Bug 970965 - (CVE-2016-3157) VUL-0: CVE-2016-3157: xen: kernel: Xen Security Advisory XSA-171 I/O port access privilege escalation in x86-64 Linux
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Major
Target Milestone: ---
Assigned To: Jürgen Groß
QA Contact: Security Team bot
Reported: 2016-03-14 13:39 UTC by Victor Pereira
Modified: 2016-05-03 04:43 UTC (History)
CC: 7 users



Attachments
official patch (1.96 KB, patch), 2016-03-14 13:39 UTC, Victor Pereira

Comment 1 Victor Pereira 2016-03-14 13:40:49 UTC
CRD: 2016-03-16 19:00 UTC
Comment 2 Jan Beulich 2016-03-14 14:54:16 UTC
None of our release products are affected afaict.
Comment 3 Charles Arnold 2016-03-14 17:48:43 UTC
(In reply to Jan Beulich from comment #2)
> None of our release products are affected afaict.

And this is actually a kernel-side issue, not hypervisor or tools.
Comment 4 Swamp Workflow Management 2016-03-14 23:01:42 UTC
bugbot adjusting priority
Comment 5 Marcus Meissner 2016-03-15 12:54:05 UTC
hmm. does it affect any of our kernels? the code looks similar?
Comment 6 Jan Beulich 2016-03-15 13:19:17 UTC
See #2. Only SLE12 SP2 and TW would be affected. Depending on whether those need taking care of, the issue here should either be closed or the assignee be changed. Please advise.
Comment 7 Marcus Meissner 2016-03-15 13:27:15 UTC
Then let's assign to Michal for the SLES 12 SP2 kernel.

(note: still embargoed)
Comment 8 Michal Marek 2016-03-15 13:34:29 UTC
Since SLE12-SP2 is not released, I'll wait until the issue becomes public and possibly until the fix appears in 4.4.y stable.
Comment 9 Jan Beulich 2016-03-15 13:35:28 UTC
(In reply to Marcus Meissner from comment #7)
> then lets assign to michal for SLES 12 SP2 kernel.

Well, I would have expected Jürgen to become the assignee then.
Comment 10 Michal Marek 2016-03-15 14:22:09 UTC
Jürgen is indeed the right assignee, but there is no action required right now, as the bug is embargoed and the affected products are not released yet.
Comment 11 Marcus Meissner 2016-03-22 12:10:02 UTC
is public.


            Xen Security Advisory CVE-2016-3157 / XSA-171
                              version 4

         I/O port access privilege escalation in x86-64 Linux

UPDATES IN VERSION 4
====================

Clarify Vulnerable Systems section.

Public release.

ISSUE DESCRIPTION
=================

IRET and POPF do not modify EFLAGS.IOPL when executed by code at a
privilege level other than zero.  Since PV Xen guests run at privilege
level 3 (for 64-bit ones; 32-bit ones run at privilege level 1), to
compensate for this the context switching of EFLAGS.IOPL requires the
guest to make use of a dedicated hypercall (PHYSDEVOP_set_iopl).  The
invocation of this hypercall, while present in the 32-bit context
switch path, is missing from its 64-bit counterpart.

IMPACT
======

User mode processes not supposed to be able to access I/O ports may
be granted such permission, potentially resulting in one or more of
in-guest privilege escalation, guest crashes (Denial of Service), or
in-guest information leaks.

VULNERABLE SYSTEMS
==================

All upstream x86-64 Linux versions operating as PV Xen guests are
vulnerable.

ARM systems are not vulnerable.  x86 HVM guests are not vulnerable.
32-bit Linux guests are not vulnerable.

x86-64 Linux versions derived from linux-2.6.18-xen.hg (XenoLinux) are
not vulnerable.

We believe that non-Linux guests are not vulnerable, as we are not
aware of any with an analogous bug.

MITIGATION
==========

Running only HVM or 32-bit PV guests will avoid this issue.

CREDITS
=======

This issue was discovered by Andy Lutomirski.

RESOLUTION
==========

Applying the attached patch resolves this issue for the indicated Linux
versions.

xsa171.patch           Linux 4.5-rc7, Linux 4.4.x

$ sha256sum xsa171*
5d47ead1212c735b444ac8f82e7f311cda3473fe3847e576c3772ce020265dfd  xsa171.patch
$
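The advisory's issue description comes down to one hardware rule: IRET and POPF only write EFLAGS.IOPL when executed at CPL 0, and a 64-bit PV guest kernel runs at CPL 3, so restoring the flags image on a context switch silently leaves the previous task's IOPL in place unless the guest also issues PHYSDEVOP_set_iopl. The following C model is an added example, not code from the advisory, the Linux kernel or Xen; the type and function names (`cpu_state`, `popf`, `physdevop_set_iopl`, `switch_to_flags_only`, `switch_to_with_hypercall`, `effective_iopl_after_switch`) are hypothetical and the scenario (task A with iopl(3) switched out, task B without port rights switched in) is constructed. It shows why the native kernel and the fixed PV path leave B with IOPL 0 while the flags-only PV path leaves B able to reach I/O ports.

```c
/* Added example (not from the advisory, the Linux kernel or Xen): a model of
 * why a PV x86-64 Linux kernel must use PHYSDEVOP_set_iopl to switch IOPL.
 * Names are hypothetical; the rule they encode comes from the advisory:
 * IRET/POPF leave EFLAGS.IOPL unchanged unless executed at CPL 0. */
#include <stdbool.h>
#include <stdio.h>

struct cpu_state {
    unsigned cpl;   /* privilege level the guest kernel runs at: 0 native, 3 for 64-bit PV */
    unsigned iopl;  /* EFLAGS.IOPL currently in effect for user mode */
};

struct task {
    const char *name;
    unsigned iopl;  /* IOPL the task is entitled to: 0 = no port access, 3 = iopl(3) */
};

/* POPF/IRET semantics: the IOPL field is only written at CPL 0. */
static void popf(struct cpu_state *cpu, unsigned new_iopl)
{
    if (cpu->cpl == 0)
        cpu->iopl = new_iopl;
    /* at CPL != 0 the IOPL bits in the flags image are silently ignored */
}

/* Model of the PHYSDEVOP_set_iopl hypercall: the hypervisor applies it
 * for the guest regardless of the CPL the guest kernel runs at. */
static void physdevop_set_iopl(struct cpu_state *cpu, unsigned new_iopl)
{
    cpu->iopl = new_iopl;
}

/* The iopl() system call path: grants the calling task its IOPL.  Both
 * variants of the kernel got this part right, which is why task A can
 * hold IOPL 3 at all. */
static void sys_iopl(struct cpu_state *cpu, struct task *t, unsigned level)
{
    t->iopl = level;
    if (cpu->cpl == 0)
        popf(cpu, level);
    else
        physdevop_set_iopl(cpu, level);
}

/* Context switch as the vulnerable 64-bit path behaved: the next task's
 * flags are restored through POPF/IRET only, with no hypercall. */
static void switch_to_flags_only(struct cpu_state *cpu,
                                 const struct task *prev, const struct task *next)
{
    (void)prev;
    popf(cpu, next->iopl);
}

/* Context switch with the fix the advisory describes for the 32-bit path:
 * when IOPL differs between the two tasks, ask the hypervisor to change it. */
static void switch_to_with_hypercall(struct cpu_state *cpu,
                                     const struct task *prev, const struct task *next)
{
    popf(cpu, next->iopl);               /* sufficient on native hardware (CPL 0) */
    if (cpu->cpl != 0 && prev->iopl != next->iopl)
        physdevop_set_iopl(cpu, next->iopl);
}

/* Hardware permits IN/OUT from user mode (CPL 3) only when CPL <= IOPL. */
static bool user_port_access_allowed(const struct cpu_state *cpu)
{
    return cpu->iopl >= 3;
}

/* Constructed scenario: A obtains iopl(3), then the scheduler switches to B,
 * which never asked for port access.  Returns the IOPL B runs with. */
static unsigned effective_iopl_after_switch(unsigned kernel_cpl, bool fixed)
{
    struct cpu_state cpu = { .cpl = kernel_cpl, .iopl = 0 };
    struct task a = { "A (iopl 3)", 0 };
    struct task b = { "B (no ports)", 0 };

    sys_iopl(&cpu, &a, 3);
    if (fixed)
        switch_to_with_hypercall(&cpu, &a, &b);
    else
        switch_to_flags_only(&cpu, &a, &b);
    return cpu.iopl;
}

int main(void)
{
    struct { const char *label; unsigned cpl; bool fixed; } cases[] = {
        { "native kernel, flags-only switch", 0, false },
        { "64-bit PV kernel, flags-only switch (XSA-171)", 3, false },
        { "64-bit PV kernel, switch with PHYSDEVOP_set_iopl", 3, true },
    };
    for (unsigned i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        struct cpu_state cpu = { .cpl = cases[i].cpl,
                                 .iopl = effective_iopl_after_switch(cases[i].cpl, cases[i].fixed) };
        printf("%-50s IOPL=%u user port access: %s\n", cases[i].label, cpu.iopl,
               user_port_access_allowed(&cpu) ? "ALLOWED" : "denied");
    }
    return 0;
}
```

The middle case is the advisory's finding: the flags image written by the guest kernel carries IOPL 0 for task B, but since the write happens at CPL 3 it has no effect, and B inherits A's IOPL 3. The fix mirrors what the 32-bit path already did, which is to compare the two tasks' IOPL values on every switch and hand the change to the hypervisor explicitly.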
Comment 12 Jürgen Groß 2016-04-13 04:20:38 UTC
Patch is in 4.4.7 and 4.5.1 now.
Comment 13 Jürgen Groß 2016-05-03 04:43:29 UTC
Upstream patch now in kernel-src.