVM or 32-bit PV guests will avoid this issue.
This issue was discovered by Andy Lutomirski.
Applying the attached patch resolves this issue for the indicated Linux
xsa171.patch Linux 4.5-rc7, Linux 4.4.x
$ sha256sum xsa171*
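The advisory's issue description can be followed in a small user-space model, added here as an example; it is not kernel code, not the xsa171 patch, and not part of the advisory or this bug thread. The struct names, the `hypercall_set_iopl` stand-in for PHYSDEVOP_set_iopl, and the task values are assumptions made for illustration.

```c
#include <stdio.h>

/* Simplified model (constructed for illustration): for a PV guest the
 * effective IOPL is per-vCPU state that only the PHYSDEVOP_set_iopl
 * hypercall changes; IRET/POPF in the guest kernel cannot alter it. */
struct vcpu { unsigned iopl; };
struct task { unsigned iopl; };   /* IOPL this task is entitled to */

typedef void (*switch_fn)(struct vcpu *, const struct task *, const struct task *);

/* Stand-in for the hypercall; hypothetical name. */
static void hypercall_set_iopl(struct vcpu *v, unsigned iopl) { v->iopl = iopl; }

/* 64-bit path as the advisory describes it: the hypercall is missing. */
static void switch_without_hypercall(struct vcpu *v, const struct task *prev,
                                     const struct task *next)
{
    (void)v; (void)prev; (void)next;   /* vCPU IOPL is left untouched */
}

/* Path that re-applies the incoming task's IOPL, as the 32-bit path does. */
static void switch_with_hypercall(struct vcpu *v, const struct task *prev,
                                  const struct task *next)
{
    if (prev->iopl != next->iopl)
        hypercall_set_iopl(v, next->iopl);
}

/* Port instructions are allowed when CPL <= IOPL; user mode is CPL 3.
 * The I/O permission bitmap is ignored in this model. */
static int user_port_access(const struct vcpu *v) { return v->iopl >= 3; }

/* Task A legitimately holds IOPL 3, then the vCPU switches to task B
 * (IOPL 0). Returns 1 if B ends up with port access it was never granted. */
static int iopl_leaks(switch_fn do_switch)
{
    struct vcpu v = { 0 };
    struct task a = { 3 }, b = { 0 };
    hypercall_set_iopl(&v, a.iopl);    /* A raised its IOPL while running */
    do_switch(&v, &a, &b);
    return user_port_access(&v);
}

int main(void)
{
    printf("without hypercall: leak=%d\n", iopl_leaks(switch_without_hypercall));
    printf("with hypercall:    leak=%d\n", iopl_leaks(switch_with_hypercall));
    return 0;
}
```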
Patch is in 4.4.7 and 4.5.1 now.
Upstream patch now in kernel-src.