Bug 530980 (CVE-2014-8866) - <app-emulation/xen-{4.2.5-r3,4.3.3-r3,4.4.1-r4}: multiple vulnerabilities (CVE-2014-{8866,8867})
Status: RESOLVED FIXED
Alias: CVE-2014-8866
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [glsa]
Reported: 2014-11-28 11:58 UTC by Agostino Sarubbo
Modified: 2015-04-11 20:37 UTC

Description Agostino Sarubbo gentoo-dev 2014-11-28 11:58:57 UTC
From http://www.openwall.com/lists/oss-security/2014/11/27/13:

            Xen Security Advisory CVE-2014-8866 / XSA-111
                              version 3

   Excessive checking in compatibility mode hypercall argument translation

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

The hypercall argument translation needed for 32-bit guests running on
64-bit hypervisors performs checks on the final register state.  These
checks cover all registers potentially holding hypercall arguments,
not just the ones actually doing so for the hypercall being processed,
since the code was originally intended for use only by PV guests.

While this is not a problem for PV guests (as they can't enter 64-bit
mode and hence can't alter the high halves of any of the registers),
the subsequent reuse of the same functionality for HVM guests exposed
those checks to values (specifically, unexpected values for the high
halves of registers not holding hypercall arguments) controlled by
guest software.

IMPACT
======

A buggy or malicious HVM guest can crash the host.

VULNERABLE SYSTEMS
==================

Xen 3.3 and onward are vulnerable.

Only x86 systems are vulnerable.  ARM systems are not vulnerable.

MITIGATION
==========

Running only PV guests will avoid this issue.

There is no mitigation available for HVM guests on any version of Xen
so far released by xenproject.org.

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa111-unstable.patch        xen-unstable, Xen 4.4.x
xsa111-4.3.patch             Xen 4.3.x
xsa111-4.2.patch             Xen 4.2.x



From http://www.openwall.com/lists/oss-security/2014/11/27/14:

            Xen Security Advisory CVE-2014-8867 / XSA-112
                              version 5

  Insufficient bounding of "REP MOVS" to MMIO emulated inside the hypervisor

UPDATES IN VERSION 5
====================

Public release.

ISSUE DESCRIPTION
=================

Acceleration support for the "REP MOVS" instruction, when the first
iteration accesses memory mapped I/O emulated internally in the
hypervisor, incorrectly assumes that the whole range accessed is
handled by the same hypervisor sub-component.

IMPACT
======

A buggy or malicious HVM guest can crash the host.

VULNERABLE SYSTEMS
==================

Xen versions from at least 3.2.x onwards are vulnerable on x86 systems.
Older versions have not been inspected.  ARM systems are not vulnerable.

MITIGATION
==========

Running only PV guests will avoid this issue.

There is no mitigation available for HVM guests.

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa112-unstable.patch        xen-unstable, Xen 4.4.x, Xen 4.3.x
xsa112-4.2.patch             Xen 4.2.x



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Yixun Lan archtester gentoo-dev 2014-12-19 06:54:32 UTC
fixed in xen-4.2.5-r3, xen-4.3.3-r3, xen-4.4.1-r4, see bug 532030
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2015-01-04 21:42:11 UTC
CVE-2014-8867 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8867):
  The acceleration support for the "REP MOVS" instruction in Xen 4.4.x, 3.2.x,
  and earlier lacks properly bounds checking for memory mapped I/O (MMIO)
  emulated in the hypervisor, which allows local HVM guests to cause a denial
  of service (host crash) via unspecified vectors.

CVE-2014-8866 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8866):
  The compatibility mode hypercall argument translation in Xen 3.3.x through
  4.4.x, when running on a 64-bit hypervisor, allows local 32-bit HVM guests
  to cause a denial of service (host crash) via vectors involving altering the
  high halves of registers while in 64-bit mode.
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2015-04-05 03:42:40 UTC
Maintainer(s), thank you for the cleanup.

Added to an existing GLSA Request.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2015-04-11 20:37:50 UTC
This issue was resolved and addressed in
 GLSA 201504-04 at https://security.gentoo.org/glsa/201504-04
by GLSA coordinator Yury German (BlueKnight).
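
Added example (not part of the bug report or of Portage): a check of an installed app-emulation/xen version against the fixed revisions named in the bug title and comment 1. The parser is a simplification that accepts only dotted numeric versions with an optional -rN revision; the sample package strings are constructed.

```python
import re

# Fixed ebuild per Xen branch, from the bug title and comment 1.
FIXED = {"4.2": "4.2.5-r3", "4.3": "4.3.3-r3", "4.4": "4.4.1-r4"}

# Optional "app-emulation/xen-" prefix, dotted numeric version, optional -rN.
_ATOM = re.compile(r"^(?:app-emulation/xen-)?(\d+(?:\.\d+)+)(?:-r(\d+))?$")


def parse(version):
    """Return ((major, minor, ...), revision) for 'X.Y[.Z][-rN]'.

    Simplification: suffixes such as _rc1 or _p2 are rejected rather
    than ordered, so an unexpected string fails loudly.
    """
    m = _ATOM.match(version)
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    return nums, int(m.group(2) or 0)


def status(version):
    """Classify a version as 'fixed', 'vulnerable' or 'unlisted'."""
    nums, rev = parse(version)
    fixed = FIXED.get(f"{nums[0]}.{nums[1]}")
    if fixed is None:
        # This bug names fixed revisions for 4.2, 4.3 and 4.4 only.
        return "unlisted"
    # Compare numerically: as strings, "r10" would sort before "r4".
    return "fixed" if (nums, rev) >= parse(fixed) else "vulnerable"


# Constructed sample input, e.g. one installed package per host.
SAMPLE = [
    "app-emulation/xen-4.2.5-r2",
    "app-emulation/xen-4.3.3-r3",
    "app-emulation/xen-4.4.1-r10",
    "app-emulation/xen-4.5.0",
]

if __name__ == "__main__":
    for pkg in SAMPLE:
        print(f"{pkg}: {status(pkg)}")
```
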