Bugzilla – Bug 970965
VUL-0: CVE-2016-3157: xen: kernel: Xen Security Advisory XSA-171 I/O port access privilege escalation in x86-64 Linux
Last modified: 2016-05-03 04:43:29 UTC
CRD: 2016-03-16 19:00 UTC
None of our release products are affected afaict.
(In reply to Jan Beulich from comment #2)
> None of our release products are affected afaict.

And this is actually a kernel-side issue, not hypervisor or tools.
bugbot adjusting priority
Hmm. Does it affect any of our kernels? The code looks similar?
See #2. Only SLE12 SP2 and TW would be affected. Depending on whether those need taking care of, the issue here should either be closed or the assignee be changed. Please advise.
Then let's assign to Michal for the SLES 12 SP2 kernel. (Note: still embargoed.)
Since SLE12-SP2 is not released, I'll wait until the issue becomes public and possibly until the fix appears in 4.4.y stable.
(In reply to Marcus Meissner from comment #7)
> then lets assign to michal for SLES 12 SP2 kernel.

Well, I would have expected Jürgen to become the assignee then.
Jürgen is indeed the right assignee, but there is no action required right now, as the bug is embargoed and the affected products are not released yet.
is public.

Xen Security Advisory CVE-2016-3157 / XSA-171
version 4

I/O port access privilege escalation in x86-64 Linux

UPDATES IN VERSION 4
====================

Clarify Vulnerable Systems section.

Public release.

ISSUE DESCRIPTION
=================

IRET and POPF do not modify EFLAGS.IOPL when executed by code at a privilege level other than zero. Since PV Xen guests run at privilege level 3 (for 64-bit ones; 32-bit ones run at privilege level 1), to compensate for this the context switching of EFLAGS.IOPL requires the guest to make use of a dedicated hypercall (PHYSDEVOP_set_iopl). The invocation of this hypercall, while present in the 32-bit context switch path, is missing from its 64-bit counterpart.

IMPACT
======

User mode processes not supposed to be able to access I/O ports may be granted such permission, potentially resulting in one or more of in-guest privilege escalation, guest crashes (Denial of Service), or in-guest information leaks.

VULNERABLE SYSTEMS
==================

All upstream x86-64 Linux versions operating as PV Xen guests are vulnerable.

ARM systems are not vulnerable.

x86 HVM guests are not vulnerable.

32-bit Linux guests are not vulnerable.

x86-64 Linux versions derived from linux-2.6.18-xen.hg (XenoLinux) are not vulnerable.

We believe that non-Linux guests are not vulnerable, as we are not aware of any with an analogous bug.

MITIGATION
==========

Running only HVM or 32-bit PV guests will avoid this issue.

CREDITS
=======

This issue was discovered by Andy Lutomirski.

RESOLUTION
==========

Applying the attached patch resolves this issue for the indicated Linux versions.

xsa171.patch        Linux 4.5-rc7, Linux 4.4.x

$ sha256sum xsa171*
5d47ead1212c735b444ac8f82e7f311cda3473fe3847e576c3772ce020265dfd  xsa171.patch
$
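The architectural rule the advisory rests on, as an added illustration that is not code from the advisory, the Xen project or the Linux kernel: POPF/IRET load EFLAGS.IOPL from the stack image only at CPL 0, so a 64-bit PV kernel running at CPL 3 keeps the previous task's IOPL across a context switch unless it issues PHYSDEVOP_set_iopl. The `vcpu` model, `switch_to` and `resulting_iopl` are simplified hypothetical constructions; only the EFLAGS bit positions and the CPL rules are real.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define EFLAGS_IF   (1u << 9)      /* interrupt enable flag */
#define EFLAGS_IOPL (3u << 12)     /* I/O privilege level, bits 12-13 */
#define IOPL(fl)    (((fl) & EFLAGS_IOPL) >> 12)

/* Architectural POPF/IRET rule (simplified, no VM/VIF handling):
 * IOPL is loaded from the image only when CPL == 0;
 * IF is loaded from the image only when CPL <= current IOPL. */
static uint32_t popf_eflags(unsigned cpl, uint32_t cur, uint32_t image)
{
    uint32_t fl = image;
    if (cpl != 0)
        fl = (fl & ~EFLAGS_IOPL) | (cur & EFLAGS_IOPL);   /* IOPL sticks */
    if (cpl > IOPL(cur))
        fl = (fl & ~EFLAGS_IF) | (cur & EFLAGS_IF);       /* IF sticks too */
    return fl;
}

/* Hypothetical model of the vCPU state the hypervisor keeps for a PV guest. */
struct vcpu { uint32_t eflags; unsigned kernel_cpl; };

/* Model of PHYSDEVOP_set_iopl: the only way a PV kernel changes its IOPL. */
static void physdevop_set_iopl(struct vcpu *v, unsigned iopl)
{ v->eflags = (v->eflags & ~EFLAGS_IOPL) | (iopl << 12); }

/* Context switch to a task whose saved EFLAGS image carries its own IOPL.
 * use_hypercall == false models the 64-bit path before the XSA-171 fix.
 * Returns the IOPL the next task actually runs with after the IRET. */
static unsigned switch_to(struct vcpu *v, uint32_t next_image, bool use_hypercall)
{
    if (use_hypercall && IOPL(v->eflags) != IOPL(next_image))
        physdevop_set_iopl(v, IOPL(next_image));
    v->eflags = popf_eflags(v->kernel_cpl, v->eflags, next_image); /* IRET */
    return IOPL(v->eflags);
}

/* Scenario: a task holding IOPL 3 is switched out for an ordinary task (IOPL 0). */
static unsigned resulting_iopl(unsigned kernel_cpl, bool use_hypercall)
{
    struct vcpu v = { .eflags = EFLAGS_IF | (3u << 12), .kernel_cpl = kernel_cpl };
    return switch_to(&v, EFLAGS_IF /* image with IOPL 0 */, use_hypercall);
}

int main(void)
{
    printf("native kernel (CPL 0), IRET only    -> IOPL %u\n", resulting_iopl(0, false));
    printf("64-bit PV kernel (CPL 3), IRET only -> IOPL %u\n", resulting_iopl(3, false));
    printf("64-bit PV kernel (CPL 3), hypercall -> IOPL %u\n", resulting_iopl(3, true));
    return 0;
}
```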
Patch is in 4.4.7 and 4.5.1 now.
Upstream patch now in kernel-src.