Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 601986 (CVE-2016-10024, XSA-202) - <app-emulation/xen-{4.6.4-r4,4.7.1-r4}: x86 PV guests may be able to mask interrupts
Summary: <app-emulation/xen-{4.6.4-r4,4.7.1-r4}: x86 PV guests may be able to mask int...
Alias: CVE-2016-10024, XSA-202
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa cve]
Depends on:
Blocks: CVE-2016-10025, XSA-203 CVE-2016-10013, XSA-204
  Show dependency tree
Reported: 2016-12-08 14:02 UTC by Aaron Bauman (RETIRED)
Modified: 2016-12-31 16:18 UTC (History)
1 user (show)

See Also:
Package list:
=app-emulation/xen-4.7.1-r4 =app-emulation/xen-pvgrub-4.7.1-r1 =app-emulation/xen-tools-4.7.1-r4
Runtime testing required: ---
kensington: sanity-check+


Note You need to log in before you can comment on or make changes to this bug.
Description Aaron Bauman (RETIRED) gentoo-dev 2016-12-08 14:02:46 UTC

Certain PV guest kernel operations (page table writes in particular)
need emulation, and use Xen's general x86 instruction emulator.  This
allows a malicious guest kernel which asynchronously modifies its
instruction stream to effect the clearing of EFLAGS.IF from the state
used to return to guest context.


A malicious guest kernel administrator can cause a host hang or
crash, resulting in a Denial of Service.


All Xen versions are vulnerable.

Only x86 PV guests can exploit the vulnerability.

Neither ARM guests nor x86 HVM guests can exploit the vulnerability.


Running only HVM guests will avoid the vulnerability.

For PV guests the vulnerability can be avoided if the guest kernel is
controlled by the host rather than guest administrator, provided that
further steps are taken to prevent the guest administrator from loading
code into the kernel (e.g. by disabling loadable modules etc) or from
using other mechanisms which allow them to run code at kernel privilege.


Applying the appropriate attached patch resolves this issue.

xsa202.patch           xen-unstable, Xen 4.8.x, Xen 4.7.x
xsa202-4.6.patch       Xen 4.6.x, Xen 4.5.x
xsa202-4.4.patch       Xen 4.4.x

$ sha256sum xsa202*
057be742acfef200ba6f094a5dce486dd1c4e15013afe3efc963523ce2ec9cbb  xsa202.patch
cd53dc8b761dc7eb60998ea2419c98af926aa62b4317dbef15f597f5554f9015  xsa202-4.4.patch
e007187639f5392a9256979504d50eff0ae38309a61524ea42c4150fab38b6f4  xsa202-4.6.patch


Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
Comment 1 Aaron Bauman (RETIRED) gentoo-dev 2016-12-22 04:07:39 UTC
@maintainer, please proceed.
Comment 2 Yixun Lan archtester gentoo-dev 2016-12-22 12:47:59 UTC
commit 759e56ed0bd502aecb397a0e0d585e74b4447eb0
Author: Yixun Lan <>
Date:   Tue Dec 20 23:54:44 2016 +0800

    app-emulation/xen: security bump, fix XSA-202,203,204

    Gento-Bug: 601986, 601988

    Package-Manager: Portage-2.3.3, Repoman-2.3.1

:100644 100644 24b2ee46aa... fd25026812... M    app-emulation/xen/Manifest
:000000 100644 0000000000... e077b5598a... A    app-emulation/xen/xen-4.6.4-r4.ebuild
:000000 100644 0000000000... e077b5598a... A    app-emulation/xen/xen-4.7.1-r4.ebuild
:100644 100644 ca48cdafac... 28479d7a29... R099 app-emulation/xen/xen-4.8.0.ebuild      app-emulation/xen/xen-4.8.0-r1.ebuild
Comment 3 Yixun Lan archtester gentoo-dev 2016-12-22 12:49:48 UTC
Arches, please test and mark stable:
Target keyword only: "amd64"
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-23 00:53:37 UTC
@ Maintainer(s): v4.6.x, which you also bumped to add the updated patch set, is also affected. Do you really want to stabilize only v4.7.x? So you are going to remove v4.6.x afterwards? Otherwise we need to stabilize =app-emulation/xen-4.6.4-r4 as well...
Comment 5 Agostino Sarubbo gentoo-dev 2016-12-24 09:47:57 UTC
amd64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-25 13:22:44 UTC
@ Arches,

maintainer(s) have decided to move to 4.7.x branch. Please stabilize


as well.
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2016-12-26 12:57:53 UTC
=app-emulation/xen-pvgrub-4.7.1-r1 stabilized.

amd64 is good now.
Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-26 19:10:42 UTC
x86 stable
Comment 9 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-26 21:09:46 UTC
Added to existing GLSA.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2016-12-31 16:18:06 UTC
This issue was resolved and addressed in
 GLSA 201612-56 at
by GLSA coordinator Thomas Deutschmann (whissi).