Bug 603420 (CVE-2016-10013, XSA-204) - <app-emulation/xen-{4.6.4-r4,4.7.1-r4}: x86: Mishandling of SYSCALL singlestep during emulation
Alias: CVE-2016-10013, XSA-204
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: B2 [glsa cve]
Depends on: CVE-2016-10024, XSA-202
Reported: 2016-12-22 04:12 UTC by Aaron Bauman (RETIRED)
Modified: 2017-01-03 05:54 UTC
CC: 1 user

Runtime testing required: ---


Description Aaron Bauman (RETIRED) gentoo-dev 2016-12-22 04:12:24 UTC

CVE assigned.


The typical behaviour of singlestepping exceptions is determined at the
start of the instruction, with a #DB trap being raised at the end of the

SYSCALL (and SYSRET, although we don't implement it) behave differently
because the typical behaviour allows userspace to escalate its
privilege.  (This difference in behaviour seems to be undocumented.)

Xen wrongly raised the exception based on the flags at the start of
the instruction.


Guest userspace which can invoke the instruction emulator can use this
flaw to escalate its privilege to that of the guest kernel.


All Xen versions are affected.

The vulnerability is only exposed to 64-bit x86 HVM guests.

On Xen 4.6 and earlier the vulnerability is exposed to all guest user
processes, including unprivileged processes, in such guests.

On Xen 4.7 and later, the vulnerability is exposed only to guest user
processes granted a degree of privilege (such as direct hardware access)
by the guest administrator; or, to all user processes when the VM has
been explicitly configured with a non-default cpu vendor string (in
xm/xl, this would be done with a `cpuid=' domain config option).

A 64-bit guest kernel which uses an IST for #DB handling will most likely
mitigate the issue, but will have a single unexpected #DB exception
frame to deal with.  This in practice means that Linux is not

The vulnerability is not exposed to 32-bit HVM guests.  This is because
the emulation bug also matches real hardware behaviour, and a 32-bit
guest kernel using SYSCALL will already have to be using a Task Gate for
handling #DB to avoid being susceptible to an escalation of privilege.

The vulnerability is not exposed to PV guests.

ARM systems are not vulnerable.


There is no known mitigation.


Applying the appropriate attached patch resolves this issue.

xsa204.patch           xen-unstable
xsa204-4.8.patch       Xen 4.8.x
xsa204-4.7.patch       Xen 4.7.x, Xen 4.6.x
xsa204-4.5.patch       Xen 4.5.x, Xen 4.4.x
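As an added illustration (not part of this bug report, the XSA text, or Xen's own x86_emulate code), the following constructed C model shows why deciding the single-step trap from the flags sampled at the start of SYSCALL is dangerous. A ring-3 process sets TF and issues SYSCALL; the kernel's IA32_FMASK (Linux's mask includes TF) clears TF as part of the instruction, so the rule the advisory describes, deciding from the resulting flags, raises no #DB, whereas the pre-fix rule raises one with RIP already at LSTAR and CPL 0, while the stack and registers are still user-controlled. The struct names, MSR values and register values are assumptions made up for the example; the model is deliberately minimal and ignores segment selectors, canonical-address checks and SYSRET.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Toy model of 64-bit SYSCALL and of the single-step decision that
 * XSA-204 got wrong.  Constructed for illustration only; this is not
 * Xen's x86_emulate() and every constant below is made up.
 */
#define EFLAGS_TF  (1u << 8)    /* trap flag: single-step after this insn */
#define EFLAGS_IF  (1u << 9)    /* interrupt enable */
#define EFLAGS_RF  (1u << 16)   /* resume flag */

struct cpu {
    uint64_t rip;
    uint64_t rcx;       /* SYSCALL saves the return RIP here */
    uint64_t r11;       /* SYSCALL saves RFLAGS here */
    uint32_t eflags;
    unsigned cpl;       /* current privilege level, 0 or 3 */
};

struct msrs {
    uint64_t lstar;     /* IA32_LSTAR: 64-bit SYSCALL entry point */
    uint32_t fmask;     /* IA32_FMASK: RFLAGS bits SYSCALL clears */
};

/*
 * Emulate SYSCALL.  Returns true if a single-step #DB is to be raised
 * after the instruction, i.e. with RIP at the kernel entry point in ring 0.
 *
 * buggy=true reproduces the pre-XSA-204 logic: decide from TF as it was
 * at the start of the instruction.  buggy=false is the behaviour the
 * advisory describes: decide from TF after IA32_FMASK has been applied.
 */
static bool emulate_syscall(struct cpu *c, const struct msrs *m, bool buggy)
{
    bool tf_before = (c->eflags & EFLAGS_TF) != 0;

    c->rcx = c->rip;                /* return address for SYSRET */
    c->r11 = c->eflags;             /* caller's flags, restored by SYSRET */
    c->eflags &= ~m->fmask;         /* kernel-chosen mask, normally incl. TF/IF */
    c->eflags &= ~EFLAGS_RF;
    c->rip = m->lstar;
    c->cpl = 0;                     /* no stack switch: RSP is still user's */

    bool tf_after = (c->eflags & EFLAGS_TF) != 0;
    return buggy ? tf_before : tf_after;
}

/*
 * Run one user-mode SYSCALL with TF set (as a debugger, or an attacker,
 * would arrange) under a kernel whose IA32_FMASK is `fmask`.  Returns true
 * when the emulator would inject #DB with RIP already at the kernel entry
 * point and CPL 0: the #DB handler then runs with kernel privilege on a
 * stack and register state still controlled by user space.
 */
static bool db_injected_at_kernel_entry(uint32_t fmask, bool buggy)
{
    const struct msrs m = { .lstar = 0xffffffff81800000ull, .fmask = fmask };
    struct cpu c = {
        .rip = 0x401000, .eflags = EFLAGS_TF | EFLAGS_IF | 0x2, .cpl = 3,
    };
    bool db = emulate_syscall(&c, &m, buggy);
    return db && c.cpl == 0 && c.rip == m.lstar;
}

int main(void)
{
    const uint32_t linux_like_mask = EFLAGS_TF | EFLAGS_IF;  /* kernel masks TF */
    const uint32_t no_tf_mask      = EFLAGS_IF;              /* kernel leaves TF */

    printf("FMASK clears TF, pre-fix emulator : #DB at entry = %d\n",
           db_injected_at_kernel_entry(linux_like_mask, true));
    printf("FMASK clears TF, fixed emulator   : #DB at entry = %d\n",
           db_injected_at_kernel_entry(linux_like_mask, false));
    printf("FMASK keeps TF,  fixed emulator   : #DB at entry = %d\n",
           db_injected_at_kernel_entry(no_tf_mask, false));
    return 0;
}
```

The third case is the one the advisory's IST remark covers: when the guest kernel does not mask TF, a #DB at the entry point is the correct architectural outcome and the kernel has to be able to take it safely (a 64-bit kernel with #DB on an IST gets a fresh stack; one without it does not). The fix only removes the spurious #DB in the first case, where the kernel asked for TF to be cleared and the emulator ignored that.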
Comment 1 Yixun Lan archtester gentoo-dev 2016-12-22 12:50:41 UTC
already fixed in tree, see bug 601986
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2017-01-03 05:54:37 UTC
Added to GLSA 201612-56